[DOC] Getting exception while indexing document with user having role with document level security enabled #1273
Comments
@peternied Hi Peter, Could you please confirm if you are looking into this issue? |
Hi @swapnilsvaidya I am not currently looking into this issue, and it has been added to our work queue. If you would like to create a pull request the maintainers and I would gladly review it. |
I haven't seen the corresponding comment in the OpenSearch Security documentation, but e.g. Search Guard explicitly declares that roles with DLS enabled mustn't have write access: https://docs.search-guard.com/latest/document-level-security#dls-and-write-access I presume the same applies for OpenSearch Security and needs to be documented (and maybe enforced by a check in a new major release?) |
@opensearch-project/transfer-request This looks like a documentation issue. Could you transfer it to the documentation repo? Thanks! |
@cliu123: It seems that your transfer request hasn't happened yet. Would it make sense to instead raise a new, well-described issue in the documentation repo and then close this one here with a reference to the new one? |
In the right repo now. |
Hi Chris, can you please follow up with the security team to see what needs to be documented here? Thanks. |
@cwillum A little more context: when users have a DLS/FLS rule assigned to them, this is in effect saying "This user XYZ should never see documents with these value(s) or be able to see these fields". If that same user has permissions to add/modify documents in an index with DLS/FLS rules, it directly contradicts the cluster security configuration. |
Hi @peternied , can you please help make the update to the file, and is the appropriate file https://github.com/opensearch-project/documentation-website/blob/main/_security/access-control/document-level-security.md? Thanks! |
@hdhalter I can look at this one |
@hdhalter I am not able to reproduce this issue with OS 2.13. It seems this was updated in the code, as the user is able to index with a role that has DLS and upon query only receives the relevant results based on the DLS configured. |
Thanks, @AntonEliatra ! I am closing this issue. |
If this behaviour changed (@peternied: was that intentional?), it should nevertheless be documented what needs to be looked out for and what can/cannot be done now. |
The same behaviour is seen in OS 1.3: using DLS and FLS, the user is able to index any information but is only able to retrieve the details that are permitted via DLS/FLS. |
Then I don't think that anything changed, and the rule still is that there must be no DLS if you're indexing data (but this has to be confirmed by the security plugin team). @hdhalter: please re-open the issue. |
@rursprung but the user is able to index with DLS/FLS enabled, I don't follow |
@peternied , @scrawfor99 |
By design, there should be nothing preventing the user from indexing anything; DLS/FLS is only applied during search/retrieval of data. |
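As an added example (not from this issue or the OpenSearch project), a `roles.yml` fragment contrasting a DLS role that also carries write permissions with the read/write split recommended in the thread: because the DLS filter is applied only on search, a user in the first role can index documents they will never be able to retrieve. Role names, the index pattern and the DLS query are constructed for illustration.

```yaml
_meta:
  type: "roles"
  config_version: 2

# Problematic: the DLS filter limits what this role can READ, but "crud"
# also grants writes, so the user can index documents that the filter
# later hides from them (the contradiction described in the thread).
hr_dls_and_write:
  index_permissions:
    - index_patterns:
        - "employees-*"
      dls: '{"term": {"department": "hr"}}'   # constructed filter
      allowed_actions:
        - "crud"

# Recommended split, part 1: the DLS filter stays on a read-only role.
hr_dls_read:
  index_permissions:
    - index_patterns:
        - "employees-*"
      dls: '{"term": {"department": "hr"}}'   # same constructed filter
      allowed_actions:
        - "read"

# Part 2: write access lives on a separate role with no DLS/FLS at all,
# so no role both filters reads and permits writes to the same index.
employees_writer:
  index_permissions:
    - index_patterns:
        - "employees-*"
      allowed_actions:
        - "write"
```

Map identities to `hr_dls_read` or `employees_writer` as needed; a single identity should not end up with both a DLS-filtered read role and a write role on the same index pattern.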
Based on the documentation, I think @AntonEliatra is correct. If someone wants to share the configuration they were able to reproduce the issue with then I can try to help them debug the issue. Otherwise, I think things are correct as is and suspect this was a configuration issue at the time of its filing. |
Note that we never had an exception (it wasn't us raising the issue), but we were very clearly told by floragunn (CC @nibix) that we should never use a user with a DLS role to index data (and it's still in their Search Guard documentation, and since SG & OS-security are closely related the reasoning & behaviour should be the same?). |
So, IMHO, the situation is like this:
Signed-off-by: AntonEliatra <[email protected]>
* Adding DLS with write permission recommendation #1273 Signed-off-by: AntonEliatra <[email protected]> * Update _security/access-control/document-level-security.md Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]> --------- Signed-off-by: AntonEliatra <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]>
* Adding DLS with write permission recommendation #1273 Signed-off-by: AntonEliatra <[email protected]> * Update _security/access-control/document-level-security.md Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]> --------- Signed-off-by: AntonEliatra <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]> (cherry picked from commit 8fffcbc) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
… (opensearch-project#7668) * Adding DLS with write permission recommendation opensearch-project#1273 Signed-off-by: AntonEliatra <[email protected]> * Update _security/access-control/document-level-security.md Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]> --------- Signed-off-by: AntonEliatra <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: [email protected] <[email protected]>
… (opensearch-project#7668) * Adding DLS with write permission recommendation opensearch-project#1273 Signed-off-by: AntonEliatra <[email protected]> * Update _security/access-control/document-level-security.md Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]> --------- Signed-off-by: AntonEliatra <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: Sander van de Geijn <[email protected]>
What is the bug?
I have created a user which is mapped to a role with document-level security enabled.
If I try to index the document through a BulkRequest using this user, I get the following exception:
After looking into the code, it seems DlsFlsValveImpl is trying to read the dls query related header from the request.
------Code snippet from DlsFlsValveImpl -----
However, I think this header should not come into the picture while indexing the document.
This seems to be a bug.
How can one reproduce the bug?
Steps to reproduce the behavior:
Create a role with DLS enabled and associate this role with a user. Index the document using a bulk request and using this user.
Verify the bulk response.
What is the expected behavior?
While indexing, DLS should be ignored.
What is your host/environment?
Do you have any screenshots?
NA
Do you have any additional context?
NA