[Roles] Time range query in DLS filter

Search Guard
1

Elasticsearch version:
7.9.3 + sg plugin 47.0.0
Server OS version:
Centos 7
Kibana version
Kibana 7.8.1 + kibana sg plugin 43.0.0

Hi,
I would like to add dls filter into sg role.
I tried a few different queries but without succes.

Here what i tried:

{"query": { "bool": {"must": [ {"range": { "@timestamp": { "gte": "now-90d/d" } }} ]} } }

{ "query": { "bool": {"must": [ {"match_all":{}},{"range": { "@timestamp": { "gte": "now-90d/d" } }} ]} }}

{ "bool": {"must": [ {"match_all":{}},{"range": { "@timestamp": { "gte": "now-90d/d" } }} ]} }

{ "bool": {"must": [ {"match_all":{}},{"range": { "@timestamp": { "gte": "now-90d/d", "lte": "now/d" } }} ]} }

I added role without dls filter, afterthat i added index-pattern of that index. When i modifed role and added dls filter, in Discover i have this info:

{
  "took": 4498,
  "timed_out": false,
  "_shards": {
    "total": 1014,
    "successful": 991,
    "skipped": 991,
    "failed": 23,
    "failures": [
      {
        "shard": 0,
        "index": "network-devices-dd-2021.06.03-000037",
        "node": "MKPoUHwvRGOLUDbQ2A8XdQ",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: could not read the current timestamp",
          "index_uuid": "q63yv0ORRWWs9Rpo0BPQhw",
          "index": "network-devices-dd-2021.06.03-000037",
          "caused_by": {
            "type": "parse_exception",
            "reason": "could not read the current timestamp",
            "caused_by": {
              "type": "illegal_argument_exception",
              "reason": "'now' is not allowed in DLS queries"
            }
          }
        }
      },
...

Would you be so kind and help with that query?

2

Hello Patryk!

Search Guard DLS explicitly disallows the use of now in DLS queries. The reason for this it is that the current time (=now) must be evaluated on every shard separately when using DLS and so the resolved “now” date would not be consistent across different nodes and even shards. If operating on a scale like hours or days this is not a concern but if operating on ms or sec level the results can be inconsistent.

If these circumstances are not a concern for you, you can add the option searchguard.unsupported.allow_now_in_dls: true to elasticsearch.yml. However, as the name of the option says, please be aware that this is an experimental and unsupported configuration.

3

Ok thank you so much for the fast answer

4

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.