Issue with fields

I’m trying to configure RoR to not let particular users see all data in a given document, but can’t get it to work correctly. I have used this simple setup for testing:

readonlyrest:
enable: true
response_if_req_forbidden: Access denied

audit_collector: true
audit_index_template: "'access-log'-yyyy-MM"  # <--monthly pattern

access_control_rules:

- name: EVERYONE
  type: allow
  actions: ["cluster:monitor/health","cluster:monitor/main"]

- name: Superuser access
  type: allow
  actions: ["*"]
  indices: ["*"]
  proxy_auth:
    users: ["superuser"]

- name: Test restricted access
  type: allow
  actions: ["indices:data/read/*"]
  indices: ["test"]
  fields: [
    "~items.endDate",
    "~secrets*"
  ]
  proxy_auth:
    users: ["restricted"]

Added a document to a test index:

curl -s -XPOST -H ‘Content-Type: application/json’ -u ‘superuser:superuser’ https://server/test/_doc/1 -d ‘{
“id”:1,
“items”: [
{“itemId”: 1, “text”:“text1”,“startDate”:“2019-05-22”,“endDate”:“2019-07-31”},
{“itemId”: 2, “text”:“text2”,“startDate”:“2019-05-22”,“endDate”:“2019-06-30”},
{“itemId”: 3, “text”:“text3”,“startDate”:“2019-05-22”,“endDate”:“2019-09-30”}
],
“secrets”: [
{“key”:1, “text”:“secret1”},
{“key”:2, “text”:“secret2”}
]
}’

But when I try to access the document as user restricted, I get the following returned:

curl -s -XGET -H ‘Content-Type: application/json’ -u ‘restricted:restricted’ https://server/test/_doc/1?pretty
{
“_index” : “test”,
“_type” : “_doc”,
“_id” : “1”,
“_version” : 1,
“_seq_no” : 0,
“_primary_term” : 1,
“found” : true,
“_source” : {
“id” : 1,
“items” : [
{
“itemId” : 1,
“endDate” : “2019-07-31”,
“text” : “text1”,
“startDate” : “2019-05-22”
},
{
“itemId” : 2,
“endDate” : “2019-06-30”,
“text” : “text2”,
“startDate” : “2019-05-22”
},
{
“itemId” : 3,
“endDate” : “2019-09-30”,
“text” : “text3”,
“startDate” : “2019-05-22”
}
]
}
}

so as expected the “secrets” part of the document is not returned, but unexpectedly all instances of “items.endDate” are. Am I doing something wrong or is this not supported?

Hi @mfoldbjerg,

The support for nested items in field level security is already in our Jira. It’s in the next sprint, so I believe it should be available in a month or so.

Hi @sscarduzio,

Thanks for the prompt reply. That definitely sounds great. Just to be on the safe side. So support will be added for blacklisting up til “index.mapping.depth.limit” depth (default: 20)? Not that any of the documents we’re planning will be that deeply nested, but currently we are around 7 levels deep at most, so support for something like “~item.nested1.nested2.nested3.nested4.*” would be super.

@coutoPL does this sound ok?

Hi @sscarduzio,

Are there any news regarding this feature ? When might it be available ?

Thanks,
Michael

It’s the second task in the line in the current sprint.

Hi @sscarduzio,

Has this feature been released?
If not is there an ETA for when it will be released?

@esmann sorry for the delay on this, but we discovered two security bugs that took priority :frowning_face:

Will try to squeeze this in for next week.

Any news on this? :slight_smile:

@coutoPL do you have an estimate on when we can expect this?

This is next task, so it should be done this month for sure.

Any news with regards to this? - some sort of release outlook would be highly appreciated! We have some impatient external clients whom we cannot service until we have the fix - and we have been putting them off for more than 3 months now…

@AndersBruun, this issue is being currently being worked on.