Role uses document and/or field level security; which is not enabled by the current license – How to solve related issues

Opster Team

Jan-20, Version: 1.7-8.0

Before you begin reading this guide, we recommend you run Elasticsearch Error Check-Up which analyzes 2 JSON files to detect many errors.

To easily locate the root cause and resolve this issue try AutoOps for Elasticsearch & OpenSearch. It diagnoses problems by analyzing hundreds of metrics collected by a lightweight agent and offers guidance for resolving them.

This guide will help you check for common problems that cause the log ” Role uses document and/or field level security; which is not enabled by the current license ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: discovery-file, document, license, plugin and rest-high-level.

 
 

discovery-file

 
 

document

Document in Elasticsearch

What is an Elasticsearch document?

While an SQL database has rows of data stored in tables, Elasticsearch stores data as multiple documents inside an index. This is where the analogy must end however, since the way that Elasticsearch treats documents and indices differs significantly from a relational database.

For example, documents could be:

  • Products in an e-commerce index
  • Log lines in a data logging application
  • Invoice lines in an invoicing system

Document fields

Each document is essentially a JSON structure, which is ultimately considered to be a series of key:value pairs. These pairs are then indexed in a way that is determined by the document mapping. The mapping defines the field data type as text, keyword, float, time, geo point or various other data types.

Elasticsearch documents are described as schema-less because Elasticsearch does not require us to pre-define the index field structure, nor does it require all documents in an index to have the same structure. However, once a field is mapped to a given data type, then all documents in the index must maintain that same mapping type.

Each field can also be mapped in more than one way in the index. This can be useful because we may want a keyword structure for aggregations, and at the same time be able to keep an analysed data structure which enables us to carry out full text searches for individual words in the field.

For a full discussion on mapping please see here.

Document source

An Elasticsearch document _source consists of the original JSON source data before it is indexed. This data is retrieved when fetched by a search query.

Document metadata

Each document is also associated with metadata, the most important items being:

_index – The index where the document is stored

_id – The unique ID which identifies the document in the index

Documents and index architecture

Note that different applications could consider  a “document” to be a different thing.  For example, in an invoicing system, we could have an architecture which stores invoices as documents (1 document per invoice),  or we could have an index structure which stores multiple documents as “invoice lines” for each invoice. The choice would depend on how we want to store, map and query the data.

Examples:

Creating a document in the user’s index:

POST  /users/_doc 
{
    "name" : "Petey",
    "lastname" : "Cruiser",
    "email" : "petey@gmail.com"
}

In the above request, we haven’t mentioned an ID for the document so the index operation generates a unique ID for the document. Here _doc is the type of document.

POST  /users/_doc/1
{
    "name" : "Petey",
    "lastname" : "Cruiser",
    "email" : "petey@gmail.com"
}

In the above query, the document will be created with ID 1.

You can use the below ‘GET’ query to get a document from the index using ID:

GET  /users/_doc/1

Below is the result, which contains the document (in _source field) as metadata:

{
    "_index": "users",
    "_type": "_doc",
    "_id": "1",
    "_version": 1,    "_seq_no": 1,    "_primary_term": 1,
    "found": true,
    "_source": {
        "name": "Petey",
        "lastname": "Cruiser",
        "email": "petey@gmail.com"
    }
}

Notes

Starting version 7.0 types are deprecated, so for backward compatibility on version 7.x all docs are under type ‘_doc’, starting 8.x type will be completely removed from ES APIs.

 
 

license

Log Context

Log “Role [{}] uses document and/or field level security; which is not enabled by the current license” classname is FileRolesStore.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

                     if (descriptor != null) {
                        if (ReservedRolesStore.isReserved(descriptor.getName())) {
                            logger.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored";
                                    descriptor.getName());
                        } else if (flsDlsLicensed == false && descriptor.isUsingDocumentOrFieldLevelSecurity()) {
                            logger.warn("role [{}] uses document and/or field level security; which is not enabled by the current license" +
                                    ". this role will be ignored"; descriptor.getName());
                            // we still put the role in the map to avoid unnecessary negative lookups
                            roles.put(descriptor.getName(); descriptor);
                        } else {
                            roles.put(descriptor.getName(); descriptor);

 

How useful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Analyze your cluster & get personalized recommendations

Analyze Your Cluster

Related Articles

Back to all articles
Skip to content