We are currently exploring Open Distro security features for our (Java/Spring) application. Based on some experiments, it seems that Document-level security (DLS) only applies to queries? Currently, then, it is possible for the user to write data that would then become invisible to them because of DLS! This is obviously not desired in most applications.
Is there a current (or planned) feature which would allow DLS (or a similar concept) to be applied transparently when data is written (and fail the request if the data does not satisfy the constraints)?
Currently, the only options seem to be to duplicate the constraints that we express as DLS into application logic for writes and/or an ingest pipeline doing a similar thing. The lack of this data protection on writes also prevents us from using user impersonation. Any ideas welcome from people who may have solved a similar problem in other ways.
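
The application-side option mentioned above, as an added example that is not part of the original post and is not Open Distro code: a write guard that evaluates the role's DLS query against the document before indexing and rejects it if the writer could not read it back. All names (`guard_write`, `matches`, `SAMPLE_DLS`) and the sample role are hypothetical; it assumes the DLS query uses only `match_all`, `term`, `terms` and `bool` on exact-value (keyword or numeric) fields, and it refuses anything else rather than guessing.

```python
class DlsViolation(Exception):
    """The document would not be visible to its writer under the DLS query."""

def field_values(doc, path):
    """Values at a dotted path, with arrays flattened as the index does."""
    nodes = [doc]
    for part in path.split("."):
        found = []
        for node in nodes:
            if isinstance(node, dict) and part in node:
                value = node[part]
                found.extend(value if isinstance(value, list) else [value])
        nodes = found
    return nodes

def as_list(clauses):
    return clauses if isinstance(clauses, list) else [clauses]

def matches(query, doc):
    """Evaluate a subset of the query DSL (exact-value fields assumed)."""
    (kind, body), = query.items()  # exactly one clause per query object
    if kind == "match_all":
        return True
    if kind == "term":
        (path, want), = body.items()
        want = want["value"] if isinstance(want, dict) else want
        return want in field_values(doc, path)
    if kind == "terms":
        (path, wanted), = body.items()
        return any(v in wanted for v in field_values(doc, path))
    if kind == "bool":
        must = as_list(body.get("must", [])) + as_list(body.get("filter", []))
        should = as_list(body.get("should", []))
        if must and should:  # default minimum_should_match varies; do not guess
            raise ValueError("bool with must/filter and should is not supported")
        if any(matches(q, doc) for q in as_list(body.get("must_not", []))):
            return False
        if should:
            return any(matches(q, doc) for q in should)
        return all(matches(q, doc) for q in must)
    raise ValueError(f"unsupported DLS clause: {kind}")  # fail closed

def guard_write(dls_query, doc):
    """Raise before indexing if the writer could not read the document back."""
    if not matches(dls_query, doc):
        raise DlsViolation("document does not satisfy the role's DLS query")
    return doc

# Constructed sample: a role limited to its own tenant's non-archived documents.
SAMPLE_DLS = {"bool": {"must": [{"term": {"tenant": "acme"}}],
                       "must_not": [{"terms": {"status": ["archived"]}}]}}
```

For partial updates the guard has to run on the merged document that would result, not on the patch alone, since a change to one field can move the document outside the query.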