Empty document-level security statement causes filtering of results

Faiglindra · November 15, 2022, 9:25am

Versions:
OpenSearch 1.3 on AWS
OpenSearchDashboards 1.3.2

Describe the issue:

I have a question or maybe an issue regarding document-level security statement in role definitons.

I have a user mapped to a role. The role allows read (and more) on an index pattern. The role has no document level security statement defined. As this is optional I expect to have full read access to the indices matching the pattern, but rather to opposite is the case. There is no hit when executing a simple search.

Only if adding a document level security statement that matches all documents, like so:

{ 
  "wildcard":
  {
    "project": "*"
   }
}

where project is a field in my documents, I get the expected results.

From documentation I would always expect that non existing document level security statement does mean no filtering at all and not that everything is filtered. Or not?

pablo · October 27, 2023, 2:16pm

@Faiglindra Would you mind sharing roles.yml and roles_mapping.yml?
Please also share the roles assigned to the test user.

Topic		Replies	Views
Document level security - filter does not work Security troubleshoot , configure	4	386	June 1, 2022
Error when specify Document Level Security query in roles Security troubleshoot , upgrade	12	648	August 1, 2022
Configure document level security Security	1	786	May 17, 2021
Clarification is sought on the functionality sequence of order execution for document level security, field level security and field masking Security	3	158	March 12, 2024
Document Groups and Document Level Security Security discuss	4	368	April 19, 2023

Empty document-level security statement causes filtering of results

Related Topics