How to use roles parameter substitution for DLS

qcoumes · December 12, 2021, 4:41pm

I’m trying to set up Document-Level Security using roles parameter substitution, but I can’t get it to work.

I have the following roles :

{
  "document-level-security": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "dls": "{\"bool\": {\"filter\": [{\"terms\": {\"origin_roles\": [${user.roles}]}}, {\"terms\": {\"department_roles\": [${user.roles}]}}]}}"
      }
    ]
  },

  "all_departments": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": ["read"]
      }
    ],
  },

  "origin-character": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": ["read"]
      }
    ],
  }
}

And the following document :

{
  "id": 1090,
  "title": "A title",
  "origin_roles": ["origin-character"],
  "department_roles": ["all_departments"]
}

I’m trying to search this document using the following user:

{
  "myuser": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": ["all_departments", "document-level-security", "origin-character"],
    "static": false
  }
}

I expected the search to work since the user has both the roles "all_departments" and "origin-character" to match the DLS query in "document-level-security", but I got no result.

Any idea ?

jathin12 · December 13, 2021, 3:25pm

the terms query is trying to match all the all the role array elements in each of the fields.

you may want to update your dls based on the example here

Anthony · December 14, 2021, 2:11pm

@qcoumes I’m not sure if the above is clear, but the dls query needs to be set for a specific index that it refers to. So for example:

"index_permissions": [{
    "index_patterns": [
      "pub*"
    ],
    "dls": "{\"term\": { \"readable_by\": \"${user.name}\"}}",
    "allowed_actions": [
      "read"
    ]

Otherwise the dls limitation is applied to other system indices and fails to work correctly. Hope this helps

Topic		Replies	Views
Document level security - filter does not work Security troubleshoot , configure	4	480	June 1, 2022
Tenants and parameter substitution Security	3	575	November 2, 2020
How is DLS applied when user has multiple roles Security	6	1153	February 2, 2024
Error when specify Document Level Security query in roles Security troubleshoot , upgrade	12	718	August 1, 2022
Configure document level security Security	1	827	May 17, 2021

How to use roles parameter substitution for DLS

Related topics