Hi Jay,

Thanks for acknowledging!

Is there any way to work around this issue? We definitely need a kind of "join" filter for limiting the returned data based on some permissions/tokens.

We are also starting discussions for a support and re-distribution license with both your and our marketing organisation. Is there any way to get a fix within a support contract?

Thanks,
Regards,
Bert.

On Wednesday, 22 April 2015 at 14:34:07 UTC+2, Jay Modi wrote:
>
> Hi Bert,
>
> Thank you for the detailed report and reproduction of this issue. This is
> a known limitation with Shield and certain operations in elasticsearch.
> We're working to resolve this in a future release.
>
> We will be documenting this limitation and all of the operations affected
> shortly; this was something that we had forgotten to document.
>
> -Jay
>
> On Monday, April 20, 2015 at 10:46:40 AM UTC-4, Bert Vermeiren wrote:
>>
>> Hi,
>>
>> Using:
>> * ElasticSearch 1.5.1
>> * SHIELD 1.2
>>
>> Whenever I use a terms lookup filter in a search query, I get an
>> UnAuthorizedException for the [__es_system_user] user although the actual
>> user even has 'admin' role privileges.
>> This seems a bug to me, where the terms filter does not have the correct
>> security context.
>>
>> This is very easy to reproduce, see gist:
>>
>> https://gist.github.com/bertvermeiren/c29e0d9ee54bb5b0b73a
>>
>> Scenario:
>>
>> # Add user 'admin' with default 'admin' role.
>> ./bin/shield/esusers useradd admin -p admin1 -r admin
>>
>> # create index.
>> curl -XPUT 'admin:admin1@localhost:9200/customer'
>>
>> # create a document on the index
>> curl -XPUT 'admin:admin1@localhost:9200/customer/external/1' -d '
>> {
>>   "name" : "John Doe",
>>   "token" : "token1"
>> }'
>>
>> # create additional index for the "terms lookup" filter functionality
>> curl -XPUT 'admin:admin1@localhost:9200/tokens'
>>
>> # create document in 'tokens' index
>> curl -XPUT 'admin:admin1@localhost:9200/tokens/tokens/1' -d '
>> {
>>   "group" : "1",
>>   "tokens" : ["token1", "token2" ]
>> }'
>>
>> # search with a terms lookup filter on the "customer" index, referring to
>> # the 'tokens' index.
>>
>> curl -XGET 'admin:admin1@localhost:9200/customer/external/_search' -d '
>> {
>>   "query": {
>>     "filtered": {
>>       "query": {
>>         "match_all": {}
>>       },
>>       "filter": {
>>         "terms": {
>>           "token": {
>>             "index": "tokens",
>>             "type": "tokens",
>>             "id": "1",
>>             "path": "tokens"
>>           }
>>         }
>>       }
>>     }
>>   }
>> }'
>>
>>
>> => org.elasticsearch.shield.authz.AuthorizationException: action
>> [indices:data/read/get] is unauthorized for user [__es_system_user]
>>
>
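
Added example, not part of the thread and not Elastic's code: the error above comes from the get action that the terms lookup runs as [__es_system_user], so one possible approach is to fetch the lookup document with the caller's own credentials (GET /tokens/tokens/1) and inline its values in the terms filter. The sketch below builds that search body from a constructed GET response and fails closed when the lookup yields no terms. The function names are hypothetical, and it assumes the calling user is allowed to read the 'tokens' index.

```python
import json

# Constructed sample: the body Elasticsearch 1.x returns for
# GET /tokens/tokens/1 with the document created in the thread.
SAMPLE_GET_RESPONSE = json.loads("""
{"_index": "tokens", "_type": "tokens", "_id": "1", "_version": 1,
 "found": true, "_source": {"group": "1", "tokens": ["token1", "token2"]}}
""")


class LookupDenied(Exception):
    """The lookup yielded no terms; the caller must return zero hits."""


def extract_terms(get_response, path):
    """Pull the values at dotted `path` out of a GET response's _source."""
    if not get_response.get("found"):
        raise LookupDenied("lookup document not found")
    node = get_response.get("_source", {})
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise LookupDenied("path %r missing from lookup document" % path)
        node = node[key]
    values = node if isinstance(node, list) else [node]
    # Keep scalar terms only, drop duplicates, preserve first-seen order.
    terms = []
    for value in values:
        if isinstance(value, (str, int, float)) and value not in terms:
            terms.append(value)
    if not terms:
        # Fail closed: never fall back to an unfiltered match_all.
        raise LookupDenied("lookup document holds no terms")
    return terms


def build_search_body(get_response, field, path):
    """Build the thread's filtered query with the looked-up terms inlined."""
    terms = extract_terms(get_response, path)
    return {"query": {"filtered": {"query": {"match_all": {}},
                                   "filter": {"terms": {field: terms}}}}}


if __name__ == "__main__":
    # Body to send to customer/external/_search instead of the lookup form.
    body = build_search_body(SAMPLE_GET_RESPONSE, "token", "tokens")
    print(json.dumps(body, indent=2))
```
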