Wildcard in DLS filter gives error?

ronald.vanboven · May 12, 2020, 3:48pm

ES 6.8.0
Kibana 6.8.0
RoR 1.19.4

I try to build a filter where we use wildcard or prefix in the DLS filter in RoR config, see below:

  - name: "Test met filters kibana access"
    auth_key: test_filter:xxx
    kibana_access: ro
    indices: [".kibana_2", ".kibana_1", ".kibana"]
    
  - name: "Test met filters"
    auth_key: test_filter:xxx
    indices: ["readonlyrest_audit-*"]
    filter: '{"bool":{"minimum_should_match":1,"should":[{"match":{"user.keyword":"nokibana"}},{"wildcard":{"action.keyword":"cluster*"}}]}}'
    actions: ["indices:data/read/*", "indices:admin/mappings/fields/get", "indices:admin/mappings/get"]

If I try to open the relevant dashboard or discover all shards fail with with the exception:
java.lang.UnsupportedOperationException: Query action.keyword:cluster* does not implement createWeight

Question 1: Is doing this supported?
If yes, question 2:
Why does this not work? Am I doing something wrong?
If no, question 2:
Are there good alternatives? Maybe I need to do this via filtered aliasses or something?

Practical use case:
I have a data set with a lot of HTTP traffic. I want to give a user access only to traffic where the hostname begins with a certain text.
(The above config is from a testing environment to check behaviour)

sscarduzio · May 13, 2020, 3:32pm

@pondzix can you help @ronald.vanboven?

pondzix · May 14, 2020, 3:42pm

Hi @ronald.vanboven

Your query in filter is fine, but currently RoR doesn’t support wildcards in this rule. We’re now working on this - wildcards in filter won’t be a problem in next RoR release. We will provide you with working build as soon as it’s ready

ronald.vanboven · May 18, 2020, 8:25am

Perfect, thank you.
Can you also make sure prefix works?

winnie · May 19, 2020, 2:16pm

Hi @sscarduzio
We also encountered the same problem. When will the RoR version supporting wildcards be released? Thank you very much!

sscarduzio · May 19, 2020, 2:36pm

Hello @winnie

@pondzix is currently at work in a radical refactor of the filter and fields rule that should put ROR ahead of any competitor solution in term of performance, and lift the requirement to have ROR installed in all ES nodes.

The support for variables in the fields rule is part of this refactor. It will be included in the next release: 1.20.0.

winnie · May 19, 2020, 2:50pm

Hello @sscarduzio
This is really good news. I look forward to the release of version 1.20.0.
Thank you for your reply!

pondzix · May 26, 2020, 2:27pm

Hi @ronald.vanboven we have a working pre-release ROR version:

http://readonlyrest-data.s3.amazonaws.com/build/1.20.0-pre4/readonlyrest-1.20.0-pre4_es6.8.0.zip?AWSAccessKeyId=AKIA5SJIWBO54AGBERLX&Expires=1591107741&Signature=uUX1pCHMSFipmgu8A1XYucoZ%2Bc8%3D

You can test if wildcards/prefix in filter rule work

@winnie What ES version do you have? I can send you link to pre-build as well.

winnie · May 27, 2020, 5:45am

Hi @pondzix
The ES version we use are 7.6.2 and 7.7.0, Thank you!

ronald.vanboven · May 27, 2020, 8:44am

@pondzix We are in the middle of upgrading from 6.8.0 to 7.6.2 and we still need to upgrade from 1.19.4 to 1.19.5
I currently don’t have any test environment available anymore to test this right now

pondzix · May 28, 2020, 7:45pm

@winnie
7.6.2:
http://readonlyrest-data.s3.amazonaws.com/build/1.20.0-pre4/readonlyrest-1.20.0-pre4_es7.6.2.zip?AWSAccessKeyId=AKIA5SJIWBO54AGBERLX&Expires=1591299772&Signature=FUWhnCDPvgLlvHsz8Nd2cXe5BMg%3D

7.7.0:
http://readonlyrest-data.s3.amazonaws.com/build/1.20.0-pre4/readonlyrest-1.20.0-pre4_es7.7.0.zip?AWSAccessKeyId=AKIA5SJIWBO54AGBERLX&Expires=1591299785&Signature=SkG1cjNjbVGFtSBlMWth3VZtA6Q%3D