Document Level Security & nested search

Hi,

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:
indices:
‘some_index’:
‘*’:
- UNLIMITED
dls: ‘{“term”: {“a_field”: “${attr.jwt.a_claim}”}}’

This works fine, any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the dsl is applied I loose all nested hits in the query result. Removing the dsl solves the problem.

Im guessing the solution is related to how the dsl query is applied? Any suggestions?

Regards,

Andreas

Tested on a minimal setup, with DLS on the sg_all_access role:

sg_all_access:
indices:
’:
'
’:
- UNLIMITED
dls: ‘{“term”: {“owner”: “${user.name}”}}’

PUT /my_index

{

"mappings": {

    "my_type" : {

        "properties" : {

	"owner" : {"type": "text"},

            "my_nested_object" : {"type" : "nested"}

        }

    }

}

}

**PUT /my_index/my_type/1 **

{

"owner" : "admin",

"my_nested_object" : {"name": "spock"}

}

GET /_search

{

“query”: {

"nested": {

  "path": "my_nested_object",

  "query": {

    "match": {"my_nested_object.name" : "spock"}

  },

  "inner_hits": {} 

}

}

}

Result without DLS:

{

"_shards": {

    "failed": 0, 

    "skipped": 0, 

    "successful": 5, 

    "total": 5

}, 

"hits": {

    "hits": [

        {

            "_id": "1", 

            "_index": "my_index", 

            "_score": 0.2876821, 

            "_source": {

                "owner": "admin", 

                "my_nested_object": {

                    "name": "spock"

                }

            }, 

            "_type": "my_type", 

            "inner_hits": {

                "my_nested_object": {

                    "hits": {

                        "hits": [

                            {

                                "_nested": {

                                    "field": "my_nested_object", 

                                    "offset": 0

                                }, 

                                "_score": 0.2876821, 

                                "_source": {

                                    "name": "spock"

                                }

                            }

                        ], 

                        "max_score": 0.2876821, 

                        "total": 1

                    }

                }

            }

        }

    ], 

    "max_score": 0.2876821, 

    "total": 1

}, 

"timed_out": false, 

"took": 59

}

Result with DLS:

{

“_shards”: {

“failed”: 0,

“skipped”: 0,

“successful”: 5,

“total”: 5

},

“hits”: {

“hits”: [

{

“_id”: “1”,

“_index”: “my_index”,

“_score”: 0.2876821,

“_source”: {

“owner”: “admin”,

“my_nested_object”: {

“name”: “spock”

}

},

“_type”: “my_type”,

“inner_hits”: {

“my_nested_object”: {

“hits”: {

“hits”: ,

“max_score”: null,

“total”: 0

}

}

}

}

],

“max_score”: 0.2876821,

“total”: 1

},

“timed_out”: false,

“took”: 39

}

···

On Tuesday, 30 January 2018 10:32:03 UTC+1, Andreas Berre wrote:

Hi,

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:
indices:
‘some_index’:
‘*’:
- UNLIMITED
dls: ‘{“term”: {“a_field”: “${attr.jwt.a_claim}”}}’

This works fine, any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the dsl is applied I loose all nested hits in the query result. Removing the dsl solves the problem.

Im guessing the solution is related to how the dsl query is applied? Any suggestions?

Regards,

Andreas

Good catch, i looked into this and will fix it soon.

Thx for reporting

···

Am 30.01.2018 um 14:57 schrieb Andreas Berre <andreas.berre@gmail.com>:

Tested on a minimal setup, with DLS on the sg_all_access role:

sg_all_access:
  indices:
    '*':
      '*':
        - UNLIMITED
      _dls_: '{"term": {"owner": "${user.name}"}}'

PUT /my_index
{
    "mappings": {
        "my_type" : {
            "properties" : {
    "owner" : {"type": "text"},
                "my_nested_object" : {"type" : "nested"}
            }
        }
    }
}

PUT /my_index/my_type/1
{
    "owner" : "admin",
    "my_nested_object" : {"name": "spock"}
}

GET /_search
{
  "query": {
    "nested": {
      "path": "my_nested_object",
      "query": {
        "match": {"my_nested_object.name" : "spock"}
      },
      "inner_hits": {}
    }
  }
}

Result without DLS:

