DLS not working since upgrading to 6.x

ElasticSearch 6.1.3
SearchGuard 6.1.3.20

Hello, I recently upgraded from 5.x to 6.x on both Search Guard and Elasticsearch, and I have noticed that my IT user can see all documents even though DLS is set.

So at the moment, IT is only supposed to see documents with a certain office variable.

User Roles

sg_role_it:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    'hardware-*':
      '*':
        - READ
        - GET
        - SEARCH
      _dls_: '{ "bool": { "must": { "match": { "fields.environment": "x-office" }}}}'

When I look at authinfo for the user I see the following:

{
  "user": "User [name=x, roles=[], requestedTenant=null]",
  "user_name": "x",
  "user_requested_tenant": null,
  "remote_address": "127.0.0.1:52892",
  "backend_roles": [],
  "custom_attribute_names": [],
  "sg_roles": [
    "sg_kibana",
    "sg_role_it"
  ],
  "sg_tenants": {
    "x": true
  },
  "principal": null,
  "peer_certificates": "0"
}

So they are using the role. Just for clarity, this is the sg_kibana role (unchanged since 5.x):

sg_kibana:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ
    '?kibana':
      '*':
        - INDICES_ALL

However, an IT user is able to log in and see all documents in all indices.

Thanks.

Document- and Field-Level Security | 6.0-20.1 | true

This is also confirmed to be running in the System Info.
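The thread does not say what the final fix was. As an added example (not code from the thread or from Search Guard), the following Python lint takes the two roles posted above and reports, for a given user and a set of index names, where one role restricts an index with _dls_ while another role the same user holds grants read access to that index with no DLS at all; the read-action set and the rule that a single unrestricted grant exposes the whole index are assumptions of this simplified model, not Search Guard's documented evaluation.

```python
import fnmatch
import json

READ_ACTIONS = {"READ", "SEARCH", "GET", "INDICES_ALL"}  # assumed read actions

# Constructed to mirror the two roles posted in the thread.
SG_ROLES = {
    "sg_role_it": {
        "cluster": ["CLUSTER_COMPOSITE_OPS"],
        "indices": {"hardware-*": {
            "*": ["READ", "GET", "SEARCH"],
            "_dls_": '{ "bool": { "must": { "match": { "fields.environment": "x-office" }}}}',
        }},
    },
    "sg_kibana": {
        "cluster": ["CLUSTER_COMPOSITE_OPS_RO"],
        "indices": {"*": {"*": ["READ"]}, "?kibana": {"*": ["INDICES_ALL"]}},
    },
}

def read_grants(role_def, index):
    """For each index pattern of the role that matches `index` and grants a read
    action, return that pattern's _dls_ string (None when it has none)."""
    grants = []
    for pattern, entry in role_def.get("indices", {}).items():
        if not fnmatch.fnmatchcase(index, pattern):
            continue
        # Keys starting with "_" (_dls_, _fls_) are not document types.
        actions = {a for key, acts in entry.items() if not key.startswith("_") for a in acts}
        if READ_ACTIONS & actions:
            grants.append(entry.get("_dls_"))
    return grants

def dls_gaps(roles, user_roles, indices):
    """Map each index to the user's roles that read it without DLS while another
    of the user's roles restricts the same index with DLS. Assumed model: one
    unrestricted grant is enough to expose every document in the index."""
    gaps = {}
    for index in indices:
        restricted, unrestricted = set(), set()
        for name in user_roles:
            for dls in read_grants(roles[name], index):
                if dls is None:
                    unrestricted.add(name)
                else:
                    json.loads(dls)  # a _dls_ value that is not valid JSON is itself a bug
                    restricted.add(name)
        if restricted and unrestricted:
            gaps[index] = sorted(unrestricted)
    return gaps
```

Running `dls_gaps(SG_ROLES, ["sg_kibana", "sg_role_it"], ["hardware-2018.03.05", ".kibana"])` with the constructed index names flags the hardware index as readable through sg_kibana without any DLS, while the Kibana index, which sg_role_it never covers, is not reported.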


I cannot reproduce this.

Can you please post (or mail) your elasticsearch.yml and sg_roles.yml as files/attachments?


I think

'?kibana':
  '*':
    - INDICES_ALL

on the Kibana role may be the issue; it rings a bell from a previous discussion. If this isn't the case, where can I email the configs?


This should not be an issue (and we have a huge test base for DLS/FLS, so I assume this would be raised by our internal QA).

Please mail the files to info (at) search-guard.com; you can also PGP encrypt if you like: https://floragunn.com/search-guard-public-key/


I pasted the wrong block, this is the fix:

sg_kibana:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ
    '?kibana':
      '*':
        - INDICES_ALL

Thanks for your time.


I need to learn to read documentation :stuck_out_tongue: Sorry for wasting your time.
