Are terms lookups incompatible within a document level security query?

Terms lookup works as normal query for an admin user with no dls defined:

{“query”: {“terms”: {"_label": {“index”: “securetest”, “type”: “userlabels”, “id”: “billy”, “path”: “allowedlabelids” }}}}

``

Using the same query within a role dls in sg_roles.yml:

sg_role_billy:
cluster:
- ‘
indices:
‘securetest’:
'
’:
- ‘*’
dls: ‘{“terms”: {"_label": {“index”: “securetest”, “type”: “userlabels”, “id”: “billy”, “path”: “allowedlabelids” }}}’

``

Causes this error when a user with that role performs any query:

{
“error”: {
“root_cause”: [
{
“type”: “engine_exception”,
“reason”: “Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{“terms”: {”_label": {“index”: “securetest”, “type”: “userlabels”, “id”: “billy”, “path”: “allowedlabelids” }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]];",
“shard”: “0”,
“index”: “securetest”
}
],
“type”: “search_phase_execution_exception”,
“reason”: “all shards failed”,
“phase”: “query”,
“grouped”: true,
“failed_shards”: [
{
“shard”: 0,
“index”: “securetest”,
“node”: “empZA0Z2R_WIMH7CJzDlag”,
“reason”: {
“type”: “engine_exception”,
“reason”: “failed to acquire searcher, source search”,
“shard”: “0”,
“index”: “securetest”,
“caused_by”: {
“type”: “engine_exception”,
“reason”: “Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{“terms”: {”_label": {“index”: “securetest”, “type”: “userlabels”, “id”: “billy”, “path”: “allowedlabelids” }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]];",
“shard”: “0”,
“index”: “securetest”
}
}
}
]
},
“status”: 500
}

But switching the roles dls to use a regular terms query works fine:

sg_role_billy:
cluster:
- ‘
indices:
‘securetest’:
'
’:
- ‘*’
dls: ‘{“terms”: {“label": [ “AVYqSb1yfHqgYd1N3Po5”, "AVYqSb21fHqgYd1N3Po” ]}}’

``

Any ideas?

Good catch, thx. The current user was not propagated for the lookup.

Fixed in master with https://github.com/floragunncom/search-guard-module-dlsfls/commit/530547c8b2e61fc38ffb7003871d50d07ab17510

Can you download and test it?:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-module-dlsfls/2.3.3.2-SNAPSHOT/dlic-search-guard-module-dlsfls-2.3.3.2-20160728.000827-249-jar-with-dependencies.jar

Just delete the old dlsfls jar and use the above mentioned one

···

Am 27.07.2016 um 23:24 schrieb Peter Wain <peter.wain.nz@gmail.com>:

Terms lookup works as normal query for an admin user with no dls defined:

{"query": {"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}}

Using the same query within a role dls in sg_roles.yml:

sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}'

Causes this error when a user with that role performs any query:

{
  "error": {
    "root_cause": [
      {
        "type": "engine_exception",
        "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]];",
        "shard": "0",
        "index": "securetest"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "securetest",
        "node": "empZA0Z2R_WIMH7CJzDlag",
        "reason": {
          "type": "engine_exception",
          "reason": "failed to acquire searcher, source search",
          "shard": "0",
          "index": "securetest",
          "caused_by": {
            "type": "engine_exception",
            "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]];",
            "shard": "0",
            "index": "securetest"
          }
        }
      }
    ]
  },
  "status": 500
}

But switching the roles dls to use a regular terms query works fine:

sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": [ "AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_" ]}}'

Any ideas?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/39b157d8-3853-428e-8dad-82768de8fb90%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hey - thanks for the quick turnaround on that. Tested it and it appears to work as advertised :slight_smile:

···

On Thursday, 28 July 2016 12:13:04 UTC+12, SG wrote:

Good catch, thx. The current user was not propagated for the lookup.

Fixed in master with https://github.com/floragunncom/search-guard-module-dlsfls/commit/530547c8b2e61fc38ffb7003871d50d07ab17510

Can you download and test it?:

https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-module-dlsfls/2.3.3.2-SNAPSHOT/dlic-search-guard-module-dlsfls-2.3.3.2-20160728.000827-249-jar-with-dependencies.jar

Just delete the old dlsfls jar and use the above mentioned one

Am 27.07.2016 um 23:24 schrieb Peter Wain peter....@gmail.com:

Terms lookup works as normal query for an admin user with no dls defined:

{“query”: {“terms”: {"_label": {“index”: “securetest”, “type”: “userlabels”, “id”: “billy”, “path”: “allowedlabelids” }}}}

Using the same query within a role dls in sg_roles.yml:

sg_role_billy:

cluster:

- '*'

indices:

'securetest':
  '*':
    - '*'
  _dls_: '{"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}'

Causes this error when a user with that role performs any query:

{

“error”: {

"root_cause": [
  {
    "type": "engine_exception",
    "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=[]]];",
    "shard": "0",
    "index": "securetest"
  }
],
"type": "search_phase_execution_exception",
"reason": "all shards failed",
"phase": "query",
"grouped": true,
"failed_shards": [
  {
    "shard": 0,
    "index": "securetest",
    "node": "empZA0Z2R_WIMH7CJzDlag",
    "reason": {
      "type": "engine_exception",
      "reason": "failed to acquire searcher, source search",
      "shard": "0",
      "index": "securetest",
      "caused_by": {
        "type": "engine_exception",
        "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=[]]];",
        "shard": "0",
        "index": "securetest"
      }
    }
  }
]

},

“status”: 500

}

But switching the roles dls to use a regular terms query works fine:

sg_role_billy:

cluster:

- '*'

indices:

'securetest':
  '*':
    - '*'
  _dls_: '{"terms": {"_label": [ "AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_" ]}}'

Any ideas?


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/39b157d8-3853-428e-8dad-82768de8fb90%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.