Document-level security - substitution for array of attributes

robmartin · November 30, 2020, 1:03pm

I have a groups claim on my JWT token which contains an array of multiple strings (UUIDs).
I want to apply DLS using these attributes eg

"dls": "{\"terms_set\": { \"group_permissions\":{ \"terms\":[\"${attr.jwt.groups_ids}\"],\"minimum_should_match_script\": { \"source\": \"1\"}}}}"

However since the claim is read in as a String the underlying query is not substituted correctly:

queries={documents=[{"terms_set": { "group_permissions":{ "terms":["[71b460f8-6f5c-476d-acac-4ec54069fbb7, 02f008a5-253d-4b1b-8abe-c3da1513ded8]"],"minimum_should_match_script": { "source": "1"}}}}]]}

Is there anyway around this?

robmartin · December 2, 2020, 8:11am

For anyone interested my workaround was:

In the document mapping for group_permissions add a text type with an an analyzer of keyword and a custom search_analyzer which tokenizes on comma
Add the claim group_id_list to my JWT cookie which creates a comma separated String of groups eg "group_id_list": "02f008a5-253d-4b1b-8abe-c3da1513ded8,12d763a0-1096-4b05-8b19-4a16b20808cc"
Use match query as DSL query: "dls": "{\"match\":{\"group_permissions.text\":\"${attr.jwt.groupIdList}\"}}}"

eg

"group_permissions": {
  "type": "keyword",
  "fields": {
    "text": {
      "type": "text",
      "analyzer": "keyword",
      "search_analyzer": "comma_analyzer"
    }
}

Topic		Replies	Views
Document-level security - String array filter Security	2	877	May 3, 2021
Document-Layer Security with parameter substitution from JWT token claims doesn't seem to work Security troubleshoot	2	387	June 16, 2023
How to use roles parameter substitution for DLS Security	2	674	December 14, 2021
DLS using multiple LDAP attributes in a term query Security configure	3	171	May 7, 2024
Tenants and parameter substitution Security	3	576	November 2, 2020

Document-level security - substitution for array of attributes

Related topics