Document-level security - substitution for array of attributes

I have a groups claim on my JWT token which contains an array of multiple strings (UUIDs).
I want to apply DLS using these attributes, e.g.

"dls": "{\"terms_set\": { \"group_permissions\":{ \"terms\":[\"${attr.jwt.groups_ids}\"],\"minimum_should_match_script\": { \"source\": \"1\"}}}}"

However, since the claim is read in as a String, the underlying query is not substituted correctly:

queries={documents=[{"terms_set": { "group_permissions":{ "terms":["[71b460f8-6f5c-476d-acac-4ec54069fbb7, 02f008a5-253d-4b1b-8abe-c3da1513ded8]"],"minimum_should_match_script": { "source": "1"}}}}]]}

Is there any way around this?

For anyone interested my workaround was:

  • In the document mapping for group_permissions add a text type with an analyzer of keyword and a custom search_analyzer which tokenizes on comma
  • Add the claim group_id_list to my JWT cookie which creates a comma separated String of groups, e.g. "group_id_list": "02f008a5-253d-4b1b-8abe-c3da1513ded8,12d763a0-1096-4b05-8b19-4a16b20808cc"
  • Use a match query as the DLS query: "dls": "{\"match\":{\"group_permissions.text\":\"${attr.jwt.groupIdList}\"}}"

e.g.

"group_permissions": {
  "type": "keyword",
  "fields": {
    "text": {
      "type": "text",
      "analyzer": "keyword",
      "search_analyzer": "comma_analyzer"
    }
  }
}
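The workaround above references a `comma_analyzer` but does not show its definition, and it is easy to get the query-side tokenisation subtly wrong. The following is an added example, constructed for this page and not the poster's own code, that puts the whole thing together: the index settings that define `comma_analyzer` as a `pattern` tokenizer, the mapping from the post, the DLS template as it would sit in a role definition, and a hand-rolled evaluator that shows why the comma-joined claim matches while the stringified array claim does not. It assumes an Elasticsearch-style index API with a `pattern` tokenizer and Search Guard-style `${attr.jwt.<claim>}` substitution; `comma_analyzer`, `group_permissions` and `group_id_list` come from the post, while `comma_tokenizer`, the helper functions and the fail-closed behaviour on a missing claim are assumptions of this example.

```python
"""End-to-end model of the comma-separated-claim DLS workaround.
Added example, not the original poster's code. Assumes an Elasticsearch-
style index API (pattern tokenizer, custom analyzers) and Search Guard-style
${attr.jwt.<claim>} substitution. comma_tokenizer and the helpers below are
hypothetical names chosen for this example."""
import json
import re

# Index body. comma_analyzer is defined here as a pattern tokenizer that splits
# on commas with optional surrounding whitespace. No lowercase filter on
# purpose: the index side uses the `keyword` analyzer, so a query token must
# equal the stored UUID character for character.
INDEX_BODY = {
    "settings": {
        "analysis": {
            "tokenizer": {
                "comma_tokenizer": {"type": "pattern", "pattern": r"\s*,\s*"}
            },
            "analyzer": {
                "comma_analyzer": {"type": "custom", "tokenizer": "comma_tokenizer"}
            },
        }
    },
    "mappings": {
        "properties": {
            "group_permissions": {
                "type": "keyword",
                "fields": {
                    "text": {
                        "type": "text",
                        "analyzer": "keyword",
                        "search_analyzer": "comma_analyzer",
                    }
                },
            }
        }
    },
}

# The DLS query as it sits in the role definition: a JSON query serialised to
# a string, with the claim placeholder inside the match value.
DLS_TEMPLATE = json.dumps(
    {"match": {"group_permissions.text": "${attr.jwt.group_id_list}"}}
)

PLACEHOLDER = re.compile(r"\$\{attr\.jwt\.([A-Za-z0-9_]+)\}")


def substitute(template, claims):
    """Mimic placeholder substitution: every claim is inserted as a plain
    string. An array claim is rendered Java-style as '[a, b]', the form seen in
    the post's failing query. A missing claim raises (fail closed) instead of
    leaving the placeholder in place; that is an assumption of this example."""
    def render(match):
        value = claims[match.group(1)]
        if isinstance(value, list):
            return "[" + ", ".join(str(v) for v in value) + "]"
        return str(value)
    return PLACEHOLDER.sub(render, template)


def search_tokens(value):
    """Reference behaviour of comma_analyzer on the query side."""
    return [tok for tok in re.split(r"\s*,\s*", value) if tok]


def index_tokens(stored_values):
    """Reference behaviour of the `keyword` analyzer on the index side:
    each stored group id becomes exactly one token, untouched."""
    return list(stored_values)


def document_visible(doc_groups, claims):
    """Evaluate the substituted DLS query by hand. A match query on a text
    field ORs its analysed terms (operator defaults to 'or'), so the document
    is visible when at least one JWT group token equals a stored group id,
    the same minimum_should_match=1 semantics the terms_set attempt aimed for."""
    query = json.loads(substitute(DLS_TEMPLATE, claims))
    needle = query["match"]["group_permissions.text"]
    return bool(set(search_tokens(needle)) & set(index_tokens(doc_groups)))


# Constructed sample data; the UUIDs are the ones quoted in the post.
DOC_GROUPS = ["02f008a5-253d-4b1b-8abe-c3da1513ded8",
              "71b460f8-6f5c-476d-acac-4ec54069fbb7"]
GOOD_CLAIMS = {"group_id_list": "02f008a5-253d-4b1b-8abe-c3da1513ded8,"
                                "12d763a0-1096-4b05-8b19-4a16b20808cc"}
ARRAY_CLAIMS = {"group_id_list": ["02f008a5-253d-4b1b-8abe-c3da1513ded8",
                                  "12d763a0-1096-4b05-8b19-4a16b20808cc"]}
OTHER_CLAIMS = {"group_id_list": "12d763a0-1096-4b05-8b19-4a16b20808cc"}

if __name__ == "__main__":
    print(json.dumps(INDEX_BODY, indent=2))
    print("comma claim ->", document_visible(DOC_GROUPS, GOOD_CLAIMS))   # True
    print("array claim ->", document_visible(DOC_GROUPS, ARRAY_CLAIMS))  # False: '[uuid' and 'uuid]'
    print("other group ->", document_visible(DOC_GROUPS, OTHER_CLAIMS))  # False
```

Two practitioner checks follow from the model. First, the match query grants access when any one of the caller's groups appears on the document, so the comma-joined claim has the same "at least one group" semantics as the original `terms_set` with `minimum_should_match` 1; if you need "all groups" you would need `operator: and`, which the plain `match` string form in the post does not express. Second, because the document side is analysed with `keyword` and the search side only splits on commas, the values must be byte-identical (same case, no stray whitespace), and the whole scheme only holds if the comma-joined string is produced by the token issuer inside the signed JWT rather than anything the client can edit.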