I’m trying to configure RoR to not let particular users see all data in a given document, but can’t get it to work correctly. I have used this simple setup for testing:
readonlyrest:
  enable: true
  response_if_req_forbidden: Access denied
  audit_collector: true
  audit_index_template: "'access-log'-yyyy-MM" # <--monthly pattern
  access_control_rules:
  - name: EVERYONE
    type: allow
    actions: ["cluster:monitor/health","cluster:monitor/main"]
  - name: Superuser access
    type: allow
    actions: ["*"]
    indices: ["*"]
    proxy_auth:
      users: ["superuser"]
  - name: Test restricted access
    type: allow
    actions: ["indices:data/read/*"]
    indices: ["test"]
    fields: [
      "~items.endDate",
      "~secrets*"
    ]
    proxy_auth:
      users: ["restricted"]
Added a document to a test index:
curl -s -XPOST -H 'Content-Type: application/json' -u 'superuser:superuser' https://server/test/_doc/1 -d '{
  "id": 1,
  "items": [
    {"itemId": 1, "text": "text1", "startDate": "2019-05-22", "endDate": "2019-07-31"},
    {"itemId": 2, "text": "text2", "startDate": "2019-05-22", "endDate": "2019-06-30"},
    {"itemId": 3, "text": "text3", "startDate": "2019-05-22", "endDate": "2019-09-30"}
  ],
  "secrets": [
    {"key": 1, "text": "secret1"},
    {"key": 2, "text": "secret2"}
  ]
}'
But when I try to access the document as user restricted, I get the following returned:
curl -s -XGET -H 'Content-Type: application/json' -u 'restricted:restricted' https://server/test/_doc/1?pretty
{
  "_index" : "test",
  "_type" : "_doc",
  "_id" : "1",
  "_version" : 1,
  "_seq_no" : 0,
  "_primary_term" : 1,
  "found" : true,
  "_source" : {
    "id" : 1,
    "items" : [
      {
        "itemId" : 1,
        "endDate" : "2019-07-31",
        "text" : "text1",
        "startDate" : "2019-05-22"
      },
      {
        "itemId" : 2,
        "endDate" : "2019-06-30",
        "text" : "text2",
        "startDate" : "2019-05-22"
      },
      {
        "itemId" : 3,
        "endDate" : "2019-09-30",
        "text" : "text3",
        "startDate" : "2019-05-22"
      }
    ]
  }
}
So, as expected, the "secrets" part of the document is not returned, but unexpectedly all instances of "items.endDate" are. Am I doing something wrong, or is this not supported?
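As an added illustration (not part of the question and not ReadonlyREST's own code), the Python below applies the blacklist semantics the "fields" rule above is asking for, so the output shows what the restricted user's _source would look like if a dotted path such as items.endDate were matched against every element of the items array. It assumes blacklist-only rules (every entry prefixed with ~) and plain glob matching via fnmatch; both the rule list and the document are taken from the question.

```python
import fnmatch
import json

# Constructed inputs: the "fields" rule of the "Test restricted access"
# block and the _source of the document POSTed in the question.
FIELD_RULES = ["~items.endDate", "~secrets*"]
SAMPLE_SOURCE = {
    "id": 1,
    "items": [
        {"itemId": 1, "text": "text1", "startDate": "2019-05-22", "endDate": "2019-07-31"},
        {"itemId": 2, "text": "text2", "startDate": "2019-05-22", "endDate": "2019-06-30"},
        {"itemId": 3, "text": "text3", "startDate": "2019-05-22", "endDate": "2019-09-30"},
    ],
    "secrets": [{"key": 1, "text": "secret1"}, {"key": 2, "text": "secret2"}],
}


def blacklist_patterns(rules):
    """Strip the leading '~' from every rule. Only all-blacklist lists are
    handled here (assumption); a plain whitelist entry is rejected."""
    if any(not r.startswith("~") for r in rules):
        raise ValueError("mixed whitelist/blacklist field rules are not handled here")
    return [r[1:] for r in rules]


def _prune(node, prefix, patterns):
    # Objects: drop every key whose dotted path matches a pattern
    # ("secrets*" removes the whole "secrets" array), recurse into the rest.
    if isinstance(node, dict):
        kept = {}
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if any(fnmatch.fnmatchcase(path, p) for p in patterns):
                continue
            kept[key] = _prune(value, path, patterns)
        return kept
    # Arrays add no path segment of their own: each element of "items" is
    # still addressed as "items", so "items.endDate" hits every element.
    if isinstance(node, list):
        return [_prune(elem, prefix, patterns) for elem in node]
    return node


def filter_source(source, rules):
    """Return a filtered copy of a _source document under blacklist field rules."""
    return _prune(source, "", blacklist_patterns(rules))


if __name__ == "__main__":
    print(json.dumps(filter_source(SAMPLE_SOURCE, FIELD_RULES), indent=2))
```

Running it prints the three items without any endDate and no secrets key at all, which is the response the configuration in the question is meant to produce.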