Are terms lookups incompatible within a document level security query?

Terms lookup works as a normal query for an admin user with no DLS defined:

```json
{"query": {"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}}
```

Using the same query within a role dls in sg_roles.yml:

```yaml
sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}'
```

Causes this error when a user with that role performs any query:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "engine_exception",
        "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]];",
        "shard": "0",
        "index": "securetest"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "securetest",
        "node": "empZA0Z2R_WIMH7CJzDlag",
        "reason": {
          "type": "engine_exception",
          "reason": "failed to acquire searcher, source search",
          "shard": "0",
          "index": "securetest",
          "caused_by": {
            "type": "engine_exception",
            "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]];",
            "shard": "0",
            "index": "securetest"
          }
        }
      }
    ]
  },
  "status": 500
}
```

But switching the role's DLS to a regular terms query works fine:

```yaml
sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": [ "AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_" ]}}'
```

Any ideas?

Good catch, thx. The current user was not propagated for the lookup.

Fixed in master with https://github.com/floragunncom/search-guard-module-dlsfls/commit/530547c8b2e61fc38ffb7003871d50d07ab17510

Can you download and test it?
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-module-dlsfls/2.3.3.2-SNAPSHOT/dlic-search-guard-module-dlsfls-2.3.3.2-20160728.000827-249-jar-with-dependencies.jar

Just delete the old dlsfls jar and use the above-mentioned one.

On 27.07.2016 at 23:24, Peter Wain <peter.wain.nz@gmail.com> wrote:

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/39b157d8-3853-428e-8dad-82768de8fb90%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hey - thanks for the quick turnaround on that. Tested it and it appears to work as advertised :)

On Thursday, 28 July 2016 12:13:04 UTC+12, SG wrote:
