On Monday, 5 March 2018 11:20:59 UTC, anthony...@actual-experience.com wrote:

ElasticSearch 6.1.3
SearchGuard 6.1.3.20

Hello, I recently upgraded from 5.x to 6.x on both Search Guard and Elasticsearch, and I have noticed that my IT user can see all documents even though DLS is set.

So at the moment, IT is only supposed to see documents with a certain office variable.

User Roles

sg_role_it:
  cluster:
  indices:
    'hardware-*':
      '*':
      _dls_: '{ "bool": { "must": { "match": { "fields.environment": "x-office" }}}}'

When I look at authinfo for the user I see the following:

{
  "user": "User [name=x, roles=[], requestedTenant=null]",
  "user_name": "x",
  "user_requested_tenant": null,
  "remote_address": "127.0.0.1:52892",
  "backend_roles": [],
  "custom_attribute_names": [],
  "sg_roles": [
    "sg_kibana",
    "sg_role_it"
  ],
  "sg_tenants": {
    "x": true
  },
  "principal": null,
  "peer_certificates": "0"
}

So they are using the role. Just for clarity, this is the sg_kibana role (this is unchanged since 5.x):

sg_kibana:
  cluster:
  indices:
    '*':
      '*':
    '?kibana':
      '*':

However, an IT user is able to log in and see all documents in all indices.

Thanks.
Document- and Field-Level Security  6.0-20.1  true

This is also confirmed to be running in the System Info.
On Monday, 5 March 2018 12:44:40 UTC, Search Guard wrote:

I cannot reproduce this.

Can you please post (or mail) your elasticsearch.yml and sg_roles.yml as files/attachments?
On Monday, 5 March 2018 14:36:36 UTC+1, anthony...@actual-experience.com wrote:

I think

    '?kibana':
      '*':

on the kibana role may be the issue; it rings a bell from a previous discussion. If this isn't the case, where can I email the configs?
On Monday, 5 March 2018 13:43:40 UTC, Search Guard wrote:

This should not be an issue (and we have a huge testbase for DLS/FLS, so I assume this would be raised by our internal QA).

Please mail the files to info (at) search-guard.com; you can also PGP encrypt if you like: https://floragunn.com/search-guard-public-key/
On Monday, 5 March 2018 13:49:51 UTC, anthony...@actual-experience.com wrote:

I pasted the wrong block; this is the fix:

sg_kibana:
  cluster:
  indices:
    '*':
      '*':
        - READ
    '?kibana':
      '*':

Thanks for your time.
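As an added illustration (not code from the thread or from Search Guard), the script below models the two roles from this thread and reports, for a given index, where a user's role set reaches the index both through a DLS-restricted grant and through an unrestricted one. That overlap is what the IT user hit: sg_kibana grants READ on '*' with no DLS query, so the DLS on sg_role_it never limits what they read from hardware-*. The permission lists under sg_role_it and '?kibana', and the narrowed sg_kibana used for comparison, are assumptions.

```python
import fnmatch

# Constructed roles modelled on the sg_roles.yml blocks in the thread. The
# sg_kibana entry is the poster's corrected block (READ on every index); the
# permission lists under sg_role_it and '?kibana' are assumptions.
DLS_QUERY = '{ "bool": { "must": { "match": { "fields.environment": "x-office" }}}}'
ROLES = {
    "sg_role_it": {"indices": {"hardware-*": {"*": ["READ"], "_dls_": DLS_QUERY}}},
    "sg_kibana": {"indices": {"*": {"*": ["READ"]}, "?kibana": {"*": ["READ"]}}},
}
# Assumed hardening for comparison: sg_kibana limited to the Kibana index only.
NARROWED = dict(ROLES, sg_kibana={"indices": {"?kibana": {"*": ["READ"]}}})
IT_USER_ROLES = ["sg_kibana", "sg_role_it"]  # sg_roles from the authinfo output


def read_grants(roles, user_roles, index):
    """All (role, index pattern, DLS query or None) that let the user read
    `index`. Search Guard patterns use '*' and '?', which fnmatch covers."""
    grants = []
    for role in user_roles:
        for pattern, entry in roles.get(role, {}).get("indices", {}).items():
            if not fnmatch.fnmatchcase(index, pattern):
                continue
            perms = [v for k, v in entry.items() if k not in ("_dls_", "_fls_")]
            if any("READ" in p for p in perms):
                grants.append((role, pattern, entry.get("_dls_")))
    return grants


def dls_bypass(roles, user_roles, index):
    """Grants that reach `index` with no DLS query while another grant of the
    same user restricts it with one. Any such unrestricted grant returns
    every document, which is what the IT user in the thread observed."""
    grants = read_grants(roles, user_roles, index)
    if not any(dls for _, _, dls in grants):
        return []
    return [g for g in grants if g[2] is None]


if __name__ == "__main__":
    for name, roles in (("as posted", ROLES), ("narrowed sg_kibana", NARROWED)):
        for index in ("hardware-2018.03", ".kibana"):
            leak = dls_bypass(roles, IT_USER_ROLES, index)
            print(f"{name:20} {index:18} {'DLS BYPASSED via ' + str(leak) if leak else 'ok'}")
```

Running it flags hardware-2018.03 for the roles as posted and nothing once sg_kibana is narrowed, so the same check can be run over a whole sg_roles.yml before pushing it with sgadmin.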
I need to learn to read documentation. Sorry for wasting your time.