[BUG] Role with Document-level security (DLS) masks more generic permissions #3773
Description
What is the bug?
When a user has 2 roles, one that permits him to read all documents of an index and one that restricts the permissions to certain documents via DLS, he only has access to the documents meeting the DLS criteria.
I noticed this because, even though my user has the all_access role, he was not able to see a lot of documents.
The reason was that, via a backend_role, my user also had a role that limited the access via DLS.
Only after creating another role with the DLS `{ "match_all": {} }`, and adding this role to my user, was I able to see the documents again.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Create the role:

```yaml
myrole:
  index_permissions:
    - index_patterns:
        - "myindex-*"
      dls: "{\"terms\": { \"myfield.keyword\": [\"nonexistincvalue\"]}}"
      allowed_actions:
        - search
```

- Give this role to a user that already has the all_access role.
- With this user, search for any documents: `GET myindex-*/_search`. Even though the index contains some documents and the user has the all_access role, the search returns no results.
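The steps above as a small reproduction harness. This is an added example, not code from the issue or from the security plugin; it assumes the OpenSearch Security REST API paths for roles and role mappings, and takes the cluster URL, admin credentials and the test user's credentials from the caller. The payload builders run offline; `reproduce()` needs a live test cluster.

```python
"""Reproduce the DLS-masking report: compare what a user who already has
all_access can search before and after the DLS-restricted role is mapped to him.
Cluster URL, credentials and user name are caller-supplied assumptions."""
import base64
import json
import urllib.request

INDEX_PATTERN = "myindex-*"                                              # from the report
RESTRICTIVE_DLS = {"terms": {"myfield.keyword": ["nonexistincvalue"]}}  # from the report
OPEN_DLS = {"match_all": {}}                                             # the reporter's workaround


def role_payload(dls):
    """Body for PUT _plugins/_security/api/roles/<name>. The dls field is a JSON
    *string*, so json.dumps yields the escaped form the report writes by hand."""
    perm = {"index_patterns": [INDEX_PATTERN], "allowed_actions": ["search"]}
    if dls is not None:
        perm["dls"] = json.dumps(dls)
    return {"index_permissions": [perm]}


def mapping_payload(user):
    """Body for PUT _plugins/_security/api/rolesmapping/<role>."""
    return {"users": [user]}


def _call(base, path, method, body, user, password):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def hits_visible_to(base, user, password):
    """Step 3 of the report: how many documents this user can search."""
    out = _call(base, f"/{INDEX_PATTERN}/_search?size=0", "GET", None, user, password)
    return out["hits"]["total"]["value"]


def reproduce(base, admin, admin_pw, user, user_pw, role="myrole", dls=RESTRICTIVE_DLS):
    """Returns (hits before mapping the role, hits after). The bug is present when
    after < before; pass dls=OPEN_DLS to check the workaround role restores access."""
    before = hits_visible_to(base, user, user_pw)
    _call(base, f"/_plugins/_security/api/roles/{role}", "PUT", role_payload(dls), admin, admin_pw)
    _call(base, f"/_plugins/_security/api/rolesmapping/{role}", "PUT", mapping_payload(user), admin, admin_pw)
    after = hits_visible_to(base, user, user_pw)
    return before, after
```

Against a cluster using the demo self-signed certificate, pass an `ssl` context to `urlopen` or run it over a trusted endpoint.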
What is the expected behavior?
I expected the permissions to be additive and not to lose permissions when getting an additional role.