Test with FLS (Field Level Security) not working

Hello,
I wanted to test the Field Level Security feature with version 1.16.20_es6.2.4

I have the following config:

- name: test with FLS
  type: allow
  auth_key_sha256: 3fc024c352d161d0603230608d883b58ece6f76f4fa6457a3a19ee3e6035db51
  fields: ["~price"]
  indices: ["test_*"]
  verbosity: info

I see the following in the log
ALLOWED by { name: ‘test with FLS’, policy: ALLOW} req={ ID:935108978-1233956613#41, TYP:GetRequest, CGR:N/A, USR:acm_test_ro, BRS:true, KDX:null, ACT:indices:data/read/get, OA:172.31.0.70, DA:157.168.95.17, IDX:test_xfwb, MET:GET, PTH:/test_xfwb/_doc/3, CNT:<N/A>, HDR:{Authorization=, content-length=0, Connection=Keep-Alive, User-Agent=Apache-HttpClient/4.1.1 (java 1.5), Host=ch13x467:9200, Accept-Encoding=gzip,deflate}, HIS:[test with FLS->[auth_key_sha256->true, indices->true, fields->true]] }

But the response contains the field price:
GET /test_xfwb/_doc/3
{
“_index”: “test_xfwb”,
“_type”: “_doc”,
“_id”: “3”,
“_version”: 3,
“found”: true,
“_source”: {
“price”: 1222,
“name”: “Jeff”
}
}

Am I doing something wrong? :flushed:

I just tried this on my ES 6.2.4 environment:
With settings:

  access_control_rules:

  - name: kibanaserver
    auth_key: kibana:kibana
    verbosity: error

  - name: test with FLS
    type: allow
    auth_key: simone:dev
    fields: ["~price"]

Tested with curl:

# Creation of document with fields "a", and "price"
$ curl -H"Content-Type: application/json" -XPUT -k "https://localhost:9200/index2/doc/1" -d'{"a":1, "price":22}' -ukibana:kibana
{"_index":"index2","_type":"doc","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}

# Get document as kibana -> comes down "a" and "price"
$ curl -H"Content-Type: application/json" -XGET -k "https://localhost:9200/index2/doc/1"  -ukibana:kibana
{"_index":"index2","_type":"doc","_id":"1","_version":1,"found":true,"_source":{"a":1, "price":22}}

# Get document as simone -> only comes down "a"
 curl -H"Content-Type: application/json" -XGET -k "https://localhost:9200/index2/doc/1"  -usimone:dev
{"_index":"index2","_type":"doc","_id":"1","_version":1,"found":true,"_source":{"a":1}}

I also tried to query again alternating the two roles, and there is no cache related issue either.

Could you try enabling debug logs (rootLogger=debug in log4j2.properties)

My bad,
this issue is solved. I didn’t apply the same configuration on all my cluster nodes but only on a single node :frowning:

I though that the filtering would be done on the node replying to the query…

Thank you for your quick answer !

Jeff.

1 Like