Skip to content

ESQL: Make LOOKUP JOIN respect document level permissions #120509

New issue
New issue
Closed
#120617
Closed
ESQL: Make LOOKUP JOIN respect document level permissions#120509
#120617
Assignees
luigidellaquila
Labels
:Analytics/ES|QLAKA ESQL>bugTeam:AnalyticsMeta label for analytical engine team (ESQL/Aggs/Geo)
@alex-spies

Description

@alex-spies
alex-spies
opened on Jan 21, 2025

Currently, LOOKUP JOIN respects index level permissions, and it seems like it also correctly respects field level permissions. It does not, however, respect document level permissions.

We should:

  • Fix the latter and add tests.
  • Also add tests for field level security, and
  • add tests for a mix of both to guard against regressions in any possible weird edge cases.

What follows is a way to locally see that document level security is not yet respected.

Setup:

./gradlew run -Dlicense.key=x-pack/license-tools/src/test/resources/public.key -Dtests.es.xpack.license.self_generated.type=trial -Dtests.es.xpack.security.enabled=true 

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/_security/role/test_role" -d '{
  "indices": [
    {                                                
      "names": [ "test*" ], 
      "privileges": [ "read" ],
      "field_security" : {          
        "grant" : [ "x", "y" ]
      }, "query": "{\"match\": {\"z\": 1}}"
    }
  ]
}'

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/_security/user/test_user" -d'
{
  "password" : "123456",                             
  "roles" : [ "test_role" ],
  "full_name" : "Test Role",
  "email" : "test.role@example.com"
}'

curl -u elastic-admin:elastic-password -H "Content-Type: application/json" "127.0.0.1:9200/test_lookup" -XPUT -d '{
  "mappings": {        
        "properties": {"x": {"type": "integer"}, "y": {"type": "integer"}}}, "settings": {"index": {"mode": "lookup"}}}'

curl -u elastic:password -HContent-Type:application/json 'localhost:9200/test_lookup/_doc?refresh' -d '{"x": 1, "y": 1, "z": null}'

Confirming that permissions work if using FROM test_lookup:


curl -u test_user:123456 -H "Content-Type: application/json" "127.0.0.1:9200/_query?format=txt" -d '
{                                                                                                                                  
  "query": "from test_lookup"
}'
       x       |       y       
---------------+---------------

Now, using LOOKUP JOIN, we still have access to the document that didn't show up above:

curl -u test_user:123456 -H "Content-Type: application/json" "127.0.0.1:9200/_query?format=txt" -d '
{
  "query": "row x = 1 | lookup join test_lookup on x"
}'
       x       |       y       
---------------+---------------
1              |1

Metadata

Metadata

Assignees

Labels

:Analytics/ES|QLAKA ESQL>bugTeam:AnalyticsMeta label for analytical engine team (ESQL/Aggs/Geo)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions