Issue with fields

I’m trying to configure RoR to not let particular users see all data in a given document, but can’t get it to work correctly. I have used this simple setup for testing:

readonlyrest:
  enable: true
  response_if_req_forbidden: Access denied

  audit_collector: true
  audit_index_template: "'access-log'-yyyy-MM"  # <--monthly pattern

  access_control_rules:

  - name: EVERYONE
    type: allow
    actions: ["cluster:monitor/health","cluster:monitor/main"]

  - name: Superuser access
    type: allow
    actions: ["*"]
    indices: ["*"]
    proxy_auth:
      users: ["superuser"]

  - name: Test restricted access
    type: allow
    actions: ["indices:data/read/*"]
    indices: ["test"]
    fields: [
      "~items.endDate",
      "~secrets*"
    ]
    proxy_auth:
      users: ["restricted"]

Added a document to a test index:

curl -s -XPOST -H 'Content-Type: application/json' -u 'superuser:superuser' https://server/test/_doc/1 -d '{
  "id": 1,
  "items": [
    {"itemId": 1, "text": "text1", "startDate": "2019-05-22", "endDate": "2019-07-31"},
    {"itemId": 2, "text": "text2", "startDate": "2019-05-22", "endDate": "2019-06-30"},
    {"itemId": 3, "text": "text3", "startDate": "2019-05-22", "endDate": "2019-09-30"}
  ],
  "secrets": [
    {"key": 1, "text": "secret1"},
    {"key": 2, "text": "secret2"}
  ]
}'

But when I try to access the document as user restricted, I get the following returned:

curl -s -XGET -H 'Content-Type: application/json' -u 'restricted:restricted' https://server/test/_doc/1?pretty
{
  "_index" : "test",
  "_type" : "_doc",
  "_id" : "1",
  "_version" : 1,
  "_seq_no" : 0,
  "_primary_term" : 1,
  "found" : true,
  "_source" : {
    "id" : 1,
    "items" : [
      {
        "itemId" : 1,
        "endDate" : "2019-07-31",
        "text" : "text1",
        "startDate" : "2019-05-22"
      },
      {
        "itemId" : 2,
        "endDate" : "2019-06-30",
        "text" : "text2",
        "startDate" : "2019-05-22"
      },
      {
        "itemId" : 3,
        "endDate" : "2019-09-30",
        "text" : "text3",
        "startDate" : "2019-05-22"
      }
    ]
  }
}

So, as expected, the "secrets" part of the document is not returned, but unexpectedly all instances of "items.endDate" are. Am I doing something wrong, or is this not supported?
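The post above shows the gap between what the `fields` blacklist is meant to do and what came back. The script below is an added example (not ReadonlyREST code, and not from the original post) that models the intended semantics of a blacklist rule such as `fields: ["~items.endDate", "~secrets*"]`: a leading `~` denies a dotted path, `*` is a glob, and arrays add no path segment, so `items.endDate` must cover every element of `items`. Paths are matched with `fnmatch` as an assumption about how ROR interprets the wildcard. `apply_blacklist` produces the `_source` a restricted user should see, and `leaked_paths` is the check to run over the `_source` actually returned: it lists the blacklisted paths that are still present. The sample document and the returned `_source` are constructed from the post; the filter itself works at any nesting depth, not only the two levels in this thread.

```python
"""Offline model of a ReadonlyREST-style field blacklist (added example).

Encodes what fields: ["~items.endDate", "~secrets*"] is expected to do:
strip every matching dotted path from _source at any depth, descending
through arrays as well as objects. leaked_paths() reports which
blacklisted paths are still present in the _source a restricted user
actually received. Glob matching via fnmatch is an assumption.
"""
import fnmatch

# Constructed sample: the document indexed as superuser in the post.
DOC = {
    "id": 1,
    "items": [
        {"itemId": 1, "text": "text1", "startDate": "2019-05-22", "endDate": "2019-07-31"},
        {"itemId": 2, "text": "text2", "startDate": "2019-05-22", "endDate": "2019-06-30"},
        {"itemId": 3, "text": "text3", "startDate": "2019-05-22", "endDate": "2019-09-30"},
    ],
    "secrets": [
        {"key": 1, "text": "secret1"},
        {"key": 2, "text": "secret2"},
    ],
}

# The fields rule from the "Test restricted access" ACL block (leading "~" = deny).
FIELDS_RULE = ["~items.endDate", "~secrets*"]

# Constructed from the response in the post: secrets gone, items.endDate still there.
RETURNED_TO_RESTRICTED = {k: v for k, v in DOC.items() if k != "secrets"}


def deny_globs(fields_rule):
    """Turn a blacklist-style fields rule into plain glob patterns."""
    if not all(f.startswith("~") for f in fields_rule):
        raise ValueError("this example models blacklist ('~') rules only")
    return [f[1:] for f in fields_rule]


def matches(path, globs):
    """Does a dotted path match any glob (e.g. 'secrets.key' vs 'secrets*')?"""
    return any(fnmatch.fnmatchcase(path, g) for g in globs)


def apply_blacklist(value, globs, prefix=""):
    """Copy of value with every matching path removed, at any nesting depth.

    Arrays add no path segment, so each element of `items` is checked as
    'items.<key>', which is what ~items.endDate is meant to cover.
    """
    if isinstance(value, dict):
        kept = {}
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            if not matches(path, globs):
                kept[key] = apply_blacklist(child, globs, path)
        return kept
    if isinstance(value, list):
        return [apply_blacklist(item, globs, prefix) for item in value]
    return value


def field_paths(value, prefix=""):
    """Every dotted object-key path present in a document."""
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path
            yield from field_paths(child, path)
    elif isinstance(value, list):
        for item in value:
            yield from field_paths(item, prefix)


def leaked_paths(returned_source, fields_rule):
    """Blacklisted paths still present in what the restricted user got back.

    Only the outermost matching path is reported (secrets, not secrets.key).
    """
    globs = deny_globs(fields_rule)
    leaked = set()
    for path in set(field_paths(returned_source)):
        parts = path.split(".")
        ancestors = (".".join(parts[:i]) for i in range(1, len(parts)))
        if matches(path, globs) and not any(matches(a, globs) for a in ancestors):
            leaked.add(path)
    return sorted(leaked)


if __name__ == "__main__":
    import json
    print("expected _source for 'restricted':")
    print(json.dumps(apply_blacklist(DOC, deny_globs(FIELDS_RULE)), indent=2))
    print("leaked in the actual response:", leaked_paths(RETURNED_TO_RESTRICTED, FIELDS_RULE))
```

Run it as-is and `leaked_paths` reports `['items.endDate']` for the response in the post, which is exactly the nested-field case the rule did not cover; feeding it the `_source` from a GET as the restricted user (after `json.loads`) turns this into a regression check to re-run once nested-field support lands. A `~secrets*` pattern also drops `secrets.key` and `secrets.text` as a side effect of removing their parent, so a whitelist entry cannot re-expose a child of a denied parent in this model.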

Hi @mfoldbjerg,

The support for nested items in field level security is already in our Jira. It’s in the next sprint, so I believe it should be available in a month or so.

Hi @sscarduzio,

Thanks for the prompt reply. That definitely sounds great. Just to be on the safe side: so support will be added for blacklisting up to "index.mapping.depth.limit" depth (default: 20)? Not that any of the documents we're planning will be that deeply nested, but currently we are around 7 levels deep at most, so support for something like "~item.nested1.nested2.nested3.nested4.*" would be super.

@coutoPL does this sound ok?

Hi @sscarduzio,

Is there any news regarding this feature? When might it be available?

Thanks,
Michael

It's the second task in line in the current sprint.