Dls and fls not working in my roles

Hello,

I installed Elasticsearch 6.6.1 version with Search Guard 24.1, Community Edition I used a Docker image created from https://github.com/khezen/docker-elasticsearch/ repository.

I added a new role in sg_roles.yml for the following index, type and all permission but with a dls rule limitation:

test_role:

indices:

'humanresources':

  'employees':

    - '*'

  _dls_: '{ "bool": { "must_not": { "match": { "department": "Management" }}}}'

Then, I created the user with the right hash:

test:

hash: ‘HASHME’

roles:

- test_role

And set the mapping in the sg_roles_mapping.yml file:

test_role:

backendroles:

    - test_role

hosts:

    - "*"

users:

    - test

I tried the same example with dls y fls options just to give only access to the matched document, creating before several different documents and indexes.

I run in other Docker image a Kibana with Search Guard that can connect to the ES and I can login with the use. Unfortunally, the user can access to all kind of documents and indexes, and of course, to all the fields. Looks like the dsl and fls is not working.

Do someone know what I am doing wrong?

Thanks in advance.

DLS and FLS are enterprise edition features and therefore not included (and not working) in the community version.

Pls. refer to our "Feature Comparison" to determine which features are included in the community version: https://search-guard.com/product/

···

Am 25.03.2019 um 17:20 schrieb David Albela <elmadno@gmail.com>:

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Hello,

I installed Elasticsearch 6.6.1 version with Search Guard 24.1, Community Edition I used a Docker image created from https://github.com/khezen/docker-elasticsearch/ repository.

I added a new role in sg_roles.yml with the following roles:

test_role:
  indices:
    'humanresources':
      'employees':
        - '*'
      _dls_: '{ "bool": { "must_not": { "match": { "department": "Management" }}}}'

Then, I created the user with the right hash:

test2:
  hash: 'HASHME'
  roles:
    - test2_role

And set the mapping in the sg_roles_mapping.yml file:

test_role:
    backendroles:
        - test_role
    hosts:
        - "*"
    users:
        - test

I tried the same example with _dls_ y _fls_ options just to give only access to the matched document, creating before several different documents and indexes.

I run in other Docker image a Kibana with Search Guard that can connect to the ES and I can login with the use. Unfortunally, the user can access to all kind of documents and indexes, and of course, to all the fields. Looks like the _dsl_ and _fls_ is not working.

Do someone know what I am doing wrong?

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/3b819d2a-d192-41bb-8e21-1a163f3a4f83%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.