I’m trying to set up Document-Level Security using roles parameter substitution, but I can’t get it to work.
I have the following roles:
{
  "document-level-security": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "dls": "{\"bool\": {\"filter\": [{\"terms\": {\"origin_roles\": [${user.roles}]}}, {\"terms\": {\"department_roles\": [${user.roles}]}}]}}"
      }
    ]
  },
  "all_departments": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": ["read"]
      }
    ]
  },
  "origin-character": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": ["read"]
      }
    ]
  }
}
And the following document:
{
  "id": 1090,
  "title": "A title",
  "origin_roles": ["origin-character"],
  "department_roles": ["all_departments"]
}
I’m trying to search this document using the following user:
{
  "myuser": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": ["all_departments", "document-level-security", "origin-character"],
    "static": false
  }
}
I expected the search to work since the user has both the roles "all_departments" and "origin-character" to match the DLS query in "document-level-security", but I got no result.
Any idea?
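
Added example (not part of the original post and not the security plugin's code): a local Python model of how the posted DLS template expands for this user and whether the posted document passes the resulting filter. It assumes `${user.roles}` is replaced with the user's quoted backend roles, as the OpenSearch security documentation describes, and that a `terms` clause with an empty list matches no documents; `USER_WITH_BACKEND` is a constructed variant for comparison.

```python
import json

# DLS template copied from the "document-level-security" role in the post.
DLS_TEMPLATE = ('{"bool": {"filter": [{"terms": {"origin_roles": [${user.roles}]}}, '
                '{"terms": {"department_roles": [${user.roles}]}}]}}')

def quoted_csv(values):
    """Render a list as a quoted, comma-separated string: "a","b" ("" for [])."""
    return ",".join(json.dumps(v) for v in values)

def render_dls(template, backend_roles):
    """Expand ${user.roles} in a DLS template and parse the result.

    Assumption: the variable expands to the user's backend roles, not to the
    security roles listed under opendistro_security_roles.
    """
    return json.loads(template.replace("${user.roles}", quoted_csv(backend_roles)))

def matches(query, doc):
    """Evaluate the small query subset used here: bool/filter and terms."""
    if "bool" in query:
        return all(matches(clause, doc) for clause in query["bool"].get("filter", []))
    if "terms" in query:
        (field, wanted), = query["terms"].items()
        have = doc.get(field, [])
        have = have if isinstance(have, list) else [have]
        return any(v in wanted for v in have)  # empty terms list matches nothing
    raise ValueError(f"unsupported clause: {query}")

def visible(doc, template, user):
    """True if the document passes the DLS filter rendered for this user."""
    return matches(render_dls(template, user["backend_roles"]), doc)

# Document and user copied from the post.
DOC = {"id": 1090, "title": "A title",
       "origin_roles": ["origin-character"], "department_roles": ["all_departments"]}
USER = {"backend_roles": [],
        "opendistro_security_roles": ["all_departments", "document-level-security",
                                      "origin-character"]}

# Constructed variant: the same user with the two roles set as backend roles.
USER_WITH_BACKEND = dict(USER, backend_roles=["all_departments", "origin-character"])

if __name__ == "__main__":
    print(json.dumps(render_dls(DLS_TEMPLATE, USER["backend_roles"])))
    print("posted user sees document:", visible(DOC, DLS_TEMPLATE, USER))
    print("with backend roles set:   ", visible(DOC, DLS_TEMPLATE, USER_WITH_BACKEND))
```

Under those assumptions both `terms` lists render empty for the posted user, so the filter excludes every document even though the security roles are assigned.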