Problem with document level security

I have the following two documents in Elastic:

[ {
  "_index" : "hr",
  "_type" : "blog",
  "_id" : "123",
  "_score" : 1.0,
  "_source" : {
    "title" : "blah blah Doe"
  }
}, {
  "_index" : "hr",
  "_type" : "person",
  "_id" : "1",
  "_score" : 1.0,
  "_source" : {
    "name" : "Jane Doe",
    "title" : "Software Engineer"
  }
} ]

I have two roles, hr_user and hr_blog_reader, and two users mapped to them. Role hr_user should have full access to the hr index; hr_blog_reader should only have access to documents with _type=blog:

hr_blog_reader:
  indices:
    'hr':
      privileges: read
      query: '{"match":{"_type":"blog"}}'

hr_user:
  indices:
    'hr':
      privileges: all

When I run a query as hr_user, I get both documents back, as expected. When I run a query as hr_blog_reader, I get the following error:

{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "action [indices:data/read/search] is unauthorized for user [hr_blog_reader]"
    } ],
    "type" : "security_exception",
    "reason" : "action [indices:data/read/search] is unauthorized for user [hr_blog_reader]"
  },
  "status" : 403
}

I'm running the queries using curl:

curl http://localhost:9200/_search?pretty -u hr_blog_reader

Any ideas what I'm doing wrong?

What version of Shield are you using? You may need to set shield.dls_fls.enabled: true in your elasticsearch.yml file. This was supposed to be enabled by default in 2.2, but there was a bug and it was not; we'll fix it in the next bug-fix release.

Also, in your logs you might have a message saying that role isn't valid and why.
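As an added example (not code from the thread above), here is a small POSIX shell check a defender can run before and after applying the answer: it confirms that elasticsearch.yml actually carries an uncommented `shield.dls_fls.enabled: true`, and it checks a saved `_search` response to make sure every hit a restricted user received has the `_type` the role's document-level query allows. The config files and the search response below are constructed inline for the demonstration; the only setting taken from the thread is `shield.dls_fls.enabled`, and the curl line in the comment is the one from the question.

```shell
#!/bin/sh
# Added example, not from the original thread. Two checks for Shield
# document-level security (DLS): the setting is on, and a restricted user's
# search results only contain the document type the role query allows.

# dls_enabled FILE -> exit 0 if FILE has an uncommented
# "shield.dls_fls.enabled: true" line, 1 otherwise (commented lines don't count).
dls_enabled() {
  grep -Eq '^[[:space:]]*shield\.dls_fls\.enabled[[:space:]]*:[[:space:]]*true[[:space:]]*$' "$1"
}

# only_type FILE TYPE -> exit 0 when every "_type" value in the JSON search
# response FILE equals TYPE (vacuously true when the file has no _type at all).
only_type() {
  ! grep -o '"_type"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
    | grep -v "\"$2\"" \
    | grep -q .
}

# Constructed sample inputs (assumed paths, not a real cluster).
tmpdir=$(mktemp -d)
printf 'cluster.name: demo\n# shield.dls_fls.enabled: true\n' > "$tmpdir/disabled.yml"
printf 'cluster.name: demo\nshield.dls_fls.enabled: true\n'   > "$tmpdir/enabled.yml"

# What an unrestricted user (hr_user) sees: both document types.
cat > "$tmpdir/hr_user.json" <<'EOF'
[ { "_index" : "hr", "_type" : "blog",   "_id" : "123" },
  { "_index" : "hr", "_type" : "person", "_id" : "1" } ]
EOF
# What hr_blog_reader should see once DLS is enabled: blog documents only.
cat > "$tmpdir/hr_blog_reader.json" <<'EOF'
[ { "_index" : "hr", "_type" : "blog", "_id" : "123" } ]
EOF

if dls_enabled "$tmpdir/enabled.yml"; then
  echo "enabled.yml: DLS/FLS is on; role queries will be honoured"
fi
if ! dls_enabled "$tmpdir/disabled.yml"; then
  echo "disabled.yml: DLS/FLS is off; a role with a query clause is rejected (403)"
fi
if only_type "$tmpdir/hr_blog_reader.json" blog; then
  echo "hr_blog_reader response: only blog documents, as intended"
fi
if ! only_type "$tmpdir/hr_user.json" blog; then
  echo "hr_user response: contains other types (expected for the unrestricted role)"
fi

# Against a live cluster, capture the restricted user's response with the
# query from the thread and run only_type on the saved file:
#   curl http://localhost:9200/_search?pretty -u hr_blog_reader > response.json
#   only_type response.json blog
```

Run the config check on the node's real elasticsearch.yml after the change and the response check on each restricted user's output; a role that carries a `query:` clause while the setting is off is not applied partially, it is rejected outright, which is why the symptom is a 403 rather than an over-broad result set.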

That worked, thank you!
