How is DLS applied when user has multiple roles

This is more of a question around expected behavior/specification as I cannot determine the behavior via test and observe:

If a user is mapped to a Role A that grants read access to Index 1 with a document level security pattern match of :

{"term": { "_id": 1}}

And same user is mapped to a Role B that also grants read access to Index 1 with a document level security pattern match of :

{"term": { "_id": 2}}"

Which one wins out? Or do both apply?

In testing, it appears to be possibly related to the order in which ODFE processes the dls patterns but cannot confirm.

Anyone have any suggestions?

Hello all !
I would also be interested in knowing how the security plugin combines dsl originating from different roles.
Did you have te chance to understand how this is handled ?

Thanks
Christophe

Hi All, Tested this with 1.12.0, and if user is mapped to :
role A which has access to index B and dls of {“term”: { “_id”: 1}}
role B which also has access to index B and dls of {“term”: { “_id”: 2}}"

Then the rules are combined and user has access to only those 2 documents during search of the index.
Is this the behaviour you are seeing?

Hi @Anthony , thanks for trying :slight_smile:
Now please try with a user that has 2 roles:

  • One with with no DLS configured at all (that is to say it should have access to all documents).
  • One with DLS configured (for instance {“term”: { “_id”: 1}})

The expected behavior would be that the user has access to everything since the first roles allow that.
But what I am experiencing is the follwing : The user only has access to documents with {“term”: { “_id”: 1}}. However, if I change the first role to have DLS configured with a {“match_all” : {} } DLS, then the user sees all documents.

My analysis is that the plugin provides a DLS based on the union of all DLS of all roles. It ignores the fact that a role with no DLS is the same as a role with a {“match_all” : {} } DLS.

The workaround could be to set a {“match_all” : {} } DLS for roles allowing access to everything but it induces a performance overhead.

I hope this is clear.
Thanks
Christophe.