Terms lookup in DLS query


Ran into trouble after defining a terms lookup query as a part of a DLS filter. Query fails with type":“illegal_state_exception”,“reason”:“async actions are left after rewrite”. The lookup-query executes without issue if submitted directly with a non-DLS enabled user.

Are lookup queries supported?

Using search-guard-6:6.7.2-25.0, DLS def:

dls: {“terms”:{“somefield”:{“index”:“some-index”,“id”:“${attr.jwt.someproperty}”,“path”:“somepath”,“type”:“sometype”}}}’

“reason”:"failed to create query: { “terms” : { “somefield” : { “index” : “some-index”, “type” : “sometype”, “id” : “asdf, “path” : “somepath” }, “boost” : 1.0 }}”,“index_uuid”:“sRhY1f7mQOu0tDTZMvM4YQ”,“index”:“some-other-index”}],
“reason”:“all shards failed”,
“reason”:“failed to create query: { “terms” : { “somefield” : { “index” : “some-index”, “type” : “sometype”, “id” : “asdf”, “path” : “somepath” }, “boost” : 1.0 }}”,
“reason”:“async actions are left after rewrite”

Terms lookup is not supported in DLS. I have to admin the error message is not optimal here :slight_smile:

Queries where remote calls are involved are not supported. This is currently:

  • terms query with terms lookup
  • geo_shape query with indexed shapes
  • percolate query

Thanks for the prompt reply. I will figure out some wiorkaround.

And yeah, the error msg could stand some improvement :slight_smile:


@cstaley: btw, the docs (Search Guard document-level security basics | Security for Elasticsearch | Search Guard) claim that DLS queries “supports the full range of the Elasticsearch query DSL”, might want to reference the limitations.


True, and thanks for pointing this out. We will add a “Limitations” section in the docs to make it more clear what you can and can’t do with DLS.

We’ve added a “Limitations” section to the DLS docs.