Document Level Security on clusters?

peter · August 29, 2018, 10:12am

Hello,

Does ROR (ES) need to be installed on all nodes in a cluster, for Document Level Security to work?

I have a filter like this to only allow documents with the tag “foo”:

filter: '{"query_string":{"query":"tags: foo"}}'

But other documents are returned that doesn’t have this tag.

I can make it work if I run it on a single node cluster, but not in a multi node cluster. In the multi node cluster, Kibana only connects to localhost (coordinating node) and no other nodes.

This thread regarding Field Level Security, seems to indicate that ROR needs to be installed on all nodes:

I am running ES/Kibana 6.3.2 and ROR 1.6.23/ROR_kbn_enterprise 1.16.23.

Thanks,

Peter

sscarduzio · August 29, 2018, 2:42pm

Hi @peter,

The filter and fields rule modify the behaviour of the default Lucene reader. This means that yes, you need to have ROR in all nodes in which you have data if you need to use one of these rules.

peter · August 29, 2018, 2:50pm

Thanks for the clarification Simone,

My understanding was that ROR only needs to be installed on the HTTP nodes, and that seems to be the case in most situations.

You might want to update the documentation regarding DLS and TLS, to make this clearer.

Best regards,

Peter

sscarduzio · August 29, 2018, 2:51pm

I completely agree, Peter. Will do this now.

EDIT: documentation updated! Thanks Peter