Document level security - filter does not work

Hey all,
I'm trying to set up a simple filter to enable document level security based on department id, but I can't get it to work. Each document has a field "message.departmentId". The role is created with the following query:

PUT _plugins/_security/api/roles/AppReader
{
  "index_permissions": [
    {
      "index_patterns": [
        "logs-app-*"
      ],
      "dls": "{\"term\": { \"message.departmentId\": 300}}",
      "allowed_actions": [
        "search"
      ]
    }
  ]
}

The internal user is also mapped to the correct role. But whenever that user does a query like the following:

GET logs-app-*/_search
{
  "query": {
    "term": { "message.departmentId": 350 }
  }
}

They still get access to the documents with that id value. Am I missing something in the configuration? I also tried the example of {"bool": {"must": {"match": {"message.departmentId": 300}}}}, but that didn't work either. Any help would be appreciated!

OpenSearch version: 2.0.0
Helm chart version: 2.0.1

Edit: something that might be related: I tried to change the DLS mode in opensearch.yml, but this gives the following error:

unknown setting [plugins.security.dls.mode] did you mean any of [plugins.security.disabled, plugins.security.audit.type, plugins.security.ssl_only, plugins.security.cert.oid]

@Arnaut I’ve tested your scenario and couldn’t reproduce your outcome.
I’ve used OpenSearch 2.0.

In my case I'm not getting any results when message.departmentId is equal to 350. I'm able to see all documents from multiple indexes with the value equal to 300.

Could you share a single document from the below query?

GET logs-app-*/_search
{
  "query": {
    "term": { "message.departmentId": 300 }
  }
}

Is this the only role that your test user is assigned?

Thanks for your reply!

This is the first hit in the id 300 result (I altered some fields with data I don't want to share, but the structure is the same). I forgot to mention that the indices are created with data streams.

{
  "_index" : ".ds-logs-app-aantekeninglog-000001",
  "_id" : "sQfTq38B86-5-FtzKsOi",
  "_score" : 1.0,
  "_source" : {
    "message" : {
      "logType" : "AantekeningLog",
      "departmentId" : 300,
      "logInfo" : {
        "tehuisPatientId" : 71000,
        "locatie" : "Prospects",
        "afdeling" : "Prospects1",
        "tehuisPatientAisId" : 10
      },
      "userId" : 34000,
      "logDescription" : "Client aantekeningen ingezien door medewerker",
      "userRoles" : [
        "Role1",
        "Role2"
      ],
      "logSource" : "sourcecode",
      "userName" : "myuser",
      "timestamp" : "2022-03-21T10:33:37.1925343+01:00"
    },
    "@timestamp" : "2022-03-21T09:33:37.210Z",
    "messageType" : [
      "UserActionLogCommand"
    ],
    "destinationAddress" : "rabbitmq.UserActionLogCommand",
    "@version" : "1",
    "headers" : { }
  }
}

Result from the query with id = 350:

{
  "_index" : ".ds-logs-app-apotheeklog-000002",
  "_id" : "rdUJLYABQeBqgvzDAPRM",
  "_score" : 1.0,
  "_source" : {
    "message" : {
      "logInfo" : {
        "agbCodeApotheek" : "code",
        "naamApotheek" : "name"
      },
      "userName" : "myuser2",
      "departmentId" : 350,
      "timestamp" : "2022-04-15T13:43:26.1685195+02:00",
      "logSource" : "sourcecode",
      "userId" : 38000,
      "logDescription" : "Apotheek toegevoegd",
      "logType" : "ApotheekLog",
      "userRoles" : [
        "Role1",
        "Role2"
      ]
    },
    "headers" : { },
    "destinationAddress" : "rabbitmq.UserActionLogCommand",
    "@version" : "1",
    "messageType" : [
      "UserActionLogCommand"
    ],
    "@timestamp" : "2022-04-15T11:43:26.178Z"
  }
}

The test user also has a role called "own_index" that was automatically mapped. I removed the mapping and tried again, but the results are the same.

@Arnaut I wasn't aware that you're using data streams, and you've created the role against the alias instead of the index.
Try ".ds-logs-app-*" as the index pattern in the role instead.

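As an added example (not code from the thread or from the OpenSearch project), here is a small Python check for the situation described in the answer above: it models how a role's index_patterns are matched against the concrete .ds-* backing indices that a search on a data stream resolves to, and reports which backing indices fall outside the permission that carries the DLS query. Two things are assumptions rather than verified plugin internals: pattern_matches() is a simplified model of the security plugin's wildcard handling ('*', '?' and a '/regex/' form), and BACKING_INDICES is constructed from the two hits posted earlier in the thread.

```python
"""Added example, not from the thread or from the OpenSearch project.

Models how a role's index_patterns are matched against the concrete .ds-*
backing indices that a data stream search resolves to, and reports which
backing indices fall outside the DLS-bearing permission.

Assumptions: pattern_matches() is a simplified model of the security plugin's
wildcard handling ('*', '?', '/regex/'); BACKING_INDICES is constructed from
the two hits posted in the thread.
"""
import json
import re

# Constructed sample: backing indices as they would appear under
# data_streams[].indices[].index_name in GET _data_stream/logs-app-*
BACKING_INDICES = [
    ".ds-logs-app-aantekeninglog-000001",
    ".ds-logs-app-apotheeklog-000002",
]


def pattern_matches(pattern: str, index_name: str) -> bool:
    """Simplified model of index pattern matching: a pattern wrapped in
    slashes is a regular expression; otherwise '*' matches any run of
    characters and '?' a single character, everything else is literal."""
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index_name) is not None
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, index_name) is not None


def make_role(index_patterns, department_id: int) -> dict:
    """Build the role body from the thread with the given index patterns."""
    return {
        "index_permissions": [
            {
                "index_patterns": list(index_patterns),
                # dls is a JSON-encoded query string, exactly as in the PUT above
                "dls": json.dumps({"term": {"message.departmentId": department_id}}),
                "allowed_actions": ["search"],
            }
        ]
    }


def uncovered_backing_indices(role: dict, backing_indices) -> list:
    """Backing indices that no DLS-carrying index_permission of the role
    matches. Hits served from these indices would not be filtered by the
    role's dls, which is consistent with the symptom seen in the thread."""
    dls_patterns = [
        pattern
        for perm in role["index_permissions"]
        if perm.get("dls")
        for pattern in perm["index_patterns"]
    ]
    return [
        idx for idx in backing_indices
        if not any(pattern_matches(p, idx) for p in dls_patterns)
    ]


# As posted: the pattern names the data stream (alias), not its backing indices.
ORIGINAL_ROLE = make_role(["logs-app-*"], 300)
# As suggested in the thread: the pattern names the backing indices.
FIXED_ROLE = make_role([".ds-logs-app-*"], 300)

if __name__ == "__main__":
    for name, role in (("original", ORIGINAL_ROLE), ("fixed", FIXED_ROLE)):
        missing = uncovered_backing_indices(role, BACKING_INDICES)
        print(f"{name}: uncovered backing indices = {missing}")
    print(json.dumps(FIXED_ROLE, indent=2))
```

Feed uncovered_backing_indices() the index_name values returned by GET _data_stream/logs-app-* before mapping users to the role; an empty list is the condition you want, and a new backing index created by rollover should be re-checked the same way. The check only covers pattern matching against index names; it does not evaluate the DLS query itself against documents.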

Yes that works perfectly!
I knew I was missing something.
Thanks for the help!