I'm having the same problem with Elasticsearch 1.4.5 with Shield 1.1.

On Thursday, April 23, 2015 at 2:03:23 PM UTC-5, Jay Modi wrote:
>
> Hi Bert,
>
> I don't know of a workaround to accomplish this in a single query right 
> now. We have been discussing how to fix this issue in depth over the past 
> few days and have ideas on how to move forward but no timeline on it being 
> resolved.
>
> Regarding support contracts and fixes, I'm going to defer that question to 
> the person your company is in contact with. They'll be able to answer that 
> much better than I can.
>
> On Wednesday, April 22, 2015 at 9:15:21 AM UTC-4, Bert Vermeiren wrote:
>>
>> Hi Jay,
>>
>> Thanks for acknowledging!
>>
>> Is there any way to work around this issue? We definitely need a kind of 
>> "join" filter for limiting the returned data based on some 
>> permissions/tokens.
>>
>> We are also starting discussions for a support and re-distribution 
>> license with both your and our marketing organisation.
>>
>> Is there any way to get a fix within a support contract?
>>
>> Thanks,
>>
>> Regards, Bert.
>>
>>
>>
>> On Wednesday, April 22, 2015 at 14:34:07 UTC+2, Jay Modi wrote:
>>>
>>> Hi Bert,
>>>
>>> Thank you for the detailed report and reproduction of this issue. This 
>>> is a known limitation with Shield and certain operations in Elasticsearch. 
>>> We're working to resolve this in a future release.
>>>
>>> We will be documenting this limitation and all of the operations 
>>> affected shortly; this was something that we had forgotten to document.
>>>
>>> -Jay
>>>
>>> On Monday, April 20, 2015 at 10:46:40 AM UTC-4, Bert Vermeiren wrote:
>>>>
>>>> Hi,
>>>>
>>>> Using:
>>>> * ElasticSearch 1.5.1
>>>> * SHIELD 1.2
>>>>
>>>> Whenever I use a terms lookup filter in a search query, I get an 
>>>> UnAuthorizedException for the [__es_system_user] user although the actual 
>>>> user has even 'admin' role privileges.
>>>> This seems like a bug to me, where the terms filter does not have the 
>>>> correct security context.
>>>>
>>>> This is very easy to reproduce, see gist:
>>>>
>>>> https://gist.github.com/bertvermeiren/c29e0d9ee54bb5b0b73a
>>>>
>>>> Scenario:
>>>>
>>>> # Add user 'admin' with default 'admin' role.
>>>> ./bin/shield/esusers useradd admin -p admin1 -r admin
>>>>
>>>> # create index.
>>>> curl -XPUT 'admin:admin1@localhost:9200/customer'
>>>>
>>>> # create a document on the index
>>>> curl -XPUT 'admin:admin1@localhost:9200/customer/external/1' -d '
>>>> {
>>>>   "name" : "John Doe",
>>>>   "token" : "token1"
>>>> }'
>>>>
>>>> # create additional index for the "terms lookup" filter functionality
>>>> curl -XPUT 'admin:admin1@localhost:9200/tokens'
>>>>
>>>> # create document in 'tokens' index
>>>> curl -XPUT 'admin:admin1@localhost:9200/tokens/tokens/1' -d '
>>>> {
>>>>   "group" : "1",
>>>>   "tokens" : ["token1", "token2" ]
>>>> }'
>>>>
>>>> # search with a terms lookup filter on the "customer" index, referring to the 'tokens' index.
>>>>
>>>> curl -XGET 'admin:admin1@localhost:9200/customer/external/_search' -d '
>>>> {
>>>>   "query": {
>>>>     "filtered": {
>>>>       "query": {
>>>>         "match_all": {}
>>>>       },
>>>>       "filter": {
>>>>         "terms": {
>>>>           "token": {
>>>>             "index": "tokens",
>>>>             "type": "tokens",
>>>>             "id": "1",
>>>>             "path": "tokens"
>>>>           }
>>>>         }
>>>>       }
>>>>     }
>>>>   }
>>>> }'
>>>>
>>>>
>>>> => org.elasticsearch.shield.authz.AuthorizationException: action 
>>>> [indices:data/read/get] is unauthorized for user [__es_system_user]
>>>>
>>>
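An added example, not part of the original thread and not Shield's or Elasticsearch's own code: a two-request, client-side substitute for the terms lookup, in which the caller first GETs the lookup document with the end user's own credentials and then sends the same filtered query with the values inlined. It assumes the user's role may read the `tokens` index directly; the helper names are hypothetical and the sample GET response is constructed from the scenario's document.

```python
import json

# Constructed sample: the body GET /tokens/tokens/1 returns when issued with
# the end user's own credentials (document taken from the scenario above).
SAMPLE_GET_RESPONSE = {
    "_index": "tokens", "_type": "tokens", "_id": "1", "found": True,
    "_source": {"group": "1", "tokens": ["token1", "token2"]},
}


def extract_terms(get_response, path):
    """Return the values at dotted `path` in a GET response's _source."""
    if not get_response.get("found"):
        raise PermissionError("lookup document not found; refusing to search")
    node = get_response.get("_source", {})
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise PermissionError("path %r missing in lookup document" % path)
        node = node[key]
    terms = node if isinstance(node, list) else [node]
    if not terms:
        # Fail closed: an empty permission list must never widen the result.
        raise PermissionError("lookup document holds no terms")
    return terms


def build_inline_terms_query(field, terms):
    """Same filtered query as in the report, with the values inlined."""
    return {
        "query": {
            "filtered": {
                "query": {"match_all": {}},
                "filter": {"terms": {field: list(terms)}},
            }
        }
    }


if __name__ == "__main__":
    terms = extract_terms(SAMPLE_GET_RESPONSE, "tokens")
    # Body for: GET /customer/external/_search (sent as the same user)
    print(json.dumps(build_inline_terms_query("token", terms), indent=2))
```

Because both requests carry the user's credentials, the read of `tokens` is authorized against that user's role rather than against `__es_system_user`.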