# Role access_role_1: read-only access to the "test" index.
# "query" is the document-level security filter: only documents whose
# "condition" field matches the term "a" are visible to this role.
# "field_security.grant" is the field-level allow-list: only "access_1" can be
# read or searched; every other field, including "condition", is hidden.
POST /_security/role/access_role_1
{
"indices" : [
{
"names" : [
"test"
],
"privileges" : [
"read"
],
"query": "{\"bool\":{\"should\":[{\"term\":{\"condition\":{\"value\":\"a\"}}}]}}",
"field_security" : {
"grant" : [
"access_1"
],
"except" : [ ]
},
"allow_restricted_indices" : false
}
]
}
# Role access_role_2: same shape as access_role_1, but the document filter
# matches "condition" = "b" and the only granted field is "access_2".
POST /_security/role/access_role_2
{
"indices" : [
{
"names" : [
"test"
],
"privileges" : [
"read"
],
"query": "{\"bool\":{\"should\":[{\"term\":{\"condition\":{\"value\":\"b\"}}}]}}",
"field_security" : {
"grant" : [
"access_2"
],
"except" : [ ]
},
"allow_restricted_indices" : false
}
]
}
Last active
November 2, 2021 16:13
role test.md
# Same two roles, with the document-level filter written as a "match" query
# instead of a bool/term query. The role API creates or updates, so sending
# these replaces any earlier definition stored under the same role name.
# Each role grants read on "test", filters documents by "condition", and
# exposes a single field through "field_security.grant".
POST /_security/role/access_role_1
{
"indices" : [
{
"names" : [
"test"
],
"privileges" : [
"read"
],
"query": "{\"match\": {\"condition\": \"a\"}}",
"field_security" : {
"grant" : [
"access_1"
],
"except" : [ ]
},
"allow_restricted_indices" : false
}
]
}
# access_role_2: documents with "condition" = "b", field "access_2" only.
POST /_security/role/access_role_2
{
"indices" : [
{
"names" : [
"test"
],
"privileges" : [
"read"
],
"query": "{\"match\": {\"condition\": \"b\"}}",
"field_security" : {
"grant" : [
"access_2"
],
"except" : [ ]
},
"allow_restricted_indices" : false
}
]
}
# Native-realm test users, one per role.
# NOTE(review): the roles assigned below are "role_access_1" / "role_access_2",
# while the role definitions on this page are named "access_role_1" /
# "access_role_2". Unless roles with the "role_access_*" names exist elsewhere,
# these users do not receive the document- and field-level restrictions defined
# above - confirm the intended names before relying on the test results.
# NOTE(review): both users share one short password that is written in clear
# text; treat it as a throwaway value for a local test cluster only.
POST _security/user/user_role_1
{
"password": "j@rV1s",
"roles": [
"role_access_1"
],
"full_name": "user_role_1",
"email": "[email protected]",
"metadata": {},
"enabled": true
}
POST _security/user/user_role_2
{
"password": "j@rV1s",
"roles": [
"role_access_2"
],
"full_name": "user_role_2",
"email": "[email protected]",
"metadata": {},
"enabled": true
}
- ADD data
# Two sample documents that differ only in "condition" ("a" vs "b").
# A role whose document-level filter is "condition" = "a" should see only
# document 1; one filtered on "b" should see only document 2.
PUT test/_doc/1
{
"condition": "a",
"access_1": "ok",
"access_2": "ok"
}
PUT test/_doc/2
{
"condition": "b",
"access_1": "ok",
"access_2": "ok"
}
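# Runs four searches against the "test" index as the two restricted users and
# pretty-prints each response with jq.
#
# The endpoint is plain HTTP on localhost, so the basic-auth credentials are
# sent unencrypted; keep this to a local test node.
# NOTE(review): the password is given inline with -u, which leaves it in shell
# history and in the process list while curl runs - acceptable only for a
# throwaway test account.
url='localhost:9200/test/_search'
echo test 1 : with user_role_1 user
# user_role_1 is only granted the access_1 field. A field hidden by field-level
# security is treated as if it does not exist, so a query on "condition"
# returns no hits rather than an authorization error.
curl -u user_role_1:j@rV1s -s --location --request GET "$url" \
--header 'Content-Type: application/json' \
--data-raw '{
"query": {
"match": {
"condition": "a"
}
}
}' | jq .
echo test 2 : with user_role_1 user
echo
# access_1 is a granted field, so this query works and _source contains only
# access_1.
# NOTE(review): if the role's document-level filter (condition = a) is in
# effect, only document 1 should be returned here - compare with the captured
# output to confirm the filter is actually applied.
curl -u user_role_1:j@rV1s -s --location --request GET "$url" \
--header 'Content-Type: application/json' \
--data-raw '{
"query": {
"match": {
"access_1": "ok"
}
}
}' | jq .
echo ========================================================================
echo test 3 : with user_role_2 user
# user_role_2 is only granted the access_2 field, so a query on "condition"
# returns no hits because that field is hidden from this user.
curl -u user_role_2:j@rV1s -s --location --request GET "$url" \
--header 'Content-Type: application/json' \
--data-raw '{
"query": {
"match": {
"condition": "a"
}
}
}' | jq .
echo test 4 : with user_role_2 user
echo
# access_2 is a granted field, so this query works and _source contains only
# access_2.
# NOTE(review): with the document-level filter (condition = b) in effect, only
# document 2 should be returned - confirm against the captured output.
curl -u user_role_2:j@rV1s -s --location --request GET "$url" \
--header 'Content-Type: application/json' \
--data-raw '{
"query": {
"match": {
"access_2": "ok"
}
}
}' | jq .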
test 1 : with user_role_1 user
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
test 2 : with user_role_1 user
{
"took": 2,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 2,
"relation": "eq"
},
"max_score": 0.18232156,
"hits": [
{
"_index": "test",
"_type": "_doc",
"_id": "1",
"_score": 0.18232156,
"_source": {
"access_1": "ok"
}
},
{
"_index": "test",
"_type": "_doc",
"_id": "2",
"_score": 0.18232156,
"_source": {
"access_1": "ok"
}
}
]
}
}
========================================================================
test 3 : with user_role_2 user
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
test 4 : with user_role_2 user
{
"took": 2,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 2,
"relation": "eq"
},
"max_score": 0.18232156,
"hits": [
{
"_index": "test",
"_type": "_doc",
"_id": "1",
"_score": 0.18232156,
"_source": {
"access_2": "ok"
}
},
{
"_index": "test",
"_type": "_doc",
"_id": "2",
"_score": 0.18232156,
"_source": {
"access_2": "ok"
}
}
]
}
}