ABAC / Custom Realm / Extend JWT authentication


Currently, I'm trying to evaluate the best solution for a customer project.

Some facts about the project environment:

  • User authentication with OIDC/JWT is available.
  • It is not possible to extend the JWT with custom claims.
  • ABAC is required.
  • To implement ABAC, the attribute values will be fetched from a third-party system.
  • There's a desire to use roles with index privileges/granted documents query.
    -- There will be multiple indices with different content but the same ABAC logic, so using roles seems logical.

My initial idea was to create a plugin that extends the JwtRealm and additionally adds the values needed for ABAC to the user's metadata. These values would be transmitted via a custom HTTP header, such as "X-Access-Ids" or something similar.

I set up a small gradle-based project and added the following dependencies:

implementation 'org.elasticsearch:elasticsearch:8.10.2'
implementation group: 'org.elasticsearch.plugin', name: 'x-pack-core', version: '8.10.2'

Unfortunately, it's not possible to extend from the JwtRealm class because the class isn't available within x-pack-core package.

My next idea is to use the JwtRealm and delegate the authorization to a CustomRealm. The CustomRealm would only read the "X-Access-Ids" header and an "X-User-Id" header. With the X-User-Id value, I believe it should be possible to fetch the user. Is this accurate? How can I access the currently signed-in user? I've examined the code, but it appears that each realm implementation has its unique approach. Is there documentation on how to retrieve the user?

The third idea is to bypass the roles/Granted documents query logic and create a search template with filters to implement ABAC.

I would appreciate any insights or feedback on my thoughts.

Thank you,


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.