Hi,

Using:
* ElasticSearch 1.5.1
* SHIELD 1.2

Whenever I use a terms lookup filter in a search query, I get an UnAuthorizedException for the [__es_system_user] user although the actual user has even 'admin' role privileges.

This seems a bug to me, where the terms filter does not have the correct security context.

This is very easy to reproduce, see gist: https://gist.github.com/bertvermeiren/c29e0d9ee54bb5b0b73a

Scenario:

# Add user 'admin' with default 'admin' role.
./bin/shield/esusers useradd admin -p admin1 -r admin

# create index.
curl -XPUT 'admin:admin1@localhost:9200/customer'

# create a document on the index
curl -XPUT 'admin:admin1@localhost:9200/customer/external/1' -d '
{
  "name" : "John Doe",
  "token" : "token1"
}'

# create additional index for the "terms lookup" filter functionality
curl -XPUT 'admin:admin1@localhost:9200/tokens'

# create document in 'tokens' index
curl -XPUT 'admin:admin1@localhost:9200/tokens/tokens/1' -d '
{
  "group" : "1",
  "tokens" : ["token1", "token2" ]
}'

# search with a terms lookup filter on the "customer" index, referring to the 'tokens' index.
curl -XGET 'admin:admin1@localhost:9200/customer/external/_search' -d '
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "terms": {
          "token": {
            "index": "tokens",
            "type": "tokens",
            "id": "1",
            "path": "tokens"
          }
        }
      }
    }
  }
}'

=> org.elasticsearch.shield.authz.AuthorizationException: action [indices:data/read/get] is unauthorized for user [__es_system_user]
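Added example, not part of the original post: the exception above names action indices:data/read/get, the document GET behind the terms lookup. The Python below does that GET on the client and inlines the values into the terms filter, so the read is authorized as the calling user rather than [__es_system_user]. The helper names (extract_path, inline_terms_lookup, fetch_doc) are hypothetical, the sample response is constructed, and it assumes every lookup gives index, type, id and path.

```python
# Added example: resolve a terms lookup client-side so the document GET runs
# under the caller's own credentials. Helper names are hypothetical.
LOOKUP_KEYS = {"index", "type", "id", "path"}  # assumed: all four are present

def extract_path(source, path):
    """Collect the values at a dotted path in _source, flattening arrays."""
    nodes = [source]
    for key in path.split("."):
        children = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    children.append(item[key])
        nodes = children
    values = []
    for node in nodes:
        values.extend(node if isinstance(node, list) else [node])
    return values

def inline_terms_lookup(body, fetch_doc):
    """Return a copy of body with each terms lookup replaced by inline terms.
    fetch_doc(index, type, id) returns the parsed GET response for the lookup
    document, requested by the caller as the end user."""
    if isinstance(body, list):
        return [inline_terms_lookup(item, fetch_doc) for item in body]
    if not isinstance(body, dict):
        return body
    out = {}
    for key, value in body.items():
        if key == "terms" and isinstance(value, dict):
            out[key] = {}
            for field, spec in value.items():
                if isinstance(spec, dict) and LOOKUP_KEYS <= set(spec):
                    doc = fetch_doc(spec["index"], spec["type"], spec["id"])
                    if not doc.get("found"):
                        # Fail closed: never search with an empty or partial list.
                        raise LookupError("lookup document not found")
                    spec = extract_path(doc["_source"], spec["path"])
                out[key][field] = spec
        else:
            out[key] = inline_terms_lookup(value, fetch_doc)
    return out

# Constructed GET response for tokens/tokens/1, mirroring the document above.
SAMPLE_DOC = {"_index": "tokens", "_type": "tokens", "_id": "1", "found": True,
              "_source": {"group": "1", "tokens": ["token1", "token2"]}}
```

The rewritten body is sent to customer/external/_search as before; if the user cannot read the lookup document, the GET made by fetch_doc is where the denial shows up.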