hardcoded account filter shows this in logs by comparison:
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Check rule 3.: ACRule [hosts=null, users=[test1], roles=null, indices=[logstash-*], aliases=null, filters_execute=[dlsfilter.acc_test1], filters_bypass=, isDefault()=false, Comment=“logstash test org”]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] → User test1 match
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] → Role wildcard match
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] → Host wildcard match
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Identity would match, see if aliases and indices are also ok?
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] → Alias wildcard match
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] typeAndMatch(): request logstash-2015.11.11, granted logstash-, requestedTypes []
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Wildcard indices/aliases: logstash-2015.11.11 → logstash-*
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Wildcard without types: logstash-2015.11.11 → logstash-*
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] -->Index logstash-2015.11.11 match logstash-*
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Index logstash-2015.11.11 has a matching pattern
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] ----> APPLY RULE <---- which means the following executeFilters: [dlsfilter.acc_test1]/bypassFilters:
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Final executeFilters: [dlsfilter.acc_test1]/bypassFilters:
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.RequestActionFilter] REQUEST on node estest: indices:data/read/search (class org.elasticsearch.action.search.SearchRequest) from INTRANODE
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.RequestActionFilter] Context [searchguard.dlsfilter.acc_false.filters=>[account, field, false], searchguard.dlsfilter.acc_test2.filters=>[term, account, test2, false], searchguard_authenticated_user=>User [name=test1, roles=[loguser, kibana]], searchguard_filter=>[dlsfilter:acc_false, dlsfilter:acc_true, dlsfilter:acc_test2, dlsfilter:acc_test1], searchguard.dlsfilter.acc_test1.filters=>[term, account, test1, false], _searchguard_token_evaluator=>com.floragunn.searchguard.tokeneval.TokenEvaluator@391b1543, searchguard_resolved_rest_address=>dc1.preprod.local/172.16.31.60, searchguard.dlsfilter.acc_true.filters=>[account, field, true], searchguard_ac_evaluator=>com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator@4de47fa7]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.RequestActionFilter] Headers [searchguard.dlsfilter.acc_true.filters, searchguard.dlsfilter.acc_false.filters, searchguard_authenticated_user, searchguard.dlsfilter.acc_test1.filters, searchguard_ac_evaluator, searchguard_filter, searchguard_resolved_rest_address, searchguard.dlsfilter.acc_test2.filters]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.RequestActionFilter] TYPE: rest authenticated request, apply filters
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.DLSActionFilter] REQUEST on node estest: indices:data/read/search (class org.elasticsearch.action.search.SearchRequest) from INTRANODE
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.DLSActionFilter] Context [searchguard.dlsfilter.acc_false.filters=>[account, field, false], searchguard.dlsfilter.acc_test2.filters=>[term, account, test2, false], searchguard_authenticated_user=>User [name=test1, roles=[loguser, kibana]], searchguard_filter=>[dlsfilter:acc_false, dlsfilter:acc_true, dlsfilter:acc_test2, dlsfilter:acc_test1], searchguard.dlsfilter.acc_test1.filters=>[term, account, test1, false], _searchguard_token_evaluator=>com.floragunn.searchguard.tokeneval.TokenEvaluator@391b1543, searchguard_resolved_rest_address=>dc1.preprod.local/172.16.31.60, searchguard.dlsfilter.acc_true.filters=>[account, field, true], searchguard_ac_evaluator=>com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator@4de47fa7]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.DLSActionFilter] Headers [searchguard.dlsfilter.acc_true.filters, searchguard.dlsfilter.acc_false.filters, searchguard_authenticated_user, searchguard.dlsfilter.acc_test1.filters, searchguard_ac_evaluator, searchguard_filter, searchguard_resolved_rest_address, searchguard.dlsfilter.acc_test2.filters]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.DLSActionFilter] TYPE: rest authenticated request, apply filters
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.FLSActionFilter] REQUEST on node estest: indices:data/read/search (class org.elasticsearch.action.search.SearchRequest) from INTRANODE
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.FLSActionFilter] Context [searchguard.dlsfilter.acc_false.filters=>[account, field, false], searchguard.dlsfilter.acc_test2.filters=>[term, account, test2, false], searchguard_authenticated_user=>User [name=test1, roles=[loguser, kibana]], searchguard_filter=>[dlsfilter:acc_false, dlsfilter:acc_true, dlsfilter:acc_test2, dlsfilter:acc_test1], searchguard.dlsfilter.acc_test1.filters=>[term, account, test1, false], _searchguard_token_evaluator=>com.floragunn.searchguard.tokeneval.TokenEvaluator@391b1543, searchguard_resolved_rest_address=>dc1.preprod.local/172.16.31.60, searchguard.dlsfilter.acc_true.filters=>[account, field, true], searchguard_ac_evaluator=>com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator@4de47fa7]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.FLSActionFilter] Headers [searchguard.dlsfilter.acc_true.filters, searchguard.dlsfilter.acc_false.filters, searchguard_authenticated_user, searchguard.dlsfilter.acc_test1.filters, searchguard_ac_evaluator, searchguard_filter, searchguard_resolved_rest_address, searchguard.dlsfilter.acc_test2.filters]
[2015-11-11 12:35:54,046][DEBUG][com.floragunn.searchguard.filter.FLSActionFilter] TYPE: rest authenticated request, apply filters
Just from comparing logs it doesn’t look like it event attempts to filter when using the username → field filter.
