Error on field and document level security

I want to filter the server list for each user role based on the servers they are responsible for. During my research, I found that this can be done using "document level security".

I prepared the following JSON request to create a role in DevTools:

PUT _security/role/role_team_a
{
  "indices": [
    {
      "names": [ "metricbeat-*", "logs-*" ],
      "privileges": [ "read" ],
      "query": {
        "bool": {
          "filter": [
            { "terms": { "host.name.keyword": [ "server-1", "server-2" ] } }
          ]
        }
      }
    }
  ]
}

However, I received the following error:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "current license is non-compliant for [field and document level security]",
        "license.expired.feature": "field and document level security"
      }
    ],
    "type": "security_exception",
    "reason": "current license is non-compliant for [field and document level security]",
    "license.expired.feature": "field and document level security"
  },
  "status": 403
}

I have already enabled the following parameters in elasticsearch.yml:

xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

I use Elastic OSS (Open Source) v8.17.2. However, when I check the license, it says 'Basic edition' (GET _license):

{
  "license": {
    "status": "active",
    "uid": "820c6e65-4b4e-4707-a9d8-0067dc497a1e",
    "type": "basic",
    "issue_date": "2025-03-10T07:14:07.783Z",
    "issue_date_in_millis": 1741590847783,
    "max_nodes": 1000,
    "max_resource_units": null,
    "issued_to": "elasticsearch",
    "issuer": "elasticsearch",
    "start_date_in_millis": -1
  }
}

Please suggest a solution for this issue.

Hi @teeraw

Document Level Security requires a Platinum or Enterprise license (a commercial, paid license).
You can see this here

If you want to try the Dcoeu

Technically, you are using the Basic license version. If you want to learn more about the Open Source licensing, please read this

You can try the feature by enabling the Trial License, which I believe lasts for 30 days. If you want to use Document Level Security on an ongoing basis, you will need to purchase a license; you will need to reach out to sales if you want to do that.

Thank you @stephenb .
However, do you have any idea about grouping the servers that the logged-in user has permission to monitor on the OSS/Basic version? (This may be some workaround.)

The only other way would be if you had the name of the user or some group in the name of the index, like in the namespace of the data stream; then you would use it in the permissions.

But I would not recommend it as this is not a good approach and can lead to performance issues depending on the number of users/servers/indices.
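The naming-based workaround from the last reply, as an added example that is not part of the thread: it builds one index-pattern-only role body per team (no `query`, so no document level security license check) and models which data streams each role can read. The team names, the namespaces and the helper functions are hypothetical, and the wildcard matcher is a simplified model of Elasticsearch's `*` matching.

```python
import json
import re

# Constructed sample mapping (assumption): team -> data stream namespace.
# Agents on each team's servers must be configured to write to that namespace.
TEAM_NAMESPACES = {"team_a": "team_a", "team_b": "team_b"}
STREAM_TYPES = ("logs", "metrics")


def build_role(namespace):
    """Role body for PUT _security/role/<name>, restricted by index name only.

    It carries no "query" or "field_security" key, so it does not rely on
    field and document level security.
    """
    # Data stream names follow <type>-<dataset>-<namespace>; a '-' or '*' in
    # the namespace would make the pattern ambiguous or far too broad.
    if not re.fullmatch(r"[a-z0-9_.]+", namespace):
        raise ValueError(f"unsafe namespace: {namespace!r}")
    return {
        "indices": [
            {
                "names": [f"{t}-*-{namespace}" for t in STREAM_TYPES],
                "privileges": ["read"],
            }
        ]
    }


def pattern_matches(pattern, name):
    """Simplified model of '*' wildcard matching on index names."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def role_can_read(role, name):
    """True if any index pattern in the role covers the given stream name."""
    return any(
        pattern_matches(p, name) for entry in role["indices"] for p in entry["names"]
    )


if __name__ == "__main__":
    # Print console-style requests that could be pasted into DevTools.
    for team, ns in TEAM_NAMESPACES.items():
        print(f"PUT _security/role/role_{team}")
        print(json.dumps(build_role(ns), indent=2))
```

Isolation here depends entirely on each team's servers writing to their own namespace; a shared pattern such as `metricbeat-*` from the original request would match every team's data.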