Issue with fields

mfoldbjerg · May 22, 2019, 11:32pm

I’m trying to configure RoR to not let particular users see all data in a given document, but can’t get it to work correctly. I have used this simple setup for testing:

readonlyrest:
enable: true
response_if_req_forbidden: Access denied

audit_collector: true
audit_index_template: "'access-log'-yyyy-MM"  # <--monthly pattern

access_control_rules:

- name: EVERYONE
  type: allow
  actions: ["cluster:monitor/health","cluster:monitor/main"]

- name: Superuser access
  type: allow
  actions: ["*"]
  indices: ["*"]
  proxy_auth:
    users: ["superuser"]

- name: Test restricted access
  type: allow
  actions: ["indices:data/read/*"]
  indices: ["test"]
  fields: [
    "~items.endDate",
    "~secrets*"
  ]
  proxy_auth:
    users: ["restricted"]

Added a document to a test index:

curl -s -XPOST -H ‘Content-Type: application/json’ -u ‘superuser:superuser’ https://server/test/_doc/1 -d ‘{
“id”:1,
“items”: [
{“itemId”: 1, “text”:“text1”,“startDate”:“2019-05-22”,“endDate”:“2019-07-31”},
{“itemId”: 2, “text”:“text2”,“startDate”:“2019-05-22”,“endDate”:“2019-06-30”},
{“itemId”: 3, “text”:“text3”,“startDate”:“2019-05-22”,“endDate”:“2019-09-30”}
],
“secrets”: [
{“key”:1, “text”:“secret1”},
{“key”:2, “text”:“secret2”}
]
}’

But when I try to access the document as user restricted, I get the following returned:

curl -s -XGET -H ‘Content-Type: application/json’ -u ‘restricted:restricted’ https://server/test/_doc/1?pretty
{
“_index” : “test”,
“_type” : “_doc”,
“_id” : “1”,
“_version” : 1,
“_seq_no” : 0,
“_primary_term” : 1,
“found” : true,
“_source” : {
“id” : 1,
“items” : [
{
“itemId” : 1,
“endDate” : “2019-07-31”,
“text” : “text1”,
“startDate” : “2019-05-22”
},
{
“itemId” : 2,
“endDate” : “2019-06-30”,
“text” : “text2”,
“startDate” : “2019-05-22”
},
{
“itemId” : 3,
“endDate” : “2019-09-30”,
“text” : “text3”,
“startDate” : “2019-05-22”
}
]
}
}

so as expected the “secrets” part of the document is not returned, but unexpectedly all instances of “items.endDate” are. Am I doing something wrong or is this not supported?

sscarduzio · May 23, 2019, 1:28am

Hi @mfoldbjerg,

The support for nested items in field level security is already in our Jira. It’s in the next sprint, so I believe it should be available in a month or so.

mfoldbjerg · May 23, 2019, 6:38am

Hi @sscarduzio,

Thanks for the prompt reply. That definitely sounds great. Just to be on the safe side. So support will be added for blacklisting up til “index.mapping.depth.limit” depth (default: 20)? Not that any of the documents we’re planning will be that deeply nested, but currently we are around 7 levels deep at most, so support for something like “~item.nested1.nested2.nested3.nested4.*” would be super.

sscarduzio · May 23, 2019, 2:42pm

@coutoPL does this sound ok?

mfoldbjerg · June 20, 2019, 12:16pm

Hi @sscarduzio,

Are there any news regarding this feature ? When might it be available ?

Thanks,
Michael

sscarduzio · June 20, 2019, 4:34pm

It’s the second task in the line in the current sprint.

esmann · August 6, 2019, 10:57am

Hi @sscarduzio,

Has this feature been released?
If not is there an ETA for when it will be released?

sscarduzio · August 6, 2019, 8:57pm

@esmann sorry for the delay on this, but we discovered two security bugs that took priority

Will try to squeeze this in for next week.

esmann · August 20, 2019, 7:23am

Any news on this?

sscarduzio · August 20, 2019, 8:58am

@coutoPL do you have an estimate on when we can expect this?

coutoPL · August 20, 2019, 3:48pm

This is next task, so it should be done this month for sure.

AndersBruun · September 9, 2019, 6:59am

Any news with regards to this? - some sort of release outlook would be highly appreciated! We have some impatient external clients whom we cannot service until we have the fix - and we have been putting them off for more than 3 months now…

sscarduzio · September 10, 2019, 10:43am

@AndersBruun, this issue is being currently being worked on.

coutoPL · September 22, 2019, 4:27pm

the improvement is almost ready:

sscarduzio · September 24, 2019, 3:04am

@AndersBruun @esmann @mfoldbjerg is any of you available for a pre-release early access to this feature? Would be amazing to have your feedback. Once again, sorry for the delay.

mfoldbjerg · September 24, 2019, 9:05am

Not a problem - will be glad to try it out

coutoPL · September 24, 2019, 5:28pm

what ES version do you use? I’ll send proper build

mfoldbjerg · September 24, 2019, 6:08pm

version 6.6.2 and 6.8.3 (different clusters)

mfoldbjerg · September 26, 2019, 9:40am

Any ETA on the builds?

coutoPL · September 26, 2019, 4:02pm

sorry, yesterday we figured out that we have regression bug, so I didn’t want to send you build with the bug. Now it is fixed, so here are the builds:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.7/readonlyrest-1.18.7_es6.6.2.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20190926/eu-west-1/s3/aws4_request&X-Amz-Date=20190926T160012Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=9567870da83f075bbcce9688cd4b6e852ed47196ed3aee12daf7108f1317c311

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.7/readonlyrest-1.18.7_es6.8.3.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20190926/eu-west-1/s3/aws4_request&X-Amz-Date=20190926T160033Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c11ecd37d9d7a810e5bbc15aec80d8e39bd7cda67942993442ce6be00888971d