search

elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch
Other
869 stars 24.81k forks source link

Document Level Security - Expand wildcards in `multi_match` query #112130

Open jfreden opened 2 months ago

jfreden commented 2 months ago

Elasticsearch Version

8.15

Installed Plugins

No response

Java Version

bundled

OS Version

NA

Problem Description

When using wildcards to match fields in a multi_match query within a DLS query in a role, the fields are not properly expanded because there is no index reader that can read the index mapping to expand the wildcards.

This happens because a searcher is needed to read the mappings to figure out what fields are available for an index, but since no reader has been constructed yet, it's not possible (it's null).

The searcher is expected to be supplied by the Security plugin when it calls IndexModule::setReaderWrapper to override the IndexReader factory. Currently it passes null for the searcher parameter, which makes expansions of wildcard fields impossible.

The factory is called once the IndexService is fully constructed. This is to enable the custom behaviour that DLS offers, where documents not matched by the DLS query are treated as deleted when searching.

Steps to Reproduce

Create a Role Descriptor with this DLS Query: 

"query": {
    "multi_match": {
        "query": "test_value",
        "fields": [
            "*test_field"
        ]
    }
}

Ingest some documents that should match and see that they're not returned.

Logs (if relevant)

No response

elasticsearchmachine commented 2 months ago

Pinging @elastic/es-security (Team:Security)

elasticsearchmachine commented 2 months ago

Pinging @elastic/es-search-foundations (Team:Search Foundations)