Document Level Security & nested search

Hi,

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:
  indices:
    'some_index':
      '*':
        - UNLIMITED
      _dls_: '{"term": {"a_field": "${attr.jwt.a_claim}"}}'

This works fine: any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the dsl is applied I lose all nested hits in the query result. Removing the dsl solves the problem.

I'm guessing the solution is related to how the dsl query is applied? Any suggestions?

Regards,

Andreas

Tested on a minimal setup, with DLS on the sg_all_access role:

sg_all_access:
  indices:
    '*':
      '*':
        - UNLIMITED
      _dls_: '{"term": {"owner": "${user.name}"}}'

PUT /my_index
{
    "mappings": {
        "my_type" : {
            "properties" : {
                "owner" : {"type": "text"},
                "my_nested_object" : {"type" : "nested"}
            }
        }
    }
}

PUT /my_index/my_type/1
{
    "owner" : "admin",
    "my_nested_object" : {"name": "spock"}
}

GET /_search
{
  "query": {
    "nested": {
      "path": "my_nested_object",
      "query": {
        "match": {"my_nested_object.name" : "spock"}
      },
      "inner_hits": {}
    }
  }
}

Result without DLS:

{
    "_shards": {
        "failed": 0,
        "skipped": 0,
        "successful": 5,
        "total": 5
    },
    "hits": {
        "hits": [
            {
                "_id": "1",
                "_index": "my_index",
                "_score": 0.2876821,
                "_source": {
                    "owner": "admin",
                    "my_nested_object": {
                        "name": "spock"
                    }
                },
                "_type": "my_type",
                "inner_hits": {
                    "my_nested_object": {
                        "hits": {
                            "hits": [
                                {
                                    "_nested": {
                                        "field": "my_nested_object",
                                        "offset": 0
                                    },
                                    "_score": 0.2876821,
                                    "_source": {
                                        "name": "spock"
                                    }
                                }
                            ],
                            "max_score": 0.2876821,
                            "total": 1
                        }
                    }
                }
            }
        ],
        "max_score": 0.2876821,
        "total": 1
    },
    "timed_out": false,
    "took": 59
}

Result with DLS:

{
    "_shards": {
        "failed": 0,
        "skipped": 0,
        "successful": 5,
        "total": 5
    },
    "hits": {
        "hits": [
            {
                "_id": "1",
                "_index": "my_index",
                "_score": 0.2876821,
                "_source": {
                    "owner": "admin",
                    "my_nested_object": {
                        "name": "spock"
                    }
                },
                "_type": "my_type",
                "inner_hits": {
                    "my_nested_object": {
                        "hits": {
                            "hits": [],
                            "max_score": null,
                            "total": 0
                        }
                    }
                }
            }
        ],
        "max_score": 0.2876821,
        "total": 1
    },
    "timed_out": false,
    "took": 39
}

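The check a practitioner would want after a report like this, as an added Python example that is not code from the thread or from Search Guard: it renders a DLS template for a given user, shows the conventional bool/filter model of how such a filter narrows the caller's query (an assumption about the mechanism, not Search Guard's actual implementation), and scans a search response for top-level hits that a nested query matched but whose inner_hits came back empty, which is exactly the symptom reported above. The two responses are constructed from the ones posted above, trimmed to the fields the check reads; the names NESTED_QUERY, DLS_TEMPLATE, render_dls, effective_query and missing_inner_hits are this example's own.

```python
import json
import re
from typing import Any, Dict, List

# Constructed inputs modelled on the thread: the nested query with inner_hits
# and a DLS template in the shape of the sg_all_access role above.
NESTED_QUERY: Dict[str, Any] = {
    "nested": {
        "path": "my_nested_object",
        "query": {"match": {"my_nested_object.name": "spock"}},
        "inner_hits": {},
    }
}
DLS_TEMPLATE = '{"term": {"owner": "${user.name}"}}'

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def render_dls(template: str, user_attrs: Dict[str, str]) -> Dict[str, Any]:
    """Resolve ${...} placeholders (user.name, attr.jwt.<claim>, ...) against the
    authenticated user's attributes and parse the result as a query. Values are
    JSON-escaped so an attribute value containing quotes cannot change the shape
    of the filter, and an unknown placeholder is an error rather than a filter
    that silently matches nothing."""
    def substitute(match):
        key = match.group(1)
        if key not in user_attrs:
            raise ValueError(f"unresolved DLS placeholder ${{{key}}}")
        return json.dumps(user_attrs[key])[1:-1]  # strip the surrounding quotes
    return json.loads(PLACEHOLDER.sub(substitute, template))


def effective_query(user_query: Dict[str, Any], dls_filter: Dict[str, Any]) -> Dict[str, Any]:
    """Conceptual model (an assumption, not Search Guard's implementation) of how
    a DLS filter narrows a request: the caller's query stays in `must` so it is
    still scored, and the DLS clause goes into `filter`, which restricts the
    result set without contributing to the score."""
    return {"bool": {"must": [user_query], "filter": [dls_filter]}}


def missing_inner_hits(response: Dict[str, Any], path: str) -> List[str]:
    """Ids of top-level hits returned for a nested query on `path` whose
    inner_hits for that path are empty. A document can only match a nested
    query through at least one nested object, so an empty inner_hits block on
    a matched document means the nested matches were dropped on the way out."""
    dropped: List[str] = []
    for hit in response.get("hits", {}).get("hits", []):
        inner = hit.get("inner_hits", {}).get(path, {}).get("hits", {})
        if not inner.get("hits"):
            dropped.append(hit["_id"])
    return dropped


# Constructed responses, abbreviated to the fields the check looks at:
# one as returned without DLS, one as returned with the DLS filter active.
def _hit(inner_hits: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {
        "_id": "1", "_index": "my_index", "_type": "my_type", "_score": 0.2876821,
        "_source": {"owner": "admin", "my_nested_object": {"name": "spock"}},
        "inner_hits": {"my_nested_object": {"hits": {
            "hits": inner_hits, "total": len(inner_hits),
            "max_score": 0.2876821 if inner_hits else None}}},
    }


RESPONSE_WITHOUT_DLS = {"hits": {"total": 1, "hits": [_hit([
    {"_nested": {"field": "my_nested_object", "offset": 0},
     "_score": 0.2876821, "_source": {"name": "spock"}}])]}}
RESPONSE_WITH_DLS = {"hits": {"total": 1, "hits": [_hit([])]}}

if __name__ == "__main__":
    dls = render_dls(DLS_TEMPLATE, {"user.name": "admin"})
    print(json.dumps(effective_query(NESTED_QUERY, dls)))
    for label, resp in (("without DLS", RESPONSE_WITHOUT_DLS), ("with DLS", RESPONSE_WITH_DLS)):
        print(label, "- docs whose nested matches were dropped:",
              missing_inner_hits(resp, "my_nested_object"))
```

To turn this into a regression check after upgrading, issue the nested search above as a DLS-restricted user whose DLS clause the document satisfies and pass the response body to missing_inner_hits: a non-empty list means the restricted user still gets the document but not its nested matches.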

Good catch, I looked into this and will fix it soon.

Thx for reporting

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/57d0bb81-10d5-4ebb-8f53-ca04fe2403af%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Will be fixed with the next version of Search Guard this Wednesday/Thursday.


This is fixed with 6.x-21 version of Search Guard.
