Negating a set of indices via java regex in the sg_roles

Search Guard
1

Hi all,

is possible negating a set of indices via java regex in the sg_roles?
We tried to do something like:

sg_all_access:
cluster:
- UNLIMITED
indices:
/\``!seo-/':
'’:
- UNLIMITED
tenants:
adm_tenant: RW
test_tenant_ro: RW

So, every index is permit only “seo-*” not. We tried with some differents systax but any of them run… is not permit negating a couple set of words?

Many Thanks,
Christian Moreno

  • Search Guard version: 5.5.0

  • Elasticsearch version: 5.5.0-16

  • Java Version: java version “1.8.0_144”

  • Until now only Free licence

2

you can use whatever java regex supports: Pattern (Java Platform SE 7 )

Try '/(?!seo-.*$).*/' (no guarantees)

···

Am 27.11.2017 um 12:14 schrieb Christian Moreno Moreno <christian.moreno@idealo.de>:

Hi all,

is possible negating a set of indices via java regex in the sg_roles?
We tried to do something like:

sg_all_access:
  cluster:
    - UNLIMITED
  indices:
    '/\!seo-*/':
      '*':
        - UNLIMITED
  tenants:
    adm_tenant: RW
    test_tenant_ro: RW

So, every index is permit only "seo-*" not. We tried with some differents systax but any of them run... is not permit negating a couple set of words?

Many Thanks,
Christian Moreno

* Search Guard version: 5.5.0
* Elasticsearch version: 5.5.0-16
* Java Version: java version "1.8.0_144"
* Until now only Free licence

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/a1fec70f-39d6-4147-b396-5125b29de172%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

3

you can use whatever java regex supports: https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html

Try ‘/(?!seo-.$)./’ (no guarantees)

I’m having this issue today, too!

I have this:

indices:

 '/^(?!endpoints$|thing1$|thing2$|thing3$).*/':

   '*':

     - ALL

``

And there was no match. Debugging says:

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_most_access

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for *

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] Wildcard match for *: [endpoints-123]

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for , will check now types []

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] For index * remaining requested indextype: [IndexType [index=endpoints-123, type=*]]

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for /^(?!endpoints$|thing1$|thing2$|thing3$)

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for /^(?!endpoints$|thing1$|thing2$|thing3$)

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] For index /^(?!endpoints$|thing1$|thing2$|thing3$) remaining requested indextype: [IndexType [index=endpoints-123, type=*]]

[2017-11-29T17:15:24,801][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers sg_most_access=>[IndexType [index=endpoints-123, type=*]]

``

I’ve tried the regex through a java regex tester and it had a match. It’s as if it’s not treating it as a regex. Also odd that the trailing / in the debug output got dropped.

···

On Monday, November 27, 2017 at 9:25:05 AM UTC-8, Search Guard wrote:

4

NEVERMIND!

I didn’t realise the “don’t put a dot in the index” actually refers to not having a dot anywhere in the key, since ES will expand that into subkeys.

Once I turned .* into (?:\s|\S)* , it worked a treat.

Oh, I realise now that the “^” is unnecessary, since the code will surround the given pattern with “^” and “$” for you, enforcing a “whole string match”.