···
On Wednesday, November 11, 2015 at 12:27:25 PM UTC-8, Rory Schramm wrote:
per the documentation I should be able to allow/block a record if a field contains the elasticsearch user as a value. However, I haven’t been able to get this to work.
However, if i hard code the field value (filter b in the examples from documentation below), It works correctly. However, that doesn’t really work since we’re going to have a lot of kibana users in elasticsearch. It would be nice if I could just match against the logged in user.
When I have access control configured to match against current user kibana shows all records not just the records for that user. I have tried both false and true field conditions but neither work. I also tried using the logstash .raw fields but that doesn’t work either.
from documentation:
searchguard.dlsfilter.names: [“a”, “b”, “c”, “d”, “e”, “f”, “g”]
searchguard.dlsfilter.d: [“user_name”,“field”, “false”]
searchguard.dlsfilter.b: [“term”, “field”,“value”, “false”]
searchguard.dlsfilter.e: [“user_roles”,“field”, “false”]
…
elasticsearch.yml:
searchguard.authentication.settingsdb.user.test1: test1
searchguard.authentication.settingsdb.user.test2: test2
searchguard.authentication.authorization.settingsdb.roles.test1: [“kibana”,“loguser”]
searchguard.authentication.authorization.settingsdb.roles.test2: [“kibana”,“loguser”]
#filter by field value
searchguard.dlsfilter.names: [“acc_test1”,“acc_test2”,“acc_false”,“acc_true”]
searchguard.dlsfilter.acc_test1: [“term”, “account”, “test1”, “false”]
searchguard.dlsfilter.acc_test2: [“term”, “account”, “test2”, “false”]
searchguard.dlsfilter.acc_false: [“account”,“field”, “false”]
searchguard.dlsfilter.acc_true: [“account”,“field”, “true”]
curl -XPUT ‘http://localhost:9200/searchguard/ac/ac?pretty’ -d ’
{“acl”: [
{
“Comment”: “Default is to execute no filters - return no results”,
“filters_bypass”: ,
“filters_execute”:
},
{
“Comment”: “kibana index”,
“roles” : [“kibana”],
“indices”: [“kibana-*”],
“filters_bypass”: [“*”],
“filters_execute”:
},
{
“Comment”: “logstash indices read/write”,
“roles” : [“logstash”],
“indices”: [“logstash-*”],
“filters_bypass”: [“*”],
“filters_execute”:
},
{
“Comment”: “logstash test org”,
“users” : [“test1”],
“indices”: [“logstash-*”],
“filters_bypass”: ,
“filters_execute”: [“dlsfilter.acc_false”]
}
]}’
Log’s aren’t really that helpful:
[2015-11-11 12:26:20,538][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=test1, roles=[logreader, kibana]]
[2015-11-11 12:26:20,542][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=test1, roles=[logreader, kibana]]
[2015-11-11 12:26:20,543][WARN ][com.floragunn.searchguard.filter.SearchGuardActionFilter] Cannot determine types for indices:admin/get (class org.elasticsearch.action.admin.indices.get.GetIndexRequest) due to types method not found
…