From 543bff618c48e483b41ed6504bbef21b0d5ec5a5 Mon Sep 17 00:00:00 2001 From: alicejw Date: Fri, 29 Apr 2022 16:46:06 -0700 Subject: [PATCH] for evaluation mode table Signed-off-by: alicejw --- .../access-control/document-level-security.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/_security-plugin/access-control/document-level-security.md b/_security-plugin/access-control/document-level-security.md index ae03a7a9..4c598fc8 100644 --- a/_security-plugin/access-control/document-level-security.md +++ b/_security-plugin/access-control/document-level-security.md @@ -130,20 +130,28 @@ You can perform term-level lookup queries (TLQs) with Document-level security us To learn more about OpenSearch queries, see [Term-level queries](https://opensearch.org/docs/latest/opensearch/query-dsl/term/). + + ### Lucene-level DLS mode Lucene-level mode modifies Lucene queries and data structures directly to implement DLS. This is the most efficient mode but does not allow certain advanced constructs in DLS queries, including TLQs. ### Filter-level DLS mode -OpenSearch automatically applies DLS when it receives modifying queries. This allows for term-level lookup queries in DLS queries, but you can only use the`get`, `search`, `mget`, and `msearch` operations to retrieve data from the protected index. Additionally, cross-cluster searches are limited with this mode. +OpenSearch automatically applies DLS when it receives modifying queries. This allows for term-level lookup queries in DLS queries, but you can only use the `get`, `search`, `mget`, and `msearch` operations to retrieve data from the protected index. Additionally, cross-cluster searches are limited with this mode. -#### How to set the DLS evaluation mode in opensearch.yml +### How to set the DLS evaluation mode in `opensearch.yml` -By default, the DLS evaluation mode is set to `adaptive`. You can also explicitly set the mode in `opensearch.yml`. Add a line to `opensearch.yml` in the following format: +By default, the DLS evaluation mode is set to `adaptive`. You can also explicitly set the mode in `opensearch.yml`with the `plugins.ssecurity.dls.mode:` setting. Add a line to `opensearch.yml` with the desired evaluation mode. +For example, to set it to filter level, add this line: ``` -plugins.security.dls.mode: +plugins.security.dls.mode: filter-level ``` -- **lucene-level** - This setting makes all DLS queries apply to the Lucene level. -- **filter-level** - This setting makes all DLS queries apply to the filter level. -- **adaptive** - The default setting that allows OpenSearch to automatically choose the mode. DLS queries without TLQ are executed on Lucene level, while DLS queries that contain TLQ are executed on filter level. + +#### DLS Evaluation modes + +Evaluation mode | Parameter | Description +:--- | :--- | :--- +Lucene level | `lucene-level` | This setting makes all DLS queries apply to the Lucene level. +Filter level | `filter-level` | This setting makes all DLS queries apply to the filter level. +Lucene level | `adaptive-level` | The default setting that allows OpenSearch to automatically choose the mode. DLS queries without TLQ are executed on Lucene level, while DLS queries that contain TLQ are executed on filter level.