{
    "_shards": {
        "failed": 0,
        "skipped": 0,
        "successful": 5,
        "total": 5
    },
    "hits": {
        "hits": [
            {
                "_id": "1",
                "_index": "my_index",
                "_score": 0.2876821,
                "_source": {
                    "owner": "admin",
                    "my_nested_object": {
                        "name": "spock"
                    }
                },
                "_type": "my_type",
                "inner_hits": {
                    "my_nested_object": {
                        "hits": {
                            "hits": [
                                {
                                    "_nested": {
                                        "field": "my_nested_object",
                                        "offset": 0
                                    },
                                    "_score": 0.2876821,
                                    "_source": {
                                        "name": "spock"
                                    }
                                }
                            ],
                            "max_score": 0.2876821,
                            "total": 1
                        }
                    }
                }
            }
        ],
        "max_score": 0.2876821,
        "total": 1
    },
    "timed_out": false,
    "took": 59
}

Result with DLS:

{
    "_shards": {
        "failed": 0,
        "skipped": 0,
        "successful": 5,
        "total": 5
    },
    "hits": {
        "hits": [
            {
                "_id": "1",
                "_index": "my_index",
                "_score": 0.2876821,
                "_source": {
                    "owner": "admin",
                    "my_nested_object": {
                        "name": "spock"
                    }
                },
                "_type": "my_type",
                "inner_hits": {
                    "my_nested_object": {
                        "hits": {
                            "hits": ,
                            "max_score": null,
                            "total": 0
                        }
                    }
                }
            }
        ],
        "max_score": 0.2876821,
        "total": 1
    },
    "timed_out": false,
    "took": 39
}

On Tuesday, 30 January 2018 10:32:03 UTC+1, Andreas Berre wrote:
Hi,

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:
  indices:
    'some_index':
      '*':
        - UNLIMITED
      _dls_: '{"term": {"a_field": "${attr.jwt.a_claim}"}}'

This works fine, any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the dsl is applied I loose all nested hits in the query result. Removing the dsl solves the problem.

Im guessing the solution is related to how the dsl query is applied? Any suggestions?

Regards,
Andreas

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/57d0bb81-10d5-4ebb-8f53-ca04fe2403af%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Will be fixed with the next version of Search Guard this Wednesday/Thursday.

···

On Wednesday, January 31, 2018 at 9:34:51 PM UTC+1, Search Guard wrote:

Good catch, i looked into this and will fix it soon.

Thx for reporting

Am 30.01.2018 um 14:57 schrieb Andreas Berre andreas.berre@gmail.com:

Tested on a minimal setup, with DLS on the sg_all_access role:

sg_all_access:

indices:

'*':
  '*':
    - UNLIMITED
  _dls_: '{"term": {"owner": "${[user.name](http://user.name)}"}}'

PUT /my_index

{

"mappings": {
    "my_type" : {
        "properties" : {
            "owner" : {"type": "text"},
            "my_nested_object" : {"type" : "nested"}
        }
    }
}

}

PUT /my_index/my_type/1
{

"owner" : "admin",        
"my_nested_object" : {"name": "spock"}                

}

GET /_search

{

“query”: {

"nested": {
  "path": "my_nested_object",
  "query": {
    "match": {"[my_nested_object.name](http://my_nested_object.name)" : "spock"}
  },
  "inner_hits": {}
}

}

}

Result without DLS:

{

"_shards": {
    "failed": 0,
    "skipped": 0,
    "successful": 5,
    "total": 5
},
"hits": {
    "hits": [
        {
            "_id": "1",
            "_index": "my_index",
            "_score": 0.2876821,
            "_source": {
                "owner": "admin",
                "my_nested_object": {
                    "name": "spock"
                }
            },
            "_type": "my_type",
            "inner_hits": {
                "my_nested_object": {
                    "hits": {
                        "hits": [
                            {
                                "_nested": {
                                    "field": "my_nested_object",
                                    "offset": 0
                                },
                                "_score": 0.2876821,
                                "_source": {
                                    "name": "spock"
                                }
                            }
                        ],
                        "max_score": 0.2876821,
                        "total": 1
                    }
                }
            }
        }
    ],
    "max_score": 0.2876821,
    "total": 1
},
"timed_out": false,
"took": 59

}

Result with DLS:

{

"_shards": {
    "failed": 0,
    "skipped": 0,
    "successful": 5,
    "total": 5
},
"hits": {
    "hits": [
        {
            "_id": "1",
            "_index": "my_index",
            "_score": 0.2876821,
            "_source": {
                "owner": "admin",
                "my_nested_object": {
                    "name": "spock"
                }
            },
            "_type": "my_type",
            "inner_hits": {
                "my_nested_object": {
                    "hits": {
                        "hits": [],
                        "max_score": null,
                        "total": 0
                    }
                }
            }
        }
    ],
    "max_score": 0.2876821,
    "total": 1
},
"timed_out": false,
"took": 39

}

On Tuesday, 30 January 2018 10:32:03 UTC+1, Andreas Berre wrote:

Hi,

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:

indices:

'some_index':
  '*':
    - UNLIMITED
  _dls_: '{"term": {"a_field": "${attr.jwt.a_claim}"}}'

This works fine, any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the dsl is applied I loose all nested hits in the query result. Removing the dsl solves the problem.

Im guessing the solution is related to how the dsl query is applied? Any suggestions?

Regards,
Andreas


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/57d0bb81-10d5-4ebb-8f53-ca04fe2403af%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

This is fixed with 6.x-21 version of Search Guard.

···

On Monday, February 5, 2018 at 11:20:31 AM UTC+1, Jochen Kressin wrote:

Will be fixed with the next version of Search Guard this Wednesday/Thursday.

On Wednesday, January 31, 2018 at 9:34:51 PM UTC+1, Search Guard wrote:

Good catch, i looked into this and will fix it soon.

Thx for reporting

Am 30.01.2018 um 14:57 schrieb Andreas Berre andreas.berre@gmail.com:

Tested on a minimal setup, with DLS on the sg_all_access role:

sg_all_access:

indices:

'*':
  '*':
    - UNLIMITED
  _dls_: '{"term": {"owner": "${[user.name](http://user.name)}"}}'

PUT /my_index

{

"mappings": {
    "my_type" : {
        "properties" : {
            "owner" : {"type": "text"},
            "my_nested_object" : {"type" : "nested"}
        }
    }
}

}

PUT /my_index/my_type/1
{

"owner" : "admin",        
"my_nested_object" : {"name": "spock"}                

}

GET /_search

{

“query”: {

"nested": {
  "path": "my_nested_object",
  "query": {
    "match": {"[my_nested_object.name](http://my_nested_object.name)" : "spock"}
  },
  "inner_hits": {}
}

}

}

Result without DLS:

{

"_shards": {
    "failed": 0,
    "skipped": 0,
    "successful": 5,
    "total": 5
},
"hits": {
    "hits": [
        {
            "_id": "1",
            "_index": "my_index",
            "_score": 0.2876821,
            "_source": {
                "owner": "admin",
                "my_nested_object": {
                    "name": "spock"
                }
            },
            "_type": "my_type",
            "inner_hits": {
                "my_nested_object": {
                    "hits": {
                        "hits": [
                            {
                                "_nested": {
                                    "field": "my_nested_object",
                                    "offset": 0
                                },
                                "_score": 0.2876821,
                                "_source": {
                                    "name": "spock"
                                }
                            }
                        ],
                        "max_score": 0.2876821,
                        "total": 1
                    }
                }
            }
        }
    ],
    "max_score": 0.2876821,
    "total": 1
},
"timed_out": false,
"took": 59

}

Result with DLS:

{

"_shards": {
    "failed": 0,
    "skipped": 0,
    "successful": 5,
    "total": 5
},
"hits": {
    "hits": [
        {
            "_id": "1",
            "_index": "my_index",
            "_score": 0.2876821,
            "_source": {
                "owner": "admin",
                "my_nested_object": {
                    "name": "spock"
                }
            },
            "_type": "my_type",
            "inner_hits": {
                "my_nested_object": {
                    "hits": {
                        "hits": [],
                        "max_score": null,
                        "total": 0
                    }
                }
            }
        }
    ],
    "max_score": 0.2876821,
    "total": 1
},
"timed_out": false,
"took": 39

}

On Tuesday, 30 January 2018 10:32:03 UTC+1, Andreas Berre wrote:

Hi,

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:

indices:

'some_index':
  '*':
    - UNLIMITED
  _dls_: '{"term": {"a_field": "${attr.jwt.a_claim}"}}'

This works fine, any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the dsl is applied I loose all nested hits in the query result. Removing the dsl solves the problem.

Im guessing the solution is related to how the dsl query is applied? Any suggestions?

Regards,
Andreas


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/57d0bb81-10d5-4ebb-8f53-ca04fe2403af%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.