Document deletion issue related to DLS

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): v 2.7.0

Describe the issue:
We have two users. Both of them have roles attached. The roles contain a DLS configuration with restrictions by a document field (each document contains an ID that is related to a specific user). One of them creates a document with an ID that is related to the creator. The second one tries to delete it (for the experiment he has only two permissions: “data/write/delete” and “data/write/bulk[s]”). The expected behavior is that the action will be denied. The actual behavior is that the document is deleted. The restriction works for reading (if the read permission is added).

DLS

{
  "bool": {
    "must": {
      "match": {
        "user_id": "6028c69c-87bc-4f7c-8954-414833e38cd8"
      }
    }
  }
}

Configuration: The default. Security was enabled.

Relevant Logs or Screenshots:

Thank you

Hi @_Anton
I have noticed that you have the delete permission in your screenshot. The user who is mapped to the role ROLE_1fb7e... can also delete a document.

Hi @Eugene7

Thank you for the answer.

Two points:

  • There are two roles and each role is mapped to the specific user i.e. each user has only one role mapped.
  • Each role has restrictions by DLS. An example of such an expression was added to the description part because I have no right to add multiple screenshots here.

Could you share the output of the following command? Please execute this command for both of your role names.

GET _plugins/_security/api/roles/<role_name>

Role:

{
    "ROLE_1fb7e951-d158-46ac-aad0-3c2df6a5b7f9": {
        "reserved": false,
        "hidden": false,
        "cluster_permissions": [
            "*"
        ],
        "index_permissions": [
            {
                "index_patterns": [
                    "test_entity"
                ],
                "dls": "{\"bool\":{\"must\":{\"match\":{\"user_id\":\"6028c69c-87bc-4f7c-8954-414833e38cd8\"}}}}",
                "fls": [],
                "masked_fields": [],
                "allowed_actions": [
                    "indices:data/write/delete",
                    "indices:data/write/bulk[s]"
                ]
            }
        ],
        "tenant_permissions": [],
        "static": false
    }
}

User:

{
   "hash":"",
   "reserved":false,
   "hidden":false,
   "backend_roles":[
   ],
   "opendistro_security_roles":[
      "ROLE_1fb7e951-d158-46ac-aad0-3c2df6a5b7f9"
   ],
   "static":false
}

Could you share your roles mapping?

GET _plugins/_security/api/rolesmapping

According to the tests in my lab, DLS does not affect delete operations and only applies for operations that read from an index.

{
    "security_manager": {
        "hosts": [],
        "users": [
            "admin"
        ],
        "reserved": false,
        "hidden": false,
        "backend_roles": [],
        "and_backend_roles": []
    },
    "ROLE_1fb7e951-d158-46ac-aad0-3c2df6a5b7f9": {
        "hosts": [],
        "users": [
            "USER_3a96dd6c-00f4-4904-85d9-ceb0059ca62c"
        ],
        "reserved": false,
        "hidden": false,
        "backend_roles": [],
        "and_backend_roles": []
    },
    "all_access": {
        "hosts": [],
        "users": [
            "admin"
        ],
        "reserved": false,
        "hidden": false,
        "backend_roles": [],
        "and_backend_roles": []
    }
}

It looks like it, but it’s quite strange. In such a case, it is impossible to protect a single specific document from deletion.

In order to fix it, you can create an issue for the Security plugin team at the following link:
Issues · opensearch-project/security · GitHub
Or you can create a documentation website issue:
Issues · opensearch-project/documentation-website · GitHub

@Eugene7 Thank you
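
An added example, not written by any poster in this thread or by the OpenSearch project: given the lab result above that DLS only filters reads, this sketch audits the JSON returned by `GET _plugins/_security/api/roles` and lists index permissions where a DLS query sits beside write or delete actions. The function names, the set of write-capable action groups, and the two extra sample roles are assumptions made for illustration.

```python
import re

# Write actions used as probes; the first two are the ones granted in the thread.
WRITE_PROBES = ["indices:data/write/delete", "indices:data/write/bulk[s]",
                "indices:data/write/index", "indices:data/write/update"]
# Assumption: action groups that expand to write actions; adjust for your cluster.
WRITE_GROUPS = {"write", "delete", "index", "crud", "data_access",
                "indices_all", "unlimited"}

def matches(pattern, action):
    """Match with '*' as the only wildcard, so 'bulk[s]' is compared literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def dls_write_gaps(roles):
    """Return (role, index_patterns, write_grants) where DLS sits beside write actions."""
    findings = []
    for name, role in roles.items():
        for perm in role.get("index_permissions", []):
            if not (perm.get("dls") or "").strip():
                continue  # no DLS query on this entry, so nothing to misread
            grants = [a for a in perm.get("allowed_actions", [])
                      if a in WRITE_GROUPS or any(matches(a, p) for p in WRITE_PROBES)]
            if grants:
                findings.append((name, perm.get("index_patterns", []), grants))
    return findings

# Constructed input: the role posted in the thread plus two hypothetical roles.
DLS = '{"bool":{"must":{"match":{"user_id":"6028c69c-87bc-4f7c-8954-414833e38cd8"}}}}'
SAMPLE_ROLES = {
    "ROLE_1fb7e951-d158-46ac-aad0-3c2df6a5b7f9": {"index_permissions": [{
        "index_patterns": ["test_entity"], "dls": DLS,
        "allowed_actions": ["indices:data/write/delete", "indices:data/write/bulk[s]"]}]},
    "reader_example": {"index_permissions": [{
        "index_patterns": ["test_entity"], "dls": DLS, "allowed_actions": ["read"]}]},
    "wildcard_example": {"index_permissions": [{
        "index_patterns": ["test_entity"], "dls": DLS,
        "allowed_actions": ["indices:data/write/*"]}]},
}

if __name__ == "__main__":
    for role, patterns, grants in dls_write_gaps(SAMPLE_ROLES):
        print(f"{role}: DLS on {patterns} does not limit {grants}")
```

Roles it reports are candidates for splitting: keep the DLS query on a read-only permission and grant delete only where deleting any document in the index is acceptable.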