DLS/FLS doesn't work

System/Clusterconfig: ES5.4.1 on 2 Nodes, SG-SSL-5.4.1-22 with Plugins: DFS/FLS, KibanaMultitenancy, LDAP

Hello Community,

I'm trying to configure the DLS/FLS feature. Looking at the example from

https://github.com/floragunncom/search-guard-docs/blob/master/addendum_b_permission_settings_examples.md

I configured my installation as follows:

>>>>>> sg_internal_users.yml
frb_main:
  hash: $2a$12$Fc0X…9YcFi

>>>>>> sg_roles_mapping.yml
sg_abteilung_main:
  backendroles:
    - 'Rolle Abteilung MAIN'
  users:
    - frb_main

>>>>>> sg_roles.yml
# Read all, but no write permissions
sg_abteilung_main:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ
      _dls_: '{"term" : {"_type" : "secure"}}'
      _fls_:
        - 'message'
        - '_type'
  tenants:
    main_tenant: RW
    support_tenant: RO

I access the ES-Cluster via Kibana, login as user frb_main is possible without error.

As of the explanation in the example, I expected with this configuration that user frb_main should only have access to documents with "_type"="secure" out of all indices, limited to the fields "message" and "_type". But unfortunately this isn't working: the user has a) access to all documents in all indices and b) the _fls_ settings are also ignored, all fields are offered to the user.

Because I cannot see any errors in the logs, I already checked whether the plugin is working in general by inserting a faulty query in "_dls_" → as expected I can see errors in the logs, so the plugin is working (I think). Moving the DLS/FLS settings to one index doesn't resolve the problem. I also checked the index permission settings in sg_roles.yml in general by modifying the "indices" section → these settings work as expected.

Can someone give me a hint what's wrong with my config? Or some troubleshooting steps to find the problem?

I am thankful for every help :)

Kind regards
Frank

Can you please post the complete sg_roles.yml file?
Does the user "frb_main" also have other roles assigned? If so, DLS and FLS will be OR'ed.
See https://github.com/floragunncom/search-guard-docs/blob/master/dlsfls.md#multiple-roles-and-document-level-security

On 28.06.2017 at 14:18, Frank Bach <frb@artegic.de> wrote: [quoted: Frank's original post above]

Hello,

thanks for your quick response!

Find the sg_roles.yml file attached to this post.

The user “frb_main” is only assigned to “sg_abteilung_main”, and the DLS/FLS-Settings are only configured in this role.

Kind regards
Frank

sg_roles.yml (5.65 KB)

Hello,

some quick updates on this issue:

DLS started working :slight_smile: Just not sure why. Perhaps one or more indices were faulty, so the complete query failed? But without any errors in the log files. I just renamed some indices and closed some old ones. Now it's working! :slight_smile:

Sadly, FLS won't work. If I put the statements in, Kibana complains about "nothing found".

Any hints how to troubleshoot this?

Kind regards

Frank

Hello again,

just one more update/question regarding DLS/FLS:

At which stage of the search are the FLS-Restrictions applied?

As of my last tests, the rules are applied "before" searching (incl. DLS) is done, so if some of the key fields are missing, the result is empty…

Example with empty result within Kibana (because of the missing @timestamp field, which is selected as time field in the settings):

      _dls_: '{"term" : {"type" : "elainelogs"}}'
      _fls_:
        - 'message'
        - 'type'

Example with empty result within Kibana (because of the missing type field, which is used in DLS):

      _dls_: '{"term" : {"type" : "elainelogs"}}'
      _fls_:
        - '@timestamp'
        - 'message'

WORKING example (all necessary fields included):

      _dls_: '{"term" : {"type" : "elainelogs"}}'
      _fls_:
        - '@timestamp'
        - 'message'
        - 'type'

Is this just working as expected? If yes, the documentation for the DLS/FLS feature should be clarified in this matter (e.g. "… if using FLS, all fields necessary to search must be included/must not be excluded…"). If not… ??? Bug?

Either way, perhaps a process chart showing the processing of a typical search query through Kibana, Search Guard, the Elasticsearch cluster and back would help to clarify what's going on.

Don't get me wrong, Search Guard is an excellent piece of software! :slight_smile:

Kind regards
Frank

will investigate this, thx
Report back asap

On 29.06.2017 at 17:16, Frank Bach <frb@artegic.de> wrote: [quoted: Frank's update above]

Hi Frank,

yes you’re right, documentation could be improved here. But basically you’re right:

The FLS comes first and will remove/allow the configured fields. This happens on a very low Lucene level, so we can make sure that regardless which Elasticsearch API you’re using, the FLS setting is always honored.

Then the DLS is executed, and if this query includes a field removed by FLS, you can end up with an empty result set.

So if you’re using whitelisted fields, you need to add the metadata fields like _type, _id or timestamp explicitly to the FLS fields. If you’re using blacklisting, this is not necessary of course.

The second issue we will address is the configuration. For example, if you’re using a wrong indentation level, the DLS/FLS module will simply ignore it, potentially leaking information. We should at least issue a warning or error message in the log file.

Thanks for reporting, we’ve added both issues in our backlog.
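The evaluation order described in this reply, and the field dependency Frank hit with his three configurations above, as an added example (not Search Guard code and not posted in this thread): a small Python model that applies FLS before DLS the way the answer describes, and a check over a parsed sg_roles.yml role that flags DLS fields missing from an FLS whitelist and `_dls_`/`_fls_` keys sitting at a level where the module would ignore them. The `~` blacklist prefix, the term/match-only query model, the Kibana time-field handling and the sample documents are assumptions constructed for this example; a real sg_roles.yml would be loaded with a YAML parser first.

```python
"""FLS-before-DLS evaluation model and sg_roles.yml sanity check.

Added example for this thread, not Search Guard's own code. It models the
order described above (FLS removes fields first, the DLS query then runs on
what is left) with plain Python dicts, and checks a parsed sg_roles.yml role
for two problems: a DLS query using a field that an FLS whitelist hides, and
_dls_/_fls_ keys at a level where they are ignored. Assumptions: term/match
queries only, and a '~' prefix marks an FLS blacklist entry.
"""
import json

RESERVED = {"_dls_", "_fls_"}


def apply_fls(doc, fls):
    """Return the fields of doc the FLS list allows. Plain names form a
    whitelist; names prefixed with '~' form a blacklist (assumed syntax)."""
    if not fls:
        return dict(doc)
    excluded = {f[1:] for f in fls if f.startswith("~")}
    included = {f for f in fls if not f.startswith("~")}
    if excluded and not included:
        return {k: v for k, v in doc.items() if k not in excluded}
    return {k: v for k, v in doc.items() if k in included}


def dls_fields(dls):
    """Field names a term/match DLS query depends on."""
    query = json.loads(dls)
    fields = set()
    for kind in ("term", "match"):
        fields.update(query.get(kind, {}).keys())
    return fields


def matches_dls(doc, dls):
    """Evaluate a term/match query against a (possibly FLS-reduced) doc.
    A field FLS has removed never matches, exactly like a missing field."""
    query = json.loads(dls)
    for kind in ("term", "match"):
        for field, value in query.get(kind, {}).items():
            if doc.get(field) != value:
                return False
    return True


def search(docs, fls, dls, required=()):
    """FLS first, then DLS, then Kibana-style filters on 'required' fields
    (its time-field range filter matches nothing if the field is gone)."""
    hits = []
    for doc in docs:
        visible = apply_fls(doc, fls)          # step 1: Lucene-level FLS
        if not matches_dls(visible, dls):      # step 2: DLS on reduced doc
            continue
        if any(field not in visible for field in required):
            continue                           # step 3: Kibana time filter
        hits.append(visible)
    return hits


def check_role(name, role):
    """Warnings for one parsed sg_roles.yml role (use yaml.safe_load in
    practice; here the dict is constructed inline)."""
    warnings = []
    for index, index_cfg in role.get("indices", {}).items():
        if index in RESERVED:
            warnings.append(f"{name}: {index} directly under 'indices' is "
                            "at the wrong level and will be ignored")
            continue
        for type_key, perms in index_cfg.items():
            if (type_key not in RESERVED and isinstance(perms, dict)
                    and RESERVED & perms.keys()):
                warnings.append(f"{name}/{index}: {sorted(RESERVED & perms.keys())} "
                                f"nested under type '{type_key}' will be ignored")
        fls = index_cfg.get("_fls_", [])
        dls = index_cfg.get("_dls_")
        whitelist = fls and not any(f.startswith("~") for f in fls)
        if dls and whitelist:
            missing = dls_fields(dls) - set(fls)
            if missing:
                warnings.append(f"{name}/{index}: DLS uses {sorted(missing)} but "
                                "the FLS whitelist hides them; results will be empty")
    return warnings


# Constructed sample data: two documents and the DLS query from the thread.
DOCS = [
    {"@timestamp": "2017-06-29T15:16:00Z", "type": "elainelogs",
     "message": "login ok", "host": "node-a"},
    {"@timestamp": "2017-06-29T15:17:00Z", "type": "syslog",
     "message": "cron run", "host": "node-b"},
]
DLS = '{"term" : {"type" : "elainelogs"}}'
KIBANA_TIME_FIELD = ("@timestamp",)

# Constructed: the role from the thread with the FLS list that hides 'type'.
ROLE = {
    "cluster": ["CLUSTER_COMPOSITE_OPS_RO"],
    "indices": {"*": {"*": ["READ"], "_dls_": DLS,
                      "_fls_": ["@timestamp", "message"]}},
}

if __name__ == "__main__":
    for fls in (["message", "type"], ["@timestamp", "message"],
                ["@timestamp", "message", "type"]):
        print(fls, "->", len(search(DOCS, fls, DLS, KIBANA_TIME_FIELD)), "hit(s)")
    for warning in check_role("sg_abteilung_main", ROLE):
        print("WARN", warning)
```

Run as a script, the first two FLS lists from Frank's post yield no hits and only the third returns the matching document, reproducing the observed behaviour; `check_role` turns the answer's two points into something a deployment pipeline can test before `sgadmin` pushes the configuration.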

On Thursday, June 29, 2017 at 5:32:09 PM UTC+2, Search Guard wrote: [quoted: the two replies and Frank's update above]