[BUG] Running a nested path query from a user with FLS Includes rules returns empty results #4349

Closed
cwperks opened this issue May 17, 2024 · 2 comments
Labels: bug, triaged, v2.15.0

cwperks (Member) commented May 17, 2024

What is the bug?

When using a nested query from a user with a role containing FLS Includes rules, the query result is empty but I expect the query results to not be empty.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create an index

Create test index

```
PUT /my-index
{
  "mappings": {
    "properties": {
      "outerNested": {
        "type": "nested",
        "properties": {
          "innerNested": {
            "type": "nested",
            "properties": {
              "name": {
                "type": "keyword"
              }
            }
          }
        }
      }
    }
  }
}
```

  2. Create a role with FLS includes rules using either wildcard (nestedField*) or each field explicitly (nestedField.name). When listing fields explicitly, list nested fields as dot-separated starting from the root.

Create a role

```
PUT _plugins/_security/api/roles/test-role
{
  "cluster_permissions": [
    "cluster_all"
  ],
  "index_permissions": [{
    "index_patterns": [
      "*"
    ],
    "dls": "",
    "fls": ["outerNested*"],
    "masked_fields": [],
    "allowed_actions": [
      "indices_all"
    ]
  }]
}
```

  3. Map the role to a user
  4. Ingest a few documents

Create documents

```
POST my-index/_doc
{
  "outerNested": {
    "innerNested": {
      "name": "Craig"
    }
  }
}

POST my-index/_doc
{
  "outerNested": {
    "innerNested": {
      "name": "John"
    }
  }
}

POST my-index/_doc
{
  "outerNested": {
    "innerNested": {
      "name": "Jane"
    }
  }
}
```

  5. Create a painless script

Create script

```
POST _scripts/name-eq
{
  "script": {
    "lang": "painless",
    "source": "if (doc[params['fieldName']].size() != 0) { doc[params['fieldName']].value == params['value'] }"
  }
}
```

  6. Search using Nested Query and script

Search

```
GET my-index/_search
{
  "query": {
    "nested": {
      "path": "outerNested.innerNested",
      "query": {
        "bool": {
          "must": [
            {
              "script": {
                "script": {
                  "id": "name-eq",
                  "params": {
                    "fieldName": "outerNested.innerNested.name",
                    "value": "Craig"
                  }
                }
              }
            }
          ]
        }
      }
    }
  }
}
```

> Empty results

What is the expected behavior?

The search query should return the matching documents

Do you have any additional context?

FLS with Includes is evaluated differently than FLS with Excludes.

Searching with a painless script will use a __nested_path metaField behind the scenes which is not currently being tracked as a meta field: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/configuration/SecurityFlsDlsIndexSearcherWrapper.java#L41-L59
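
The includes/excludes difference described in this report, as a simplified model added here for illustration (not code from the security plugin). The function names, the contents of the meta-field set, and the sample field list are assumptions; `__nested_path` is the field name as written in the issue.

```python
from fnmatch import fnmatchcase

# Assumption: stands in for the hard-coded meta-field set linked in the issue;
# the entries listed here are illustrative.
TRACKED_META_FIELDS = frozenset({"_source", "_id", "_version", "_seq_no", "_primary_term"})

# Constructed sample: fields stored on one inner nested Lucene document.
NESTED_DOC_FIELDS = ["outerNested.innerNested.name", "__nested_path", "_id", "_source"]

NESTED_MARKER = "__nested_path"  # internal field name as given in the issue


def visible_fields(fields, fls_rules, meta_fields=TRACKED_META_FIELDS):
    """Return the fields a reader exposes under the given FLS rules.

    Rules prefixed with '~' are excludes, all others are includes.
    Includes act as an allow-list (plus tracked meta fields);
    excludes act as a deny-list over everything else.
    """
    includes = [r for r in fls_rules if not r.startswith("~")]
    excludes = [r[1:] for r in fls_rules if r.startswith("~")]
    if includes:
        return [f for f in fields
                if f in meta_fields or any(fnmatchcase(f, p) for p in includes)]
    return [f for f in fields if not any(fnmatchcase(f, p) for p in excludes)]


def nested_script_can_match(fields, fls_rules, target, meta_fields=TRACKED_META_FIELDS):
    """Model: the nested script query needs both the path marker and the target field."""
    seen = visible_fields(fields, fls_rules, meta_fields)
    return NESTED_MARKER in seen and target in seen


if __name__ == "__main__":
    target = "outerNested.innerNested.name"
    # Includes rule from the report: the marker is not allow-listed, so it is hidden.
    print(nested_script_can_match(NESTED_DOC_FIELDS, ["outerNested*"], target))
    # Excludes rule (constructed): the marker is not denied, so it stays visible.
    print(nested_script_can_match(NESTED_DOC_FIELDS, ["~someOtherField"], target))
    # Includes rule with the marker tracked as a meta field.
    fixed = TRACKED_META_FIELDS | {NESTED_MARKER}
    print(nested_script_can_match(NESTED_DOC_FIELDS, ["outerNested*"], target, fixed))
```

A regression test for this class of bug should run the same nested query under an includes role and an excludes role and compare hit counts, since only the allow-list path depends on the meta-field set being complete.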

cwperks added the bug and untriaged labels May 17, 2024
derek-ho (Contributor) commented

[Triage] @cwperks thanks for filing this issue. It looks like there are clear reproduction steps here and the bug seems like a bad user experience. We would gladly accept a PR to address this bug.

derek-ho added the triaged label and removed the untriaged label May 20, 2024
cwperks self-assigned this May 28, 2024

cwperks (Member, Author) commented Jun 7, 2024

Associated PRs have been merged. Closing this issue.

cwperks closed this as completed Jun 7, 2024
cwperks added the v2.15.0 label Jun 7, 2024