Briefly, this error occurs when a user tries to profile a search request while document level security is enabled. Document level security restricts access to certain documents within an index, and profiling such requests can lead to security issues. To resolve this, you can disable profiling for the search request or disable document level security if it’s not necessary. However, be aware that disabling document level security might expose sensitive data to unauthorized users. Always consider the security implications before making changes.
This guide will help you check for common problems that cause the log ” A search request cannot be profiled if document level security ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, search, document, request.
Overview
Search refers to the searching of documents in an index or multiple indices. The simple search is just a GET API request to the _search endpoint. The search query can either be provided in query string or through a request body.
Examples
When looking for any documents in this index, if search parameters are not provided, every document is a hit and by default 10 hits will be returned.
GET my_documents/_search
A JSON object is returned in response to a search query. A 200 response code means the request was completed successfully.
{ "took" : 1, "timed_out" : false, "_shards" : { "total" : 2, "successful" : 2, "failed" : 0 }, "hits" : { "total" : 2, "max_score" : 1.0, "hits" : [ ... ] } }
Notes and good things to know
- Distributed search is challenging and every shard of the index needs to be searched for hits, and then those hits are combined into a single sorted list as a final result.
- There are two phases of search: the query phase and the fetch phase.
- In the query phase, the query is executed on each shard locally and top hits are returned to the coordinating node. The coordinating node merges the results and creates a global sorted list.
- In the fetch phase, the coordinating node brings the actual documents for those hit IDs and returns them to the requesting client.
- A coordinating node needs enough memory and CPU in order to handle the fetch phase.
Document in Elasticsearch
What is an Elasticsearch document?
While an SQL database has rows of data stored in tables, Elasticsearch stores data as multiple documents inside an index. This is where the analogy must end however, since the way that Elasticsearch treats documents and indices differs significantly from a relational database.
For example, documents could be:
- Products in an e-commerce index
- Log lines in a data logging application
- Invoice lines in an invoicing system
Document fields
Each document is essentially a JSON structure, which is ultimately considered to be a series of key:value pairs. These pairs are then indexed in a way that is determined by the document mapping. The mapping defines the field data type as text, keyword, float, time, geo point or various other data types.
Elasticsearch documents are described as schema-less because Elasticsearch does not require us to pre-define the index field structure, nor does it require all documents in an index to have the same structure. However, once a field is mapped to a given data type, then all documents in the index must maintain that same mapping type.
Each field can also be mapped in more than one way in the index. This can be useful because we may want a keyword structure for aggregations, and at the same time be able to keep an analysed data structure which enables us to carry out full text searches for individual words in the field.
For a full discussion on mapping please see here.
Document source
An Elasticsearch document _source consists of the original JSON source data before it is indexed. This data is retrieved when fetched by a search query.
Document metadata
Each document is also associated with metadata, the most important items being:
_index – The index where the document is stored
_id – The unique ID which identifies the document in the index
Documents and index architecture
Note that different applications could consider a “document” to be a different thing. For example, in an invoicing system, we could have an architecture which stores invoices as documents (1 document per invoice), or we could have an index structure which stores multiple documents as “invoice lines” for each invoice. The choice would depend on how we want to store, map and query the data.
Examples:
Creating a document in the user’s index:
POST /users/_doc { "name" : "Petey", "lastname" : "Cruiser", "email" : "petey@gmail.com" }
In the above request, we haven’t mentioned an ID for the document so the index operation generates a unique ID for the document. Here _doc is the type of document.
POST /users/_doc/1 { "name" : "Petey", "lastname" : "Cruiser", "email" : "petey@gmail.com" }
In the above query, the document will be created with ID 1.
You can use the below ‘GET’ query to get a document from the index using ID:
GET /users/_doc/1
Below is the result, which contains the document (in _source field) as metadata:
{ "_index": "users", "_type": "_doc", "_id": "1", "_version": 1, "_seq_no": 1, "_primary_term": 1, "found": true, "_source": { "name": "Petey", "lastname": "Cruiser", "email": "petey@gmail.com" } }
Notes
Starting version 7.0 types are deprecated, so for backward compatibility on version 7.x all docs are under type ‘_doc’, starting 8.x type will be completely removed from ES APIs.
Log Context
Log “A search request cannot be profiled if document level security” class name is SearchRequestInterceptor.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :
if (indexAccessControlByIndex.values().stream().anyMatch(iac -> iac.getDocumentPermissions().hasDocumentLevelPermissions())) { if (source != null && source.suggest() != null) { listener.onFailure(new ElasticsearchSecurityException("Suggest isn't supported if document level security is enabled"; RestStatus.BAD_REQUEST)); } else if (source != null && source.profile()) { listener.onFailure(new ElasticsearchSecurityException("A search request cannot be profiled if document level security " + "is enabled"; RestStatus.BAD_REQUEST)); } else { listener.onResponse(null); } } else {