Hello all!
I would also be interested in knowing how the security plugin combines DLS originating from different roles.
Did you have the chance to understand how this is handled?
Hi All, Tested this with 1.12.0, and if user is mapped to:
role A which has access to index B and dls of {"term": {"_id": 1}}
role B which also has access to index B and dls of {"term": {"_id": 2}}
Then the rules are combined and user has access to only those 2 documents during search of the index.
Is this the behaviour you are seeing?
Hi @Anthony, thanks for trying
Now please try with a user that has 2 roles:
One with no DLS configured at all (that is to say it should have access to all documents).
One with DLS configured (for instance {"term": {"_id": 1}})
The expected behavior would be that the user has access to everything since the first role allows that.
But what I am experiencing is the following: The user only has access to documents with {"term": {"_id": 1}}. However, if I change the first role to have DLS configured with a {"match_all": {}} DLS, then the user sees all documents.
My analysis is that the plugin provides a DLS based on the union of all DLS of all roles. It ignores the fact that a role with no DLS is the same as a role with a {"match_all": {}} DLS.
The workaround could be to set a {"match_all": {}} DLS for roles allowing access to everything but it induces a performance overhead.
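As an added illustration (not code from this thread or from the security plugin itself), here is a small Python model of the two combination strategies discussed above: the observed one, which unions only the roles that carry a DLS query and so silently narrows access when one role has none, and the expected one, which treats a role without DLS as match_all. The role names, the `dls` field layout and the bool/should shape of the union are assumptions of the model, not the plugin's real internals.

```python
from typing import Optional

# Constructed role definitions: role A carries no DLS (should see everything),
# role B restricts index "b" to the document with _id 1, as in the thread.
ROLES = {
    "role_a": {"index": "b", "dls": None},
    "role_b": {"index": "b", "dls": {"term": {"_id": 1}}},
}
MATCH_ALL = {"match_all": {}}

def _union(queries: list) -> Optional[dict]:
    """Union of per-role filters as a bool/should query (None = unrestricted)."""
    if not queries:
        return None
    return {"bool": {"should": queries, "minimum_should_match": 1}}

def combine_dls_observed(roles: dict, index: str) -> Optional[dict]:
    """Behaviour reported in the thread: only roles that define a DLS are
    unioned; a role with dls=None is dropped, so access silently narrows."""
    return _union([r["dls"] for r in roles.values()
                   if r["index"] == index and r["dls"] is not None])

def combine_dls_expected(roles: dict, index: str) -> Optional[dict]:
    """Expected behaviour: a role with no DLS is equivalent to match_all, so
    one unrestricted role on the index makes the combined filter unrestricted."""
    queries = []
    for r in roles.values():
        if r["index"] != index:
            continue
        if r["dls"] is None or r["dls"] == MATCH_ALL:
            return None
        queries.append(r["dls"])
    return _union(queries)

def allowed_ids(dls: Optional[dict], docs: list) -> set:
    """Minimal evaluator for the query shapes used here: term, match_all, bool/should."""
    if dls is None or dls == MATCH_ALL:
        return {d["_id"] for d in docs}
    if "term" in dls:
        field, value = next(iter(dls["term"].items()))
        return {d["_id"] for d in docs if d.get(field) == value}
    if "bool" in dls:
        return set().union(*(allowed_ids(q, docs) for q in dls["bool"]["should"]))
    raise ValueError(f"unsupported query: {dls}")

if __name__ == "__main__":
    docs = [{"_id": 1}, {"_id": 2}, {"_id": 3}]  # constructed sample index
    print(sorted(allowed_ids(combine_dls_observed(ROLES, "b"), docs)))  # [1]
    print(sorted(allowed_ids(combine_dls_expected(ROLES, "b"), docs)))  # [1, 2, 3]
```

Running the model also reproduces the earlier reply (two term-based roles see the union of both documents) and the workaround (an explicit match_all DLS is honoured by both strategies), which is why the workaround costs a filter clause on every query.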