Hello all !
I would also be interested in knowing how the security plugin combines dsl originating from different roles.
Did you have the chance to understand how this is handled?
Hi All, Tested this with 1.12.0, and if user is mapped to :
role A which has access to index B and DLS of {"term": { "_id": 1}}
role B which also has access to index B and DLS of {"term": { "_id": 2}}
Then the rules are combined and user has access to only those 2 documents during search of the index.
Is this the behaviour you are seeing?
Hi @Anthony , thanks for trying
Now please try with a user that has 2 roles:
One with no DLS configured at all (that is to say it should have access to all documents).
One with DLS configured (for instance {"term": { "_id": 1}})
The expected behavior would be that the user has access to everything since the first role allows that.
But what I am experiencing is the following: the user only has access to documents with {"term": { "_id": 1}}. However, if I change the first role to have DLS configured with a {"match_all" : {} } DLS, then the user sees all documents.
My analysis is that the plugin provides a DLS based on the union of all DLS of all roles. It ignores the fact that a role with no DLS is the same as a role with a {"match_all" : {} } DLS.
The workaround could be to set a {"match_all" : {} } DLS for roles allowing access to everything, but it induces a performance overhead.
Addition: in OpenSearch 2.9, this "{"match_all" : {} }" makes Opensearch Dashboard throw a 500 error.
I've replaced it with "{ "bool": { "must_not": [ { "match_phrase": { "host": "unexisted.name.here" } } ] } }" and it works now.
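To make the difference discussed in this thread concrete, here is an added example (not code from the thread's authors or from the OpenSearch security plugin) that models how DLS queries from several roles are unioned. It contrasts a combiner that ignores roles without DLS (the behaviour reported above, which over-restricts the user) with one that treats a missing DLS as `{"match_all": {}}`, and it checks that the `bool`/`must_not` workaround from the last post also grants access to every document. The sample documents, role names, and the tiny query evaluator (only `term`, `match_all`, `match_phrase`, and `bool`) are constructed for the example and are not the plugin's implementation.

```python
# Added example: models union of document-level security (DLS) queries across roles.
# Not the OpenSearch security plugin's code; roles, documents and the evaluator are constructed.

MATCH_ALL = {"match_all": {}}

# Constructed sample index "B" (hypothetical documents).
DOCS = [
    {"_id": 1, "host": "web-01"},
    {"_id": 2, "host": "web-02"},
    {"_id": 3, "host": "db-01"},
]

# Constructed roles: dls=None means "no DLS configured" (should see everything).
ROLES = {
    "role_no_dls": {"index": "B", "dls": None},
    "role_id_1": {"index": "B", "dls": {"term": {"_id": 1}}},
}

# Workaround from the thread for 2.9: an "allow all" DLS written without match_all.
ALLOW_ALL_WORKAROUND = {
    "bool": {"must_not": [{"match_phrase": {"host": "unexisted.name.here"}}]}
}


def matches(query, doc):
    """Evaluate the small query DSL subset used in this thread against one document."""
    if "match_all" in query:
        return True
    if "term" in query:
        (field, value), = query["term"].items()
        return doc.get(field) == value
    if "match_phrase" in query:
        (field, value), = query["match_phrase"].items()
        return doc.get(field) == value  # exact match stands in for phrase analysis
    if "bool" in query:
        b = query["bool"]
        if any(matches(q, doc) for q in b.get("must_not", [])):
            return False
        should = b.get("should", [])
        if should and not any(matches(q, doc) for q in should):
            return False
        return all(matches(q, doc) for q in b.get("must", []))
    raise ValueError(f"unsupported clause: {list(query)}")


def combine_dls_naive(roles):
    """Union of the DLS queries that are configured; roles without DLS are dropped.
    This reproduces the over-restrictive behaviour reported in the thread."""
    clauses = [r["dls"] for r in roles.values() if r["dls"] is not None]
    if not clauses:
        return MATCH_ALL
    return {"bool": {"should": clauses, "minimum_should_match": 1}}


def combine_dls_expected(roles):
    """Same union, but a role with no DLS counts as match_all, so the union
    collapses to match_all (no filtering at all)."""
    clauses = [MATCH_ALL if r["dls"] is None else r["dls"] for r in roles.values()]
    if any(c == MATCH_ALL for c in clauses):
        return MATCH_ALL
    return {"bool": {"should": clauses, "minimum_should_match": 1}}


def visible_ids(roles, combine, docs=DOCS):
    """Return the sorted _id values the user can see under the combined DLS query."""
    q = combine(roles)
    return sorted(d["_id"] for d in docs if matches(q, d))


if __name__ == "__main__":
    print("naive     :", visible_ids(ROLES, combine_dls_naive))     # [1]
    print("expected  :", visible_ids(ROLES, combine_dls_expected))  # [1, 2, 3]
    patched = {**ROLES, "role_no_dls": {"index": "B", "dls": ALLOW_ALL_WORKAROUND}}
    print("workaround:", visible_ids(patched, combine_dls_naive))   # [1, 2, 3]
```

The point of the two combiners is that a union is only correct if every role contributes a query; dropping the "no DLS" role silently narrows access to the other role's filter, which is what the thread observes. The workaround query passes the naive combiner because it is an explicit clause that matches every document, at the cost of evaluating a `must_not` per hit.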