Alias Filter with Template Search

I have an index pattern with documents that all have an owner field (owner_username). This field contains the ES username of the person who owns the document.

I'd like to set up a templated search alias, by which I mean I want a "user" alias that filters on the owner field such that each user when they view a given dashboard only sees their own documents through that particular alias.

I feel like it should be something like what I'm showing below, but this doesn't parse and I have not been able to figure out a syntax that does. I'm not against using a template script, but again, no luck figuring out the syntax. The closest I have come is in setting up an Application search, which actually returns the right documents, but I can't figure out how to get the alias filter to use it (there doesn't seem to be a way to do that). Has anyone done anything like this?

PUT /_alias/my-user-alias
{
  "actions": [
    {
      "update": {
        "index": "all-documents",
        "alias": "my-user-alias",
        "filter": {
            "source": {
              "term": {
                "owner_username.keyword": "{{_user.username}}"
              }
            }
        }
      }
    }
  ]
}

Welcome!

I think you are looking for this feature: Document level security | Elasticsearch Guide [8.13] | Elastic
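
For reference, the document level security feature linked above does accept the `{{_user.username}}` template from the question, but inside the index `query` of a role definition. This is an added example, not part of the thread; the role name is hypothetical, and the index and field names are the ones from the question:

```console
# Added example. The role name "owner-documents-reader" is hypothetical;
# "all-documents" and "owner_username.keyword" come from the question above.
PUT /_security/role/owner-documents-reader
{
  "indices": [
    {
      "names": [ "all-documents" ],
      "privileges": [ "read" ],
      "query": {
        "template": {
          "source": {
            "term": {
              "owner_username.keyword": "{{_user.username}}"
            }
          }
        }
      }
    }
  ]
}
```

The template is resolved against the authenticated user on each request. The restriction is attached to the role, so it applies wherever that role reads the index rather than to a single dashboard or alias.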

Thanks for the response.

Sorry, I failed to mention in my original post that we have that feature, yes. But the question is about using that feature to create a filtered alias using a search template. Document level security on its own is not sufficient for our purposes, specifically because it is Role-based. The trouble with this approach on its own is that we have users with multiple roles and the document level security doesn't resolve the role conflicts in a manner that works for us. I left that out of the original post to try to keep the question somewhat simple.

I can explain in more detail if you would like, but so far I haven't found this feature on its own to meet our needs sufficiently.

Seems like I can't edit the original post anymore, so here's a little clarification:

We have document level security, but because it is role-based it doesn't quite fit our needs on its own. What we need is something that filters based on the Dashboard they are looking at -- hence the idea of an Alias Filter. Each dashboard would point to a different filtered alias, and each alias would be filtered on a different field in the document.

A dashboard filter, you might say. Sure, but we'd need it to be partially immutable -- the part that filters to just their documents should not be changeable, but they should be able to filter on other dimensions (time, etc.). I looked and a partially immutable dashboard filter does not exist yet in ES/Kibana.

So here's the more detailed example:

We have multiple dashboards targeting various roles. I'll use two in this example, but there are more than this (5 or so), and each person might have as many as 3 or 4 roles.

One is a User Dashboard that shows info about a user's documents -- this would filter on the owner_username field. The second is a Site Manager Dashboard that shows info about documents created at a particular site. This would filter on the site_manager_username field.

It's important to note that each user can create documents at any site.

When I try to make this role-based (User role and Site Manager Role) using DLS, the role-based index filter on the Site field keeps the Site Manager (who has both the User and Site Manager roles) from seeing their documents that were created at any other site -- it's too restrictive.

The alternative I'm trying to pursue is that the Site Manager dashboard would point to the Site Manager filtered alias and the User dashboard would point to the User filtered alias. The dashboards are read-only, so they wouldn't be able to change the source of the data.