Terms lookup in DLS query


Ran into trouble after defining a terms lookup query as a part of a DLS filter. Query fails with "type":"illegal_state_exception","reason":"async actions are left after rewrite". The lookup-query executes without issue if submitted directly with a non-DLS enabled user.

Are lookup queries supported?

Using search-guard-6:6.7.2-25.0, DLS def:

dls: {"terms":{"somefield":{"index":"some-index","id":"${attr.jwt.someproperty}","path":"somepath","type":"sometype"}}}

"reason":"failed to create query: { "terms" : { "somefield" : { "index" : "some-index", "type" : "sometype", "id" : "asdf", "path" : "somepath" }, "boost" : 1.0 }}","index_uuid":"sRhY1f7mQOu0tDTZMvM4YQ","index":"some-other-index"}],
"reason":"all shards failed",
"reason":"failed to create query: { "terms" : { "somefield" : { "index" : "some-index", "type" : "sometype", "id" : "asdf", "path" : "somepath" }, "boost" : 1.0 }}",
"reason":"async actions are left after rewrite"

Terms lookup is not supported in DLS. I have to admit the error message is not optimal here :slight_smile:

Queries where remote calls are involved are not supported. These are currently:

  • terms query with terms lookup
  • geo_shape query with indexed shapes
  • percolate query
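
A pre-deployment check for the limitation listed above, as an added example that is not part of the original thread and not Search Guard code: it walks a DLS query and flags the three query types that need a remote call. The function names, the `COMPOUND` table (which covers only some compound queries) and the two extra sample definitions are constructed for illustration.

```python
import json

# Compound queries and the keys under which they hold sub-queries (assumed subset).
COMPOUND = {
    "bool": ("must", "filter", "should", "must_not"),
    "constant_score": ("filter",), "dis_max": ("queries",),
    "nested": ("query",), "has_child": ("query",), "has_parent": ("query",),
}

def find_unsupported(query, path=""):
    """Return (location, reason) for each query that needs a remote call."""
    findings = []
    for qtype, body in query.items():
        here = f"{path}{qtype}"
        if qtype == "percolate":
            findings.append((here, "percolate query"))
        elif qtype == "terms":
            # Plain terms maps field -> list of values; a lookup maps field -> object.
            for field, spec in body.items():
                if isinstance(spec, dict):
                    findings.append((f"{here}.{field}", "terms query with terms lookup"))
        elif qtype == "geo_shape":
            for field, spec in body.items():
                if isinstance(spec, dict) and "indexed_shape" in spec:
                    findings.append((f"{here}.{field}", "geo_shape query with indexed shapes"))
        elif qtype in COMPOUND:
            # Only descend where sub-queries live, so field names are never
            # mistaken for query types.
            for clause in COMPOUND[qtype]:
                subs = body.get(clause, [])
                subs = subs if isinstance(subs, list) else [subs]
                for i, sub in enumerate(subs):
                    findings.extend(find_unsupported(sub, f"{here}.{clause}[{i}]."))
    return findings

def check_dls(dls_json):
    """Parse a DLS definition string and list the unsupported queries in it."""
    return find_unsupported(json.loads(dls_json))

# The DLS definition from the question (attribute placeholder left unresolved).
LOOKUP_DLS = '{"terms":{"somefield":{"index":"some-index","id":"${attr.jwt.someproperty}","path":"somepath","type":"sometype"}}}'
# Constructed sample: plain terms list plus a field that happens to be named "percolate".
PLAIN_DLS = '{"bool":{"must":[{"terms":{"dept":["a","b"]}},{"term":{"percolate":"x"}}]}}'
# Constructed sample: indexed shape nested in a bool filter.
SHAPE_DLS = '{"bool":{"filter":{"geo_shape":{"loc":{"indexed_shape":{"index":"shapes","id":"s1","path":"geo"}}}}}}'

if __name__ == "__main__":
    for dls in (LOOKUP_DLS, PLAIN_DLS, SHAPE_DLS):
        print(check_dls(dls) or "ok")
```

Running this over role definitions before they are loaded catches the unsupported filter at review time rather than as an "async actions are left after rewrite" failure at query time.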

Thanks for the prompt reply. I will figure out some workaround.

And yeah, the error msg could stand some improvement :slight_smile:


@cstaley: btw, the docs (https://docs.search-guard.com/latest/document-level-security) claim that DLS queries “supports the full range of the Elasticsearch query DSL”, might want to reference the limitations.


True, and thanks for pointing this out. We will add a “Limitations” section in the docs to make it more clear what you can and can’t do with DLS.

We’ve added a “Limitations” section to the DLS docs.