Search bar and Filter do not honour role field visibility restrictions

I have a role which has read-only access to a single index pattern (not an alias) and is granted access to a subset of fields in the index. However, when logged in as a user with only this role, all fields in the index are suggested in the Search bar and in the Add Filter > Field dropdown.

I've tried both including only the fields I want the user to see, and excluding the fields I want to hide, but in both cases the field names leak out through Search and Filter.

I've tried excluding fields with

"field_security" : {
  "grant" : [
    "*"
  ],
  "except" : [
    "response.headers.*"
  ]
}

and including fields with

"field_security" : {
  "grant" : [
    "@timestamp",
    "_id",
    "url"
  ],
  "except" : [ ]
}

I also noticed that if you exclude a field that is not included, the role management UI does not complain, but users with the role will get a very unfriendly error dumped to the browser if they are logged in:

{"statusCode":500,"error":"Internal Server Error","message":"[exception] unable to compute field permissions"}

If they are not logged in, this breaks the login page and they are unable to log in at all.

This second one looks like a bug, but is there any way to fix the field names leaking in Kibana that I've missed?

Hi @Chris_Blackwell, there's an existing GitHub ticket for a similar issue where restricted field names are leaking out. I've added a link to your post here in the issue.

I'm not seeing an existing issue for the "unable to compute field permissions" error you're getting; would you mind creating a ticket on our GitHub repo with all the details on how to reproduce?

Also, I just want to highlight a workaround mentioned in that ticket. If you create the index pattern with a user assigned the role you want, the index pattern will be created with only the fields that the user has access to. This will prevent the fields from showing up in the autocomplete suggestions.
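To make the two problems in this thread concrete, here is an added example (not code from either poster, and not part of Elasticsearch or Kibana). It takes a `field_security` block, works out which fields a user holding that role should actually see, and flags `except` entries that no `grant` pattern covers, which is the misconfiguration behind the "unable to compute field permissions" error described above. The wildcard handling (`*` only), the sample role definitions and the sample field list are all constructed for this example; the `grant`/`except` semantics follow the documented rule that `except` must be a subset of what `grant` allows.

```python
import json
import re

# Constructed role definitions modelled on the two blocks in the question,
# plus a deliberately broken one (except not covered by grant).
EXCLUDE_ROLE = {"grant": ["*"], "except": ["response.headers.*"]}
INCLUDE_ROLE = {"grant": ["@timestamp", "_id", "url"], "except": []}
BROKEN_ROLE = {"grant": ["@timestamp", "_id", "url"], "except": ["response.headers.*"]}

# Constructed field list, standing in for what the index mapping (and hence the
# Kibana index pattern created by a privileged user) exposes.
SAMPLE_FIELDS = [
    "@timestamp", "_id", "url", "status",
    "response.headers.content-type", "response.headers.server",
]


def glob_to_regex(pattern):
    """Turn a field_security pattern into a regex; only '*' is a wildcard here."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches_any(name, patterns):
    return any(glob_to_regex(p).match(name) for p in patterns)


def visible_fields(field_security, all_fields):
    """Fields a user with this role should see: granted and not excepted."""
    grant = field_security.get("grant", [])
    excepted = field_security.get("except", [])
    return [f for f in all_fields if matches_any(f, grant) and not matches_any(f, excepted)]


def leaked_fields(field_security, index_pattern_fields):
    """Fields the index pattern exposes that the role does not allow.

    This is the set that shows up in Search/Filter autocomplete when the
    index pattern was created by a user with broader field access.
    """
    allowed = set(visible_fields(field_security, index_pattern_fields))
    return [f for f in index_pattern_fields if f not in allowed]


def uncovered_exceptions(field_security):
    """except entries that no grant pattern covers (heuristic: probe the
    except pattern with its '*' replaced by a literal character)."""
    grant = field_security.get("grant", [])
    return [e for e in field_security.get("except", [])
            if not matches_any(e.replace("*", "x"), grant)]


def parse_field_security(text):
    """Strict JSON parse, so a stray trailing comma is caught before the role
    is pushed to the cluster."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid field_security JSON at line {exc.lineno}: {exc.msg}") from exc


if __name__ == "__main__":
    for name, role in [("exclude", EXCLUDE_ROLE), ("include", INCLUDE_ROLE), ("broken", BROKEN_ROLE)]:
        print(name, "visible:", visible_fields(role, SAMPLE_FIELDS))
        print(name, "leaked by a full index pattern:", leaked_fields(role, SAMPLE_FIELDS))
        print(name, "uncovered except entries:", uncovered_exceptions(role))
```

Running `uncovered_exceptions` over every role before saving it catches the case the role management UI accepts silently; `leaked_fields` shows why the workaround above helps: an index pattern created by the restricted user contains only the `visible_fields` list, so there is nothing left to leak into autocomplete.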
