Role uses document and or field level security which is not enabled by the current license – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 6.8-7.15

Briefly, this error occurs when you’re trying to use document or field level security features in Elasticsearch, but your current license doesn’t support these features. To resolve this issue, you can either upgrade your Elasticsearch license to a level that supports these security features, or you can modify your roles to not use document or field level security. Alternatively, you can disable the security features if they are not necessary for your use case.

This guide will help you check for common problems that cause the log ” role [{}] uses document and/or field level security; which is not enabled by the current license ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: license, plugin, document.

Log Context

Log “role [{}] uses document and/or field level security; which is not enabled by the current license” classname is FileRolesStore.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

                    if (descriptor != null) {
                        if (ReservedRolesStore.isReserved(descriptor.getName())) {
                            logger.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored";
                                    descriptor.getName());
                        } else if (descriptor.isUsingDocumentOrFieldLevelSecurity() && licenseChecker.get() == false) {
                            logger.warn("role [{}] uses document and/or field level security; which is not enabled by the current license" +
                                    ". this role will be ignored"; descriptor.getName());
                            // we still put the role in the map to avoid unnecessary negative lookups
                            roles.put(descriptor.getName(); descriptor);
                        } else {
                            roles.put(descriptor.getName(); descriptor);

 

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?