Issue with document-level security expression and date range

I am having the same issue as https://discuss.elastic.co/t/granted-documents-query-with-filter-by-timestamp/201834 and https://discuss.elastic.co/t/document-level-security-combining-queries-together/136143

{
  "bool": {
    "must": [
      {
        "terms": {
          "name": [
            "John"
          ]
        }
      },
      {
        "range": {
          "birthdate": {
            "gte": "now-30y"
          }
        }
      }
    ]
  }
}

I am getting the following error message when I try to search the index with a user linked to the Role:

 Request failed to execute. Call: Status code 400 from: POST /users/_search?typed_keys=true. ServerError: Type: search_phase_execution_exception Reason: "all shards failed" CausedBy: "Type: parse_exception Reason: "could not read the current timestamp" CausedBy: "Type: illegal_argument_exception Reason: "'now' is not allowed in DLS queries"""

I am not sure why, because now is perfectly parsed in DSL queries in Kibana Discovery, for example. Do you have any idea how to create a document-level security role with a date relative to now?

Thanks.

There are some limitations, check this link :slight_smile:

Thank you @ylasri for pointing me to that page. Somehow I had overlooked it and couldn't get to it while searching for the error I was getting.
Do you think there may be an alternate way of applying that document-level security expression?

I'm trying to use these role-based expressions to limit the data that different applications/users can see from the Elasticsearch instance. That way, I won't have to "manually" apply them in every application that gets data from Elasticsearch.

One of the business rules has a relative-to-now date range (e.g. some users cannot see documents older than 10 months). It would be a pity not being able to use these awesome security features only for that.

Thanks.
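An added example, not part of the thread and not Elastic's code: since the error shows `now` is rejected in DLS queries, one possible workaround (an assumption, not something proposed in this thread) is to resolve the date math to an absolute timestamp when the role is generated and send the result as the body of `PUT /_security/role/<role-name>`. The `read` privilege, the clock value and the helper names are constructed for illustration; only simple `now±N<unit>` expressions are handled.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Subset of Elasticsearch date math handled here: "now" plus at most one +/-N<unit> term.
NOW_EXPR = re.compile(r"^now(?:([+-])(\d+)([yMwdhms]))?$")
SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def shift(ts, n, unit):
    """Move ts by n units; years and months use calendar arithmetic."""
    if unit in ("y", "M"):
        total = ts.year * 12 + ts.month - 1 + (n * 12 if unit == "y" else n)
        year, month = total // 12, total % 12 + 1
        day = min(ts.day, calendar.monthrange(year, month)[1])  # e.g. Feb 29 -> Feb 28
        return ts.replace(year=year, month=month, day=day)
    return ts + timedelta(seconds=n * SECONDS[unit])

def resolve(expr, at):
    """Turn a 'now...' expression into an absolute UTC timestamp string."""
    m = NOW_EXPR.match(expr)
    if not m:  # rounding ("now/d") or chained terms: refuse rather than guess
        raise ValueError(f"unsupported date math in DLS query: {expr!r}")
    sign, amount, unit = m.groups()
    ts = shift(at, int(sign + amount), unit) if sign else at
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def pin_now(node, at, in_range=False):
    """Copy a query, replacing 'now' bounds inside range clauses."""
    if isinstance(node, dict):
        return {k: pin_now(v, at, in_range or k == "range") for k, v in node.items()}
    if isinstance(node, list):
        return [pin_now(v, at, in_range) for v in node]
    if in_range and isinstance(node, str) and node.startswith("now"):
        return resolve(node, at)
    return node

def role_body(index, query, at):
    """Body for PUT /_security/role/<role-name> with the pinned query."""
    return {"indices": [{"names": [index], "privileges": ["read"],
                         "query": pin_now(query, at)}]}

# The role query from the post; the clock value is constructed for the example.
DLS_QUERY = {"bool": {"must": [
    {"terms": {"name": ["John"]}},
    {"range": {"birthdate": {"gte": "now-30y"}}},
]}}
AT = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
BODY = role_body("users", DLS_QUERY, AT)
```

The bound is frozen at the moment the role is written, so the role has to be regenerated on a schedule (for example daily); between refreshes the visible window is slightly wider than the relative rule intends.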
