
[BUG] Role with Document-level security (DLS) masks more generic permissions #3773

Closed
rufdoSICKAG opened this issue Nov 28, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@rufdoSICKAG

What is the bug?
When a user has 2 roles, one that permits him to read all documents of an index and one that restricts the permissions to certain documents via DLS, he only has access to the ones meeting the DLS criteria.

I noticed this because, even though my user had the all_access role, he was not able to see a lot of documents.
The reason was that, via a backend_role, my user also had a role that limited the access via DLS.

Only after creating another role with the DLS `{ "match_all": {} }`, and adding this role to my user, was I able to see the documents again.

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Create a role:

```yaml
myrole:
  index_permissions:
  - index_patterns:
    - myindex-*
    dls: "{\"terms\": { \"myfield.keyword\": [\"nonexistincvalue\"]}}"
    allowed_actions:
    - search
```

2. Give this role to a user that already has the all_access role.
3. With this user, search for any documents: `GET myindex-*/_search`
4. Even though the index contains some documents and the user has the all_access role, the search has no results.

What is the expected behavior?
I expected the permissions to be additive and not to lose permissions when getting an additional role.
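As an added illustration (not code from this issue or from the OpenSearch security plugin), the following Python model reproduces the role-combination behaviour reported above with constructed roles and documents; the OR-combination of DLS queries and the glob-style index-pattern matching are assumptions derived from this report and the linked documentation.

```python
from fnmatch import fnmatch

# Constructed roles (not taken from any real cluster): all_access carries no DLS,
# myrole restricts documents with a terms query (as in the report), and
# dls_match_all is the workaround role with an explicit match_all DLS.
ROLES = {
    "all_access": {"index_patterns": ["*"], "dls": None},
    "myrole": {
        "index_patterns": ["myindex-*"],
        "dls": {"terms": {"myfield.keyword": ["nonexistincvalue"]}},
    },
    "dls_match_all": {"index_patterns": ["myindex-*"], "dls": {"match_all": {}}},
}

def effective_dls(role_names, index, roles=ROLES):
    """Return the DLS filter a user holding `role_names` gets on `index`.

    Model of the behaviour reported in this issue: a role without DLS does not
    widen access; once any matching role defines DLS, the user only sees
    documents matching the OR (bool/should) of all DLS queries. None = no DLS.
    """
    dls_queries = [
        roles[r]["dls"]
        for r in role_names
        if roles[r]["dls"] is not None
        and any(fnmatch(index, p) for p in roles[r]["index_patterns"])
    ]
    if not dls_queries:
        return None
    if len(dls_queries) == 1:
        return dls_queries[0]
    return {"bool": {"should": dls_queries, "minimum_should_match": 1}}

def matches(doc, query):
    """Evaluate the small query subset used above against one document."""
    if "match_all" in query:
        return True
    if "terms" in query:
        (field, values), = query["terms"].items()
        return doc.get(field) in values
    if "bool" in query:
        return any(matches(doc, q) for q in query["bool"]["should"])
    raise ValueError("unsupported query")

def visible_docs(role_names, index, docs, roles=ROLES):
    """Filter `docs` the way a search on `index` would for this user."""
    q = effective_dls(role_names, index, roles)
    return docs if q is None else [d for d in docs if matches(d, q)]
```

Running `visible_docs(["all_access", "myrole"], "myindex-1", docs)` returns nothing, while adding `"dls_match_all"` to the role list returns every document, matching the workaround described in the report.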

@rufdoSICKAG rufdoSICKAG added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 28, 2023
@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Nov 30, 2023
@peternied (Member)

@rufdoSICKAG I know this can be counter-intuitive - DLS operates to deny access to documents unless they pass all the checks - this is the expected behavior.

@peternied (Member)

I think this confusing behavior is a good example to indicate why providing an alternative approach [1] might be a good option:

@rufdoSICKAG (Author)

This problem is also mentioned in the documentation now.
https://opensearch.org/docs/latest/security/access-control/document-level-security/#dls-and-multiple-roles
