How to use roles parameter substitution for DLS

I’m trying to set up Document-Level Security using roles parameter substitution, but I can’t get it to work.

I have the following roles:

{
  "document-level-security": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "dls": "{\"bool\": {\"filter\": [{\"terms\": {\"origin_roles\": [${user.roles}]}}, {\"terms\": {\"department_roles\": [${user.roles}]}}]}}"
      }
    ]
  },

  "all_departments": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": ["read"]
      }
    ]
  },

  "origin-character": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": ["*"],
    "index_permissions": [
      {
        "index_patterns": ["*"],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": ["read"]
      }
    ]
  }
}

And the following document:

{
  "id": 1090,
  "title": "A title",
  "origin_roles": ["origin-character"],
  "department_roles": ["all_departments"]
}

I’m trying to search this document using the following user:

{
  "myuser": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": ["all_departments", "document-level-security", "origin-character"],
    "static": false
  }
}

I expected the search to work, since the user has both roles "all_departments" and "origin-character" needed to match the DLS query in "document-level-security", but I got no result.

Any idea?

The terms query is trying to match all the role array elements in each of the fields.

You may want to update your DLS based on the example here.

@qcoumes I’m not sure if the above is clear, but the DLS query needs to be set for the specific index that it refers to. So, for example:

"index_permissions": [{
    "index_patterns": [
      "pub*"
    ],
    "dls": "{\"term\": { \"readable_by\": \"${user.name}\"}}",
    "allowed_actions": [
      "read"
    ]
}]

Otherwise the DLS limitation is applied to other system indices and fails to work correctly. Hope this helps.
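The placeholder expansion and matching behaviour discussed in this thread, as an added example that is not part of the original posts or of the Security plugin's code: a small Python script that expands ${user.name} and ${user.roles} into the DLS templates from the question and from the reply above, checks that the result still parses as JSON, and evaluates it against the sample document with a local stand-in for term/terms/bool. It assumes that ${user.roles} expands to a comma-separated list of quoted role names (which is how the plugin documents the placeholder, and why the template must wrap it in square brackets) and that ${user.name} is inserted verbatim; the evaluator, the helper names and the extra sample documents are constructed for this example.

```python
import json

# Sample data constructed from the question above; nothing here talks to a cluster.
DOC = {
    "id": 1090,
    "title": "A title",
    "origin_roles": ["origin-character"],
    "department_roles": ["all_departments"],
}

# DLS template of the "document-level-security" role in the question.
DLS_ROLES = (
    '{"bool": {"filter": ['
    '{"terms": {"origin_roles": [${user.roles}]}}, '
    '{"terms": {"department_roles": [${user.roles}]}}]}}'
)

# DLS template from the reply: a term query on the user name.
DLS_NAME = '{"term": {"readable_by": "${user.name}"}}'


def substitute(template, user_name, roles):
    """Expand the two placeholders used on this page.

    Assumption: ${user.name} is inserted verbatim and ${user.roles} becomes a
    comma-separated list of quoted role names, so it only yields valid JSON
    when the template already wraps it in [ ... ].
    """
    quoted_roles = ",".join(json.dumps(role) for role in roles)
    return template.replace("${user.name}", user_name).replace("${user.roles}", quoted_roles)


def _field_values(doc, field):
    """Return the field's values as a list so single values and arrays compare alike."""
    value = doc.get(field)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches(query, doc):
    """Local evaluator for the query shapes on this page: term, terms, and bool
    with filter / must / must_not. It stands in for the search engine and is
    not the plugin's implementation."""
    if "term" in query:
        (field, value), = query["term"].items()
        return value in _field_values(doc, field)
    if "terms" in query:
        (field, values), = query["terms"].items()
        # terms matches when ANY of the listed values is present in the field.
        return any(v in values for v in _field_values(doc, field))
    if "bool" in query:
        clauses = query["bool"]

        def group(name):
            entry = clauses.get(name, [])
            return entry if isinstance(entry, list) else [entry]

        return (
            all(matches(q, doc) for q in group("filter"))
            and all(matches(q, doc) for q in group("must"))
            and not any(matches(q, doc) for q in group("must_not"))
        )
    raise ValueError("unsupported query clause: %s" % list(query))


def visible(template, user_name, roles, doc=DOC):
    """Expand the template for one user, check that the result still parses,
    then evaluate it against the document. Returns (parses, matches)."""
    expanded = substitute(template, user_name, roles)
    try:
        query = json.loads(expanded)
    except json.JSONDecodeError:
        return (False, False)
    return (True, matches(query, doc))


if __name__ == "__main__":
    all_three = ["all_departments", "document-level-security", "origin-character"]
    # The question's filter does match the document for myuser once expanded.
    print(visible(DLS_ROLES, "myuser", all_three))
    # Without origin-character the origin_roles clause fails, so the doc is hidden.
    print(visible(DLS_ROLES, "myuser", ["all_departments"]))
    # Quoting the placeholder instead of bracketing it breaks the expanded JSON.
    print(visible('{"terms": {"origin_roles": "${user.roles}"}}', "myuser", all_three))
    # The reply's per-user term query against a document readable by alice only.
    print(visible(DLS_NAME, "alice", [], {"readable_by": "alice"}))
    print(visible(DLS_NAME, "bob", [], {"readable_by": "alice"}))
```

Run stand-alone, the script shows that the question's filter expression, once expanded for a user holding all three roles, does select the sample document, so the shape of the bool/terms query is not by itself what hides it; the remaining differences to check are the ones the replies point at, namely that the DLS is attached to an index pattern of "*" rather than the specific index, and that the reply's example carries an allowed_actions entry which the "document-level-security" role in the question does not. The parse check is worth keeping in any local test of a DLS template: a ${user.roles} placeholder written inside quotes expands to broken JSON as soon as the user has more than one role.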