Terms lookup in DLS query

Search Guard
1

Hi,

Ran into trouble after defining a terms lookup query as a part of a DLS filter. Query fails with type":“illegal_state_exception”,“reason”:“async actions are left after rewrite”. The lookup-query executes without issue if submitted directly with a non-DLS enabled user.

Are lookup queries supported?

Using search-guard-6:6.7.2-25.0, DLS def:

dls: {“terms”:{“somefield”:{“index”:“some-index”,“id”:“${attr.jwt.someproperty}”,“path”:“somepath”,“type”:“sometype”}}}’

response:
{
“error”:{“root_cause”:
[
{“type”:“query_shard_exception”,
“reason”:"failed to create query: { “terms” : { “somefield” : { “index” : “some-index”, “type” : “sometype”, “id” : “asdf, “path” : “somepath” }, “boost” : 1.0 }}”,“index_uuid”:“sRhY1f7mQOu0tDTZMvM4YQ”,“index”:“some-other-index”}],
“type”:“search_phase_execution_exception”,
“reason”:“all shards failed”,
“phase”:“query”,
“grouped”:true,
“failed_shards”:[
{“shard”:0,
“index”:“some-other-index”,
“node”:“wCxy-6KbSoWrbDXCTtTvWQ”,
“reason”:{“type”:“query_shard_exception”,
“reason”:“failed to create query: { “terms” : { “somefield” : { “index” : “some-index”, “type” : “sometype”, “id” : “asdf”, “path” : “somepath” }, “boost” : 1.0 }}”,
“index_uuid”:“sRhY1f7mQOu0tDTZMvM4YQ”,
“index”:“some-other-index”,
“caused_by”:{
“type”:“illegal_state_exception”,
“reason”:“async actions are left after rewrite”
}
}
}
]
},
“status”:400
}

2

Terms lookup is not supported in DLS. I have to admin the error message is not optimal here :slight_smile:

Queries where remote calls are involved are not supported. This is currently:

  • terms query with terms lookup
  • geo_shape query with indexed shapes
  • percolate query
4

Thanks for the prompt reply. I will figure out some wiorkaround.

And yeah, the error msg could stand some improvement :slight_smile:

-andreas

5

@cstaley: btw, the docs (Search Guard document-level security basics | Security for Elasticsearch | Search Guard) claim that DLS queries “supports the full range of the Elasticsearch query DSL”, might want to reference the limitations.

-andreas

6

True, and thanks for pointing this out. We will add a “Limitations” section in the docs to make it more clear what you can and can’t do with DLS.

7

We’ve added a “Limitations” section to the DLS docs.