Document Level Security fails with nested documents

Hello!

I tried to set up Document Level Security on my index, which has not only regular but also nested documents, but when I try a simple search request:
_search?pretty=true&q=*

I get an error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_state_exception",
        "reason" : "Parent query must not match any docs besides parent filter. Combine them as must (+) and must-not (-) clauses to find a problem doc. docID=1"
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : "my-index",
        "node" : "pWhrtIQPRdCWuw6hyeGCwQ",
        "reason" : {
          "type" : "illegal_state_exception",
          "reason" : "Parent query must not match any docs besides parent filter. Combine them as must (+) and must-not (-) clauses to find a problem doc. docID=1"
        }
      }
    ],
    "caused_by" : {
      "type" : "illegal_state_exception",
      "reason" : "Parent query must not match any docs besides parent filter. Combine them as must (+) and must-not (-) clauses to find a problem doc. docID=1",
      "caused_by" : {
        "type" : "illegal_state_exception",
        "reason" : "Parent query must not match any docs besides parent filter. Combine them as must (+) and must-not (-) clauses to find a problem doc. docID=1"
      }
    }
  },
  "status" : 500
}

I tried it on different versions of Open Distro For Elasticsearch and OpenSearch and the error is still there.

I described the issue thoroughly on GitHub about 3 weeks ago, but see no reaction…
https://github.com/opensearch-project/security/issues/1187

Can you confirm the issue or tell me what I’m doing wrong?

@kostteg

I’ve reproduced your issue in OpenDistro 1.13.2. Looks like DLS doesn’t accept must_not on its own.
However, it will work with must.

I’ll check if there is any workaround.

@kostteg

Could you try below in your dsl?

{
  "bool": {
    "must": [
      {
        "exists": {
          "field": "field1"
        }
      }
    ],
    "must_not": [
      {
        "match": {
          "field1": "a"
        }
      }
    ]
  }
}

This is just a workaround and not a solution.

2 Likes

Looks like it’s working, thanks!
So I have to add a must exist clause for each field I’m using in my DLS query if I have nested docs in my index? And this ‘must exist’ clause should separate general docs from nested, right?

I’m still interested in what really causes this bug. I checked the OpenSearch source and see it already tries to separate nested docs from general docs. See NON_NESTED_QUERY here: security/DlsQueryParser.java at main · opensearch-project/security · GitHub

1 Like
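
The workaround from this thread, as an added example that is not part of the original posts or of the security plugin's code: a Python check that finds a DLS query consisting of must_not on its own and adds a must exists clause for each negated field. The function names and the set of handled leaf query types are assumptions for illustration, and the sample query is constructed from the one posted above.

```python
import json

# Leaf query types whose body is keyed by field name (assumed subset; extend as needed).
FIELD_KEYED = {"match", "match_phrase", "term", "terms", "prefix", "wildcard", "range"}
POSITIVE = ("must", "filter", "should")

def as_list(clauses):
    """A bool occurrence may hold one query object or a list; normalise to a list."""
    return clauses if isinstance(clauses, list) else [clauses]

def negated_fields(must_not):
    """Return the field names used by the leaf queries under must_not, in order."""
    fields = []
    for clause in as_list(must_not):
        for qtype, body in clause.items():
            if qtype == "exists":
                names = [body["field"]]
            elif qtype in FIELD_KEYED:
                names = [k for k in body if k not in ("boost", "_name")]
            else:
                # Compound or unknown clause: refuse to guess, review it by hand.
                raise ValueError(f"cannot derive a field from '{qtype}' clause")
            for name in names:
                if name not in fields:
                    fields.append(name)
    return fields

def is_negative_only(query):
    """True for a bool query with must_not and no must/filter/should clause."""
    bool_q = query.get("bool") if isinstance(query, dict) else None
    if not bool_q or not bool_q.get("must_not"):
        return False
    return not any(bool_q.get(k) for k in POSITIVE)

def apply_workaround(dls):
    """Take a DLS query as a JSON string; add must/exists if it is negative-only.

    Note: exists also hides documents that lack the field, so the rewritten
    query can only show fewer documents than the original, never more.
    """
    query = json.loads(dls)
    if not is_negative_only(query):
        return dls
    bool_q = query["bool"]
    bool_q["must"] = [{"exists": {"field": f}} for f in negated_fields(bool_q["must_not"])]
    return json.dumps(query)

if __name__ == "__main__":
    # Constructed sample: the must_not half of the query posted in the thread.
    print(apply_workaround('{"bool": {"must_not": [{"match": {"field1": "a"}}]}}'))
```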