Document-level security - Multiple attributes based access

Hello,

We just installed the latest Open Distro for Elasticsearch (1.0.0) with the Security plugin and Kibana.
And we have started to configure ABAC based on the example: https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/document-level-security/

We have a user with attributes: ID: “1234”, “12345”
We have a role: User-ID
With the following DLSQ:

{
  "terms_set": {
    "ID": {
      "terms": [
        "${attr.internal.ID}"
      ],
      "minimum_should_match_script": {
        "source": "1"
      }
    }
  }
}

And it shows the data only when we set a single user attribute value, without quotes: ID: 123 or ID: 456, but not both.
It doesn't work with the following:
ID: 123, 456 - 0 hits
ID: "123" - Discover: failed to wrap searcher
ID: "123", "456" - Discover: failed to wrap searcher

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"exception","reason":"failed to wrap searcher"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"user-log-2019-07-22","node":"IoqM6u52Q8SJBFkgfTe3SZ","reason":{"type":"exception","reason":"failed to wrap searcher","caused_by":{"type":"i_o_exception","reason":"java.util.concurrent.ExecutionException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('2' (code 50)): was expecting comma to separate Array entries\n at [Source: java.io.StringReader@4875e49a; line: 5, column: 11]","caused_by":{"type":"execution_exception","reason":"execution_exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('2' (code 50)): was expecting comma to separate Array entries\n at [Source: java.io.StringReader@4875e49a; line: 5, column: 11]","caused_by":{"type":"i_o_exception","reason":"Unexpected character ('2' (code 50)): was expecting comma to separate Array entries\n at [Source: java.io.StringReader@4875e49a; line: 5, column: 11]"}}}}}]},"status":500}


But it works fine if we place IDs in the DLSQ:

{
  "terms_set": {
    "ID": {
      "terms": [
        "123",
        "456"
      ],
      "minimum_should_match_script": {
        "source": "1"
      }
    }
  }
}

What may be wrong?

Thank you!

As a workaround we now use it in the following way:

{
  "terms_set": {
    "ID": {
      "terms": [
        "${attr.internal.ID1}",
        "${attr.internal.ID2}"
      ],
      "minimum_should_match_script": {
        "source": "1"
      }
    }
  }
}

And is there any way to use some kind of regexp/wildcard, in order to replace:

      "terms": [
        "${attr.internal.ID1}",
        "${attr.internal.ID2}"
      ]

with:

      "terms": [
        "${attr.internal.ID*}"
      ]

Where * in our case is {[0-9]{1,2}}

If you're comparing against numbers, you won't need the quotation marks, so the following would work:

"terms": [ ${attr.internal.IDs} ]

and on the other side IDs = 1,2,3,4
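To make the behaviour reported in this thread concrete, here is a small model of the substitution step (added here; it is not the plugin's code and not from anyone in this thread). It assumes the plugin pastes the attribute value into the query text verbatim with no JSON escaping, which is what the single-term result and the "failed to wrap searcher" parse error both point to; the template strings, attribute values and the csv_attr_to_json_terms helper are constructed for the illustration.

```python
import json
import re

# Constructed DLS query templates, mirroring the two shapes posted in this thread:
# the attribute placeholder inside quotes, and the placeholder bare inside the array.
QUOTED_TEMPLATE = ('{"terms_set": {"ID": {"terms": ["${attr.internal.ID}"], '
                   '"minimum_should_match_script": {"source": "1"}}}}')
BARE_TEMPLATE = ('{"terms_set": {"IDs": {"terms": [ ${attr.internal.IDs} ], '
                 '"minimum_should_match_script": {"source": "1"}}}}')

PLACEHOLDER = re.compile(r"\$\{attr\.internal\.([A-Za-z0-9_]+)\}")


def substitute(template, attrs):
    """Paste each attribute value into the template verbatim.

    Assumption (a hypothetical model, not the plugin's implementation): plain text
    replacement with no JSON escaping, which matches the behaviour reported above.
    """
    return PLACEHOLDER.sub(lambda m: attrs[m.group(1)], template)


def render_dls(template, attrs):
    """Return ("ok", terms) if the rendered query is valid JSON, else ("parse_error", msg).

    A parse error makes the whole search fail (the HTTP 500 quoted in the thread), so a
    malformed attribute value fails closed instead of returning unfiltered hits.
    """
    try:
        query = json.loads(substitute(template, attrs))
    except json.JSONDecodeError as exc:
        return ("parse_error", str(exc))
    field = next(iter(query["terms_set"]))
    return ("ok", query["terms_set"][field]["terms"])


def csv_attr_to_json_terms(value):
    """Turn a comma-separated attribute such as '123, 456' into the JSON-escaped array
    body '"123", "456"' for the bare template; json.dumps quotes and escapes every
    element, so the value cannot change the structure of the query."""
    return ", ".join(json.dumps(v.strip()) for v in value.split(","))


if __name__ == "__main__":
    print(render_dls(QUOTED_TEMPLATE, {"ID": "123"}))        # ("ok", ["123"])
    print(render_dls(QUOTED_TEMPLATE, {"ID": "123, 456"}))   # one term "123, 456": 0 hits
    print(render_dls(QUOTED_TEMPLATE, {"ID": '"123"'}))      # parse error from ""123""
    print(render_dls(BARE_TEMPLATE, {"IDs": "1,2,3,4"}))     # ("ok", [1, 2, 3, 4])
    print(render_dls(BARE_TEMPLATE, {"IDs": csv_attr_to_json_terms("123, 456")}))
```

The last case also covers string values: under the same substitution assumption, a JSON-escaped, comma-separated body pasted bare into the array renders as a valid array of strings.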

@faham, I got the message about invalid JSON:

{
  "terms_set": {
    "IDs": {
      "terms": [ ${attr.internal.IDs} ],
      "minimum_should_match_script": {
        "source": "1"
      }
    }
  }
}

It accepts the value only with quotes.

Do you have an example of the full query?

I know about the Invalid JSON warning; that's only a frontend message. Ignore it and use it without the quotation marks. It did work for me. I don't remember if I created the doc through the Kibana interface or curled the Elasticsearch server directly, but I did use it without quotation marks (invalid JSON) and it worked just as intended.

@faham, yes, the interface permitted me to save an ‘Invalid JSON’, but it seems that it works. Will continue to test it.

Thank you!

Was there ever a solution for this if comparing strings? I have a JWT claim named groups (containing a list of strings) that I want to compare against.

Yes, the error with the documentation is documented here: https://github.com/opendistro-for-elasticsearch/security/issues/863

Just found the solution and might update the documentation.

Maybe you want to check this blog out.
