I am trying to control read access to an index using DLS, based on matching the host field with a given regexp.

Documentation for this is limited and I haven't found any examples that use a regexp. I've tried a few different things but at this point I would like to at least confirm this is even possible.

Currently the query looks like:

elastic_dls_test:
  - indices:
    'index1_*':
          '*':
            - READ
          _dls_: '{"bool": { "filter": { "regexp": { "host.keyword": {"value": "/hostname_to_match[0-9]*/"} }}}}}' 
   

This doesn't seem to filter anything for users in the role elastic_dls_test.

GL2014

1 Answer

Yes, it should be possible. You can use any Elasticsearch query for DLS, including regex ones. Without having a look at the rest of the configuration and the underlying data it is hard to tell why it is not working. But there are a couple of general steps to debug the problem:

  1. Run the DLS query directly (as in using the "_search" endpoint) with a user that has full access to the index and see if it returns the expected result
  2. Check if the user is really assigned to the elastic_dls_test role, so DLS is actually applied. Have a look at the troubleshooting for roles and permissions: https://docs.search-guard.com/latest/troubleshooting-search-guard-user-roles
  3. Check the Elasticsearch log file to see if there are any errors

It would also help if you posted a sample document from one of your index1_* indices.

Jochen Kressin
Thanks, I got it working and you're correct, this query does work as-is when other bugs are ironed out. Unfortunately it seems that there is a bug in ES/SG where if you use DLS this way, and then make a query for something that is restricted by the DLS filter query, you get all of the records that you have access to instead of an empty results set (which is what it should be). – GL2014 Aug 20 '20 at 13:34
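
An offline pre-check to run before step 1 of the answer, added here as an example (not code from the question, the answer or Search Guard): it strictly parses the `_dls_` string, builds the `_search` request body, and tries the regexp against sample values. The host values are constructed, and Python's `re.fullmatch` stands in for Lucene's whole-term regexp matching, an assumption that holds for a pattern this simple.

```python
import json
import re

# The _dls_ value exactly as posted in the question.
POSTED_DLS = ('{"bool": { "filter": { "regexp": { "host.keyword": '
              '{"value": "/hostname_to_match[0-9]*/"} }}}}}')
# Constructed sample values for host.keyword (not from the page).
SAMPLE_HOSTS = ["hostname_to_match01", "hostname_to_match",
                "other_host7", "/hostname_to_match3/"]

def parse_dls(dls):
    """Strictly parse a _dls_ string; return (query, error or None)."""
    try:
        return json.loads(dls), None
    except json.JSONDecodeError as exc:
        return None, f"{exc.msg} at character {exc.pos}"

def search_body(query):
    """Request body for step 1: the DLS query sent to _search as-is."""
    return json.dumps({"query": query})

def find_regexps(node):
    """Yield (field, pattern) for each regexp clause in the query."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "regexp" and isinstance(val, dict):
                for field, spec in val.items():
                    yield field, spec["value"] if isinstance(spec, dict) else spec
            else:
                yield from find_regexps(val)
    elif isinstance(node, list):
        for item in node:
            yield from find_regexps(item)

def matching_hosts(pattern, hosts):
    """The regexp query matches whole terms, so use fullmatch.
    '/' is an ordinary character in this query, not a delimiter."""
    rx = re.compile(pattern)
    return [h for h in hosts if rx.fullmatch(h)]

if __name__ == "__main__":
    query, err = parse_dls(POSTED_DLS)
    print("as posted:", err)
    query, err = parse_dls(POSTED_DLS[:-1])  # drop the unbalanced brace
    print("search body:", search_body(query))
    for field, pattern in find_regexps(query):
        for candidate in (pattern, pattern.strip("/")):
            print(field, repr(candidate), matching_hosts(candidate, SAMPLE_HOSTS))
```

A strict JSON parser rejects the posted string because of one extra closing brace, and with the slashes kept the pattern matches only values that themselves begin and end with `/`.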