-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DLS overrides broader permissions #13
Comments
@pgagnon Thanks for noting. Can you outline in more detail what your use case expects as correct behavior? |
@alolita Thanks for your reply. I think that a grant on an index without an associated DLS query defined should be treated as if there was a DLS query defined that selected all documents. This way, when DLS queries are OR'ed to create the final filter (as described in the search-guard docs quoted above), all documents would be returned. |
I'm having the same issue. My setup is as follows: I have some users which are in the "all_access" role, and some users which are in the "[project name] developers" role. Some users are also in both roles. For those only with the project developer role, I restrict them to accessing only their project's logs using DLS. However for users who are in BOTH roles, I would expect that they are not restricted (since "all_access" would imply they can see all documents). However currently, the "all_access" users who are also "project developer" users experience the same restrictions as "project developer" users, i.e. they can only see logs for [project] and nothing else. As a workaround I have created a new role "all_access_dls" which applies the following DLS query: |
Same issue here, I would also expect if someone has all_access role without DLS applied, the defined dls for another role should be overwritten! @shawnz Will try the work around, but that will make the queries obviously slower. |
Indeed, it made things very slow and we ended up dropping the DLS usage for now. |
Ideally, if user has two roles with different set of permissions, resultant permission will be always broader permissions. |
Hello, I am in the process of coding a fix for this and will soon provide the community with a PR. |
@chrousto Thanks! Could you please link the PR to this issue? |
Hello it's not finished yet I have to test a couple of things first. |
@hardik-k-shah is there an update on this? Seems like it slipped out of the radar. |
@spapadop thanks for tagging me. Checking it now. |
Thanks for connecting the two, @rursprung ! Closing the issue. |
Assume
user1
has two roles (assume they areadmin
andread_index1_dls
).The
admin
role grantsUNLIMITED
permissions on*
indices. Theread_index1_dls
role grantsREAD
permissions onindex1
, but also restricts this user from seeing certain documents inindex1
through a DLS query.It would be expected that the user would have access to all documents in
index1
through theadmin
role, however actual behavior is that the DLS query is applied, anduser1
is unable to read documents that the DLS query filters.As a side note, the search-guard documentation (see section Multiple roles and document-level security) states:
So this actually might be expected behavior, however it is not "correct" from a usability standpoint, IMO.
The text was updated successfully, but these errors were encountered: