Clarification is sought on the functionality sequence of order execution for document level security, field level security and field masking

chirumanem · February 9, 2024, 11:40am

We are looking for clarification regarding the functionality sequence of field level security, document level security and field masking order of execution.

Need further information about the following concerns.

First Concern:

We noticed that the DLS rule does not function if field masking and DLS are used together (i.e. both apply to the same field). Please refer: Creation of one role, how to set pattern-based anonymization to all fields in one rule?

Did OpenSearch document the order of execution for DLS, FLS and field masking? If not is there a strategy to document it?

Second Concern:

The other issue is connected to the role combinations.

A user with both roles is created if you have one role with a field masking rule (which means user cannot view certain data) and another role without a field masking rule (which means user can see all data). Theoretically, he should be able to see the data clearly; nevertheless, OpenSearch uses the field masking rule.

In this case, why is OpenSearch using the field masking rule?

Mantas · February 13, 2024, 4:45pm

Hi @chirumanem,

The sequence: FLS is applied first and then DLS, field masking occurs before DLS as well, based on tests in my lab.

You might be interested in the below as well:

github.com/opensearch-project/security

[BUG] "Field level security" and "Field masking definitions" don't work together with "Document level security"

opened 10:58AM - 31 Aug 23 UTC

rafaelma

help wanted triaged

**What is the bug?** "Field level security (FLS)" and "Field masking definition…s(FMD)" don't work as expected, together with "Document level security(DLS)" FLS/FMD get applied only to the index-pattern definition in the role and bypass the DLS definition When having 2 roles using "Document level security" to restrict the role to a subset of documents in an index, and one of them also uses "Field level security" and/or "Field masking definitions", the restriction to the fields defined in one of the roles will affect the other role as well. **How can one reproduce the bug?** Steps to reproduce the behavior: 1. Create an index `"logs-component1"` 2. Update the index with 2 documents having these two fields: ``` { "product": "product-1", "description": "This is a document for product-1" } { "product": "product-2", "description": "This is a document for product-2" } ``` 3. Create 2 roles, A and B: ``` { "A": { "reserved": false, "hidden": false, "cluster_permissions": [], "index_permissions": [ { "index_patterns": [ "logs-component1" ], "dls": """{ "bool": { "must": [ { "match": { "product": "product-1" } } ] } }""", "fls": [], "masked_fields": [], "allowed_actions": [ "data_access" ] } ], "tenant_permissions": [], "static": false } } ``` ``` { "B": { "reserved": false, "hidden": false, "cluster_permissions": [], "index_permissions": [ { "index_patterns": [ "logs-component1" ], "dls": """{ "bool": { "must": [ { "match": { "product": "product-2" } } ] } }""", "fls": [], "masked_fields": [ "description" ], "allowed_actions": [ "data_access" ] } ], "tenant_permissions": [], "static": false } } ``` 4. Mapp user "rafael" to role A and B: ``` { "A": { "hosts": [], "users": [ "rafael" ], "reserved": false, "hidden": false, "backend_roles": [], "and_backend_roles": [] } } { "B": { "hosts": [], "users": [ "rafael" ], "reserved": false, "hidden": false, "backend_roles": [], "and_backend_roles": [] } } ``` 5. Search all documents in the index ``` { "took": 2, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 2, "relation": "eq" }, "max_score": 2, "hits": [ { "_index": "logs-component1", "_id": "cYWcRYoBA8cFetXWaUrZ", "_score": 2, "_source": { "product": "product-1", "description": "fa845b9b2b564e179180c26858748e79ce271d1cd3d3efaf72ea2dd031c18fda" } }, { "_index": "logs-component1", "_id": "coWcRYoBA8cFetXWe0o6", "_score": 2, "_source": { "product": "product-2", "description": "fa845b9b2b564e179180c26858748e79ce271d1cd3d3efaf72ea2dd031c18fda" } } ] } } ``` The document with `"_id": "cYWcRYoBA8cFetXWaUrZ"` should not get `"description" `masked because the user gets access to this document via role-A. **What is the expected behavior?** Use case: * We have an index with information about a component used by different products. The products are identified by a field ("product"). * We have two roles A and B. * A will give full access to all documents in the index with "product"="product-1" * B will give access to all documents in an index with "product"="product-2" but will restrict the access to one field in the index via "Field level security" or "Field anonymization" * An user gets mapped to role A and B * **_The user should get full access to all documents in the index with "product"="product-1", and restricted access to all documents with "product"="product-2"_** **What is your host/environment?** - OS: Ubuntu 22.04.2 LTS - Opensearch Version: 2.9 - Plugins: ``` $ /usr/share/opensearch/bin/opensearch-plugin list -v |egrep "Name|^Version" Name: opensearch-alerting Version: 2.9.0.0 Name: opensearch-anomaly-detection Version: 2.9.0.0 Name: opensearch-asynchronous-search Version: 2.9.0.0 Name: opensearch-cross-cluster-replication Version: 2.9.0.0 Name: opensearch-geospatial Version: 2.9.0.0 Name: opensearch-index-management Version: 2.9.0.0 Name: opensearch-job-scheduler Version: 2.9.0.0 Name: opensearch-knn Version: 2.9.0.0 Name: opensearch-ml Version: 2.9.0.0 Name: opensearch-neural-search Version: 2.9.0.0 Name: opensearch-notifications Version: 2.9.0.0 Name: opensearch-notifications-core Version: 2.9.0.0 Name: opensearch-observability Version: 2.9.0.0 Name: opensearch-performance-analyzer Version: 2.9.0.0 Name: opensearch-reports-scheduler Version: 2.9.0.0 Name: opensearch-security Version: 2.9.0.0 Name: opensearch-security-analytics Version: 2.9.0.0 Name: opensearch-sql Version: 2.9.0.0 ``` **Do you have any screenshots?** If applicable, add screenshots to help explain your problem. **Do you have any additional context?** Add any other context about the problem.

Best,
mj

chirumanem · February 29, 2024, 2:20pm

Hi Mantas,
Thank you for your response.

It would be really appreciated if we could ascertain when OpenSearch intends to address this bug and whether any plans are in place to record the issue in the meanwhile.
Could you please clarify the second point expressed above?

B/R
Chiranjeevi

Regards,
Chiranjeevi

chirumanem · March 12, 2024, 4:44am

Hi,
Any updates on these concerns?

B/R
Chiranjeevi

Topic		Replies	Views
Creation of one role, how to set pattern-based anonymization to all fields in one rule? Security	7	294	December 11, 2023
Pattern-based field masking disables the search Security	2	393	May 18, 2022
How is DLS applied when user has multiple roles Security	6	1153	February 2, 2024
Field-Level Security for Search/Aggregate Security	2	648	May 25, 2021
Configure document level security Security	1	827	May 17, 2021

Clarification is sought on the functionality sequence of order execution for document level security, field level security and field masking

Related topics