Document-level security (DLS)

Document-level security uses the OpenSearch query DSL to define which documents a role grants access to. In OpenSearch Dashboards, choose an index pattern and provide a query in the Document level security section:

This query specifies that for the role to have access to a document, its genres field must include Comedy.

A typical request to the _search API includes { "query": { ... } } around the query, but in this case, you only need to specify the query itself.

In the REST API, you provide the query as a string, so you must escape your quotes. This role allows a user to read any document in any index with the field public set to true:

  1. PUT _plugins/_security/api/roles/public_data
  2. {
  3.   "cluster_permissions": [
  4.     "*"
  5.   "index_permissions": [{
  6.     "index_patterns": [
  7.       "pub*"
  8.     ],
  9.     "dls": "{\"term\": { \"public\": true}}",
  10.     "allowed_actions": [
  11.       "read"
  12.     ]
  13.   }]
  14. }

Due to word boundaries associated with Unicode special characters, the Unicode standard analyzer cannot index a value as a whole value when it includes one of these special characters. As a result, a text field value that includes a special character is parsed by the standard analyzer as multiple values separated by the special character, effectively tokenizing the different elements on either side of it. This can lead to unintentional filtering of documents and potentially compromise control over their access.

The examples below illustrate values containing special characters that will be parsed improperly by the standard analyzer. In this example, the existence of the hyphen/minus sign in the value prevents the analyzer from distinguishing between the two different users for user.id and interprets them as one and the same:

  2.   "bool": {
  3.     "must": {
  4.         "user.id": "User-2"
  5.       }
  6.     }
  7.   }
  8. }

To avoid this circumstance when using either Query DSL or the REST API, you can use a custom analyzer or map the field as keyword, which performs an exact-match search. See Keyword field type for the latter option.

For a list of characters that should be avoided when field type is text, see .

A number of variables exist that you can use to enforce rules based on the properties of a user. For example, ${user.name} is replaced with the name of the current user.

This table lists substitutions.

You can use roles and parameter substitution with the query to enable attribute-based security.

User definition

  1. PUT _plugins/_security/api/internalusers/user1
  2. {
  3.   "password": "asdf",
  4.   "backend_roles": ["abac"],
  5.   "attributes": {
  6.     "permissions": "\"att1\", \"att2\", \"att3\""
  7.   }
  8. }

Role definition

You can perform term-level lookup queries (TLQs) with document-level security (DLS) using either of two modes: adaptive or filter level. The default mode is adaptive, where OpenSearch automatically switches between Lucene-level or filter-level mode depending on whether or not there is a TLQ. DLS queries without TLQs are executed in Lucene-level mode, whereas DLS queries with TLQs are executed in filter-level mode.

By default, the Security plugin detects if a DLS query contains a TLQ or not and chooses the appropriate mode automatically at runtime.

How to set the DLS evaluation mode in opensearch.yml

By default, the DLS evaluation mode is set to adaptive. You can also explicitly set the mode in opensearch.yml with the plugins.security.dls.mode setting. Add a line to opensearch.yml with the desired evaluation mode. For example, to set it to filter level, add this line:

    DLS evaluation modes

    Evaluation modeParameterDescriptionUsage
    Lucene-level DLSlucene-levelThis setting makes all DLS queries apply to the Lucene level.Lucene-level DLS modifies Lucene queries and data structures directly. This is the most efficient mode but does not allow certain advanced constructs in DLS queries, including TLQs.
    Filter-level DLSfilter-levelThis setting makes all DLS queries apply to the filter level.In this mode, OpenSearch applies DLS by modifying queries that OpenSearch receives. This allows for term-level lookup queries in DLS queries, but you can only use the get, search, mget, and msearch operations to retrieve data from the protected index. Additionally, cross-cluster searches are limited with this mode.
    AdaptiveThe default setting that allows OpenSearch to automatically choose the mode.DLS queries without TLQs are executed in Lucene-level mode, while DLS queries that contain TLQ are executed in filter- level mode.