Hi guys,
I'm facing a strange problem with role based access control. Here is my use case:
INDEX DEFINITION
{
"invoices_status" : {
"aliases" : { },
"mappings" : {
"status" : {
"properties" : {
"company" : {
"type" : "text"
},
"error_type" : {
"type" : "text"
},
"invoice_id" : {
"type" : "text"
}
}
}
},
"settings" : {
"index" : {
"creation_date" : "1536588960795",
"number_of_shards" : "5",
"number_of_replicas" : "1",
"uuid" : "ocN_Tl79SOqW6U7x3X8ONA",
"version" : {
"created" : "6040099"
},
"provided_name" : "invoices_status"
}
}
}
}
BRIEF LIST OF INSERTED DOCUMENTS
- company: company_1 invoice_id: company_1_22222 error_type: business _id: 2 _type: status _index: invoices_status _score: 1
- company: company_1 invoice_id: company_1_44444 error_type: technical _id: 4 _type: status _index: invoices_status _score: 1
- company: company_1 invoice_id: company_1_22222 error_type: business _id: 1 _type: status _index: invoices_status _score: 1
- company: company_2 invoice_id: company_2_33333 error_type: business _id: 3 _type: status _index: invoices_status _score: 1
ROLE DEFINITION
curl --user elastic:elastic -X GET "localhost:9200/_xpack/security/role/bus_company1_invoice_status?pretty"
{
"bus_company1_invoice_status" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
"invoices_status"
],
"privileges" : [
"all"
],
"field_security" : {
"grant" : [
""
]
},
"query" : ""must": [{"match": {"company": "company_1"}},{"match": {"error_type": "business"}}]"
}
],
"applications" : [
{
"application" : "kibana-.kibana",
"privileges" : [
"all"
],
"resources" : [
""
]
}
],
"run_as" : [ ],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}
EXPECTED BEHAVIOUR
I expect that when I query for all documents using a bus_company1_invoice_status user, only documents that have company: company_1 and error_type: business will be returned. So, basically, only the following:
- _id: 1
- _id: 2
The query definition works fine:
curl --user elastic:elastic -X GET "localhost:9200/invoices_status/status/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{ "match": { "company": "company_1" }},
{ "match": { "error_type": "business" }}
]
}
}
}
'
{"took":3,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":2,"max_score":0.87546873,"hits":[{"_index":"invoices_status","_type":"status","_id":"2","_score":0.87546873,"_source":
{
"company": "company_1",
"invoice_id": "company_1_22222",
"error_type": "business"
}
},{"_index":"invoices_status","_type":"status","_id":"1","_score":0.5753642,"_source":
{
"company": "company_1",
"invoice_id": "company_1_22222",
"error_type": "business"
}
}]}}[
ACTUAL BEHAVIOUR
curl --user bus_company1_invoice_status:****** -XGET 'localhost:9200/invoices_status/_search?pretty' -H 'Content-Type: application/json' -d'
{
"size": 10000,
"query": {
"match_all": {}
}
}
{
"error" : {
"root_cause" : [
{
"type" : "x_content_parse_exception",
"reason" : "Failed to derive xcontent"
}
],
"type" : "search_phase_execution_exception",
"reason" : "all shards failed",
"phase" : "query",
"grouped" : true,
"failed_shards" : [
{
"shard" : 0,
"index" : "invoices_status",
"node" : "V7dQrUk-RhO_GgWpZ5H8zw",
"reason" : {
"type" : "x_content_parse_exception",
"reason" : "Failed to derive xcontent"
}
}
],
"caused_by" : {
"type" : "x_content_parse_exception",
"reason" : "Failed to derive xcontent",
"caused_by" : {
"type" : "x_content_parse_exception",
"reason" : "Failed to derive xcontent"
}
}
},
"status" : 400
}
'
Instead, documents are returned correctly if the search is done using the "elastic" user. What's wrong in it?
Thanks,
Andrea