So I have an admin group and a public group. The admin group has my user defined and allows complete searching, the public group defines its users as '*' and has a DLS attached. Problem is, SG adds my defined user to both and then inherits the dls which I don't want. Any ideas?
sg_roles.yml
sg_admin:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'
sg_public:
  indices:
    '*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
    '-':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
      dls: '{ "term" : {"tags" : "devlogs" } }'
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
sg_roles_mapping.yml
sg_admin:
  users:
    - admin
    - daniel.kasen
sg_public:
  users:
    - '*'
Log:
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen, roles=]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/search from 10.0.11.193:36878
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [logstash-2016.06.21] from class org.elasticsearch.action.search.SearchRequest
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=39, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [logstash-2016.06.21]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [logstash-2016.06.21] to {}
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [logstash-2016.06.21]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin, sg_public]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [logstash-2016.06.21]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against /: [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_admin.*', evaluate other roles
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for -
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for -: [logstash-2016.06.21]
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for -, will check now types [*]
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for -/: [indices:admin/validate/query, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against -/: [indices:admin/validate/query, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index - remaining requested aliases and indices:
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index - remaining requested resolved types:
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_public.-', evaluate other roles
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [logstash-2016.06.21]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against /: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_public.*', evaluate other roles
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for ?kibana
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] No wildcard match found for ?kibana
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested aliases and indices: [logstash-2016.06.21]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested resolved types: [_all]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] dls query { "term" : {"tags" : "devlogs" } }
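A configuration check for the overlap reported in the post above, as an added example that is not part of the original post and not Search Guard code. It models only what the log shows (a user is mapped to every role whose users list matches, and a dls entry from any mapped role is applied); the dicts are constructed from the posted files with key names as they appear there, and matching user patterns with fnmatch is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed from the posted sg_roles.yml / sg_roles_mapping.yml, reduced to
# what matters here: which index patterns of a role carry a dls entry.
ROLES = {
    "sg_admin": {"indices": {"*": {"*": ["*"]}}},
    "sg_public": {"indices": {
        "*": {"*": ["READ"]},
        "-": {"*": ["READ"], "dls": '{ "term" : {"tags" : "devlogs" } }'},
        "?kibana": {"*": ["indices:data/read/search*"]},
    }},
}
ROLES_MAPPING = {
    "sg_admin": {"users": ["admin", "daniel.kasen"]},
    "sg_public": {"users": ["*"]},
}

def mapped_roles(user, mapping):
    """Roles whose users list matches the user, wildcard entries included."""
    return sorted(role for role, m in mapping.items()
                  if any(fnmatchcase(user, pat) for pat in m.get("users", [])))

def dls_entries(role, roles):
    """(index pattern, dls query) pairs defined by one role."""
    return [(idx, perms["dls"])
            for idx, perms in roles[role].get("indices", {}).items()
            if "dls" in perms]

def audit(mapping, roles):
    """Flag users named explicitly in a role without DLS who also pick up
    a DLS-bearing role through a wildcard users entry."""
    findings = []
    named = {u for m in mapping.values() for u in m.get("users", [])
             if not any(c in u for c in "*?")}
    for user in sorted(named):
        assigned = mapped_roles(user, mapping)
        unrestricted = [r for r in assigned if not dls_entries(r, roles)]
        for role in assigned:
            via_wildcard = user not in mapping[role].get("users", [])
            for idx, query in dls_entries(role, roles):
                if via_wildcard and unrestricted:
                    findings.append((user, role, idx, query))
    return findings

if __name__ == "__main__":
    for user, role, idx, query in audit(ROLES_MAPPING, ROLES):
        print(f"{user}: DLS from {role} on index pattern {idx!r}: {query}")
```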