Search bar and Filter do not honour role field visibility restrictions

Chris_Blackwell · January 29, 2020, 11:33am

I have a role which has read only access to a single index pattern (not an alias) and is granted access to a subset of fields in the index. However when logged in as a user with only this role all fields in the index are suggested in the Search bar and in the Add Filter > Field dropdown

I've tried both including only the field i want the user to see, and excluding the fields i want to hide, but in both cases the field names leak out through Search and Filter.

i've tried excluding fields with

"field_security" : {
  "grant" : [
    "*"
  ],
  "except" : [
    "response.headers.*"
  ]
}

and including fields with

"field_security" : {
  "grant" : [
    "@timestamp",
    "_id",
    "url",
  ],
  "except" : [ ]
}

I also noticed that if you exclude a field that is not included, the role management ui does not complain but users with the role will get a very unfriendly error dumped to the browser if they are logged in

{"statusCode":500,"error":"Internal Server Error","message":"[exception] unable to compute field permissions"}

If they are not logged in, this breaks the login page and they are unable to login at all.

This second one looks like a bug, but is there anyway to fix the field names leaking in kibana that i've missed ?

Bargs · January 29, 2020, 8:18pm

Hi @Chris_Blackwell, there's an existing Github ticket for a similar issue where restricted field names are leaking out. I've added a link to your post here in the issue.

I'm not seeing an existing issue for the "unable to compute field permissions" error you're getting, would you mind creating a ticket on our GitHub repo with all the details on how to reproduce?

Bargs · January 29, 2020, 8:40pm

Also, I just want to highlight a workaround mentioned in that ticket. If you create the index pattern with a user assigned the role you want, the index pattern will be created with only the fields that the user has access to. This will prevent the fields from showing up in the autocomplete suggestions.

system · February 26, 2020, 8:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field_security exclude fields showing up in visualizations Elasticsearch	2	761	January 25, 2018
I have dashboard i want to hide the extra fields from being accessed from anonymous user Elasticsearch	5	144	May 2, 2024
Security error when create new role with field_security Kibana elastic-stack-monitoring , elastic-stack-security	3	671	January 7, 2021
Authentication role issues Elasticsearch	5	1396	August 22, 2017
Managing field access from kibana Elasticsearch elastic-stack-security	2	961	July 6, 2017

Search bar and Filter do not honour role field visibility restrictions

Related topics