regex, elasticsearch, search-guard

Elasticsearch filter access using a regexp in a dls (document-level security) query


I am trying to control read access to an index using DLS, based on matching the host field with a given regexp.

Documentation for this is limited and I haven't found any examples that use a regexp. I've tried a few different things but at this point I would like to at least confirm this is even possible.

Currently the query looks like:

elastic_dls_test:
  - indices:
    'index1_*':
          '*':
            - READ
          _dls_: '{"bool": { "filter": { "regexp": { "host.keyword": {"value": "/hostname_to_match[0-9]*/"} }}}}}' 
   

This doesn't seem to filter anything for users in the role elastic_dls_test.


Solution

  • Yes, it should be possible. You can use any Elasticsearch query for DLS, including regex ones. Without having a look at the rest of the configuration and the underlying data it is hard to tell why it is not working. But there are a couple of general steps to debug the problem:

    1. Run the DLS query directly (as in using the "_search" endpoint) with a user that has full access to the index and see if it returns the expected result
    2. Check if the user is really assigned to the elastic_dls_test role, so DLS is actually applied. Have a look at the troubleshooting for roles and permissions: https://docs.search-guard.com/latest/troubleshooting-search-guard-user-roles
    3. Check the Elasticsearch log file to see if there are any errors

    It would also help if you posted a sample document from one of your index1_* indices.
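
A local pre-check to run before step 1, added here as an example (not code from the question, the answer, or Search Guard): it parses a DLS string, flags regexp values wrapped in /.../ (the regexp query takes a bare Lucene pattern that must match the whole field value, so the slashes are matched literally), and builds the body to send to _search. The function names and the two variant strings are constructed for illustration.

```python
import json

# The _dls_ string as it appears in the question, plus two constructed variants.
AS_POSTED = '{"bool": { "filter": { "regexp": { "host.keyword": {"value": "/hostname_to_match[0-9]*/"} }}}}}'
BALANCED = AS_POSTED[:-1]  # constructed: one trailing brace removed
BARE = BALANCED.replace("/hostname_to_match[0-9]*/", "hostname_to_match[0-9]*")

def find_regexp_values(node):
    """Yield (field, pattern) for every regexp clause in a parsed query."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "regexp" and isinstance(val, dict):
                for field, spec in val.items():
                    # Long form {"value": "..."} or short form "field": "..."
                    pattern = spec.get("value") if isinstance(spec, dict) else spec
                    yield field, pattern
            else:
                yield from find_regexp_values(val)
    elif isinstance(node, list):
        for item in node:
            yield from find_regexp_values(item)

def check_dls(dls_string):
    """Return (parsed_query_or_None, findings) for a _dls_ value."""
    try:
        query = json.loads(dls_string)
    except json.JSONDecodeError as err:
        return None, [f"invalid JSON at char {err.pos}: {err.msg}"]
    findings = []
    for field, pattern in find_regexp_values(query):
        if isinstance(pattern, str) and len(pattern) > 1 \
                and pattern.startswith("/") and pattern.endswith("/"):
            findings.append(f"{field}: pattern is wrapped in /.../, slashes match literally")
    return query, findings

def search_body(query):
    """Body for GET index1_*/_search, run as a user with full index access."""
    return {"query": query, "size": 5, "_source": ["host"]}

if __name__ == "__main__":
    for name, dls in [("as posted", AS_POSTED), ("balanced", BALANCED), ("bare", BARE)]:
        query, findings = check_dls(dls)
        print(name, "->", findings or "no findings")
        if query is not None and not findings:
            print(json.dumps(search_body(query)))
```

If the bare-pattern body returns only the expected hosts when sent to _search, the remaining steps (role mapping, log errors) are the place to look.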