ElasticSearch X-Pack Security Roles and Field Security


I am using ES 6.2.4 and I am using X-Pack. I register a user with the following roles:

{
    "password" : "changeme",
    "roles" : [  "object_basic", "object_ext" ],
    "full_name" : "FullName",
    "email" : "[email protected]",
    "metadata" : {
        "access_group_ids": ["1", "2", "3"]
    }
}

I have the following security roles.

Object_basic:

{
  "indices": [
    {
      "names": [ "*cases_*" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "case_id","short_name", "type", "status", "owner_department" ]
      },
      "query": "{\"template\":{\"source\":\"{\\\"bool\\\":{\\\"should\\\":[{\\\"terms\\\":{\\\"case_access_owner_group_ids\\\": {{#toJson}}_user.metadata.access_group_ids{{/toJson}}}},{\\\"terms\\\":{\\\"case_access_contributor_group_ids\\\": {{#toJson}}_user.metadata.access_group_ids{{/toJson}} }},{\\\"terms\\\":{\\\"case_access_viewer_group_ids\\\": {{#toJson}}_user.metadata.access_group_ids{{/toJson}} }},{\\\"terms\\\":{\\\"case_access_basic_viewer_group_ids\\\": {{#toJson}}_user.metadata.access_group_ids{{/toJson}}  }} ]}}\"}}"
    }
  ]
}

Object_ext:

{
  "indices": [
    {
      "names": [ "*cases_*" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "name", "description" ]
      },
      "query": "{\"template\":{\"source\":\"{\\\"bool\\\":{\\\"should\\\":[{\\\"terms\\\":{\\\"case_access_owner_group_ids\\\":{{#toJson}}_user.metadata.access_group_ids{{/toJson}}}},{\\\"terms\\\":{\\\"case_access_contributor_group_ids\\\":{{#toJson}}_user.metadata.access_group_ids{{/toJson}}}},{\\\"terms\\\":{\\\"case_access_viewer_group_ids\\\": {{#toJson}}_user.metadata.access_group_ids{{/toJson}}}}]}}\"}}"
    }
  ]
}

The only difference between the two security role queries is that the object_ext query contains one terms criterion less (i.e. case_access_basic_viewer_group_ids).

I ingested some data that contain values like the following:

  "case_access_owner_group_ids": [],
  "case_access_contributor_group_ids": [],
  "case_access_viewer_group_ids": [],
  "case_access_basic_viewer_group_ids": ["2"],

When I assign both roles (object_basic & object_ext) to the user then all of the fields (including the "name", "description") are returned. This is not what I would expect. I would expect that the "name", "description" are NOT returned since only the case_access_basic_viewer_group_ids is NOT included in the object_ext query.

Now if I update the user's roles and I leave only the object_ext then it behaves correctly and returns nothing.

If I update the user's roles and I leave only the object_basic then it does not return the "name", "description".

I want, of course, to have both roles assigned to the user and return the "name", "description" only when the adequate arrays contain valid data in conjunction with the user's metadata array. Now it looks like if the obj_basic role is triggered, it automatically triggers the obj_ext as well.

What am I doing wrong?

There are 1 answers

Investigator On

It looks like, at least for version 6.2.4, it is not possible to have document- and field-level security on the same index, as documented here.

If you need to restrict access to both documents and fields, consider splitting documents by index instead.

This can be a real problem under specific conditions since it could enforce normalization of the model.
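
The behaviour described in the question, as an added example that is not part of the original question or answer and is not Elasticsearch code: a small Python model assuming that roles on the same index are merged by ORing their document-level queries and unioning their field grants, each independently of the other. The function names and the sample document's non-ACL values are constructed for illustration.

```python
# Simplified model (an assumption of this example, not Elasticsearch code) of how
# roles on the same index are merged: document-level queries are combined with OR,
# field grants are unioned, and the two are evaluated independently of each other.

USER_GROUPS = {"1", "2", "3"}  # _user.metadata.access_group_ids from the question

# Each role: the ACL fields its "terms" clauses test, and the fields it grants.
ROLES = {
    "object_basic": {
        "acl_fields": ["case_access_owner_group_ids", "case_access_contributor_group_ids",
                       "case_access_viewer_group_ids", "case_access_basic_viewer_group_ids"],
        "grant": ["case_id", "short_name", "type", "status", "owner_department"],
    },
    "object_ext": {
        "acl_fields": ["case_access_owner_group_ids", "case_access_contributor_group_ids",
                       "case_access_viewer_group_ids"],
        "grant": ["name", "description"],
    },
}

# Constructed sample document; the ACL arrays are the ones shown in the question.
DOC = {
    "case_id": "c-1", "short_name": "demo", "name": "Demo case", "description": "text",
    "case_access_owner_group_ids": [], "case_access_contributor_group_ids": [],
    "case_access_viewer_group_ids": [], "case_access_basic_viewer_group_ids": ["2"],
}

def role_matches(role, doc, groups):
    """bool/should of terms clauses: true if any ACL array shares a group with the user."""
    return any(groups & set(doc.get(f, [])) for f in role["acl_fields"])

def merged_view(role_names, doc, groups=USER_GROUPS):
    """Modelled merge: OR of all role queries, then union of all field grants."""
    roles = [ROLES[n] for n in role_names]
    if not any(role_matches(r, doc, groups) for r in roles):
        return None  # document filtered out
    granted = set().union(*(r["grant"] for r in roles))
    return {k: v for k, v in doc.items() if k in granted}

def per_role_view(role_names, doc, groups=USER_GROUPS):
    """What the question expected: a role's fields count only if that role's query matches."""
    granted = set()
    for r in (ROLES[n] for n in role_names):
        if role_matches(r, doc, groups):
            granted |= set(r["grant"])
    return {k: v for k, v in doc.items() if k in granted} or None
```

With both roles, `merged_view` returns "name" and "description" for the sample document because object_basic's query admits the document and object_ext's grant is applied regardless of object_ext's own query; `per_role_view` shows the result the question expected.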