Hi Bert,

Thank you for the detailed report and reproduction of this issue. This is a 
known limitation with Shield and certain operations in Elasticsearch. We're 
working to resolve this in a future release. 

We will be documenting this limitation and all of the operations affected 
shortly; this was something that we had forgotten to document.

-Jay

On Monday, April 20, 2015 at 10:46:40 AM UTC-4, Bert Vermeiren wrote:
>
> Hi,
>
> Using:
> * ElasticSearch 1.5.1
> * SHIELD 1.2
>
> Whenever I use a terms lookup filter in a search query, I get an 
> UnAuthorizedException for the [__es_system_user] user although the actual 
> user has even 'admin' role privileges.
> This seems a bug to me, where the terms filter does not have the correct 
> security context.
>
> This is very easy to reproduce, see gist :
>
> https://gist.github.com/bertvermeiren/c29e0d9ee54bb5b0b73a
>
> Scenario :
>
> # Add user 'admin' with default 'admin' role.
> ./bin/shield/esusers useradd admin -p admin1 -r admin
>
> # create index.
> curl -XPUT 'admin:admin1@localhost:9200/customer'
>
> # create a document on the index
> curl -XPUT 'admin:admin1@localhost:9200/customer/external/1' -d '
> {
>   "name" : "John Doe",
>   "token" : "token1"
> }'
>
> # create additional index for the "terms lookup" filter functionality
> curl -XPUT 'admin:admin1@localhost:9200/tokens'
>
> # create document in 'tokens' index
> curl -XPUT 'admin:admin1@localhost:9200/tokens/tokens/1' -d '
> {
>   "group" : "1",
>   "tokens" : ["token1", "token2" ]
> }'
>
> # search with a terms lookup filter on the "customer" index, referring to 
> # the 'tokens' index.
>
> curl -XGET 'admin:admin1@localhost:9200/customer/external/_search' -d '
> {
>   "query": {
>     "filtered": {
>       "query": {
>         "match_all": {}
>       },
>       "filter": {
>        "terms": {
>         "token": {
>           "index": "tokens",
>           "type": "tokens",
>           "id": "1",
>           "path": "tokens"
>          }
>        }
>       }
>     }
>   }
> }'
>
>
> => org.elasticsearch.shield.authz.AuthorizationException: action 
> [indices:data/read/get] is unauthorized for user [__es_system_user]
>

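A possible client-side workaround while this limitation stands, as an added example that is not part of the original thread or of Shield: read the lookup document with the end user's own credentials and inline its values into the `terms` filter, so the search body no longer contains a lookup. It assumes the failing `indices:data/read/get` is the lookup fetch itself; the helper names and the `fetch_source` callable are hypothetical.

```python
def is_lookup(spec):
    """True for a terms-lookup spec like the one in the thread's search body."""
    return isinstance(spec, dict) and {"index", "type", "id", "path"} <= set(spec)

def extract_path(source, path):
    """Collect the values under a dotted path, flattening arrays."""
    values = [source]
    for part in path.split("."):
        found = []
        for value in values:
            if isinstance(value, dict) and part in value:
                item = value[part]
                found.extend(item if isinstance(item, list) else [item])
        values = found
    return values

def resolve(spec, fetch_source):
    """Fetch the lookup document as the caller and return the terms at spec['path']."""
    source = fetch_source(spec["index"], spec["type"], spec["id"])
    if source is None:
        raise LookupError("lookup document not found or not readable by caller")
    return extract_path(source, spec["path"])

def inline_terms_lookups(node, fetch_source):
    """Return a copy of the query with each terms lookup replaced by literal terms."""
    if isinstance(node, list):
        return [inline_terms_lookups(item, fetch_source) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key == "terms" and isinstance(value, dict):
            out[key] = {field: resolve(spec, fetch_source) if is_lookup(spec) else spec
                        for field, spec in value.items()}
        else:
            out[key] = inline_terms_lookups(value, fetch_source)
    return out

# Constructed sample data mirroring the documents and search body in the report.
DOCS = {("tokens", "tokens", "1"): {"group": "1", "tokens": ["token1", "token2"]}}
QUERY = {"query": {"filtered": {"query": {"match_all": {}}, "filter": {"terms": {
    "token": {"index": "tokens", "type": "tokens", "id": "1", "path": "tokens"}}}}}}

def fake_fetch(index, doc_type, doc_id):
    """Stand-in for an authenticated GET made with the end user's credentials."""
    return DOCS.get((index, doc_type, doc_id))

if __name__ == "__main__":
    print(inline_terms_lookups(QUERY, fake_fetch))
```

Because the document read happens under the real user's identity, it is authorized against that user's roles rather than skipped or run as a system account.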