I'm trying to use the list of roles associated with an LDAP user as a DLS security option. Currently we mark logs with tags upstream, and I'm trying to use the template that's in your docs. I have gotten certain things to match, such as _user.username or _user.metadata.cn, when I passed the data through, but I believe this has something to do with roles being an array.
roles.yml
engineer_user:
  cluster: [ ]
  indices:
    - names: [ 'engineer-*' ]
      privileges: [ 'read' ]
      query: '{
        "template": {
          "source": {
            "term": { "tags.keyword": "{{_user.roles}}" }
          }
        }
      }'
And here is my associated user:
{
  "username" : "test",
  "roles" : [
    "kibana_user",
    "engineer_user",
    "Engineering-SysOps",
    "Engineering-jenkins-ci-users"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "ldap_dn" : "uid=test,ou=Users",
    "ldap_groups" : [
      "cn=Engineering-misc-vpn,ou=Users"
    ]
  },
  "enabled" : true
}
And finally, a document that should be returned:
{
  "_index": "engineer-2017.11.10",
  "_type": "doc",
  "_id": "AV-nWAXqJXNbdGXr7alm",
  "_score": 2.4451666,
  "_source": {
    "input_type": "log",
    "pid": "32539",
    "source": "/var/log/test.log",
    "message": "REDACTED",
    "type": "log",
    "tags": [ "Engineering-SysOps" ],
    "hostname": "ip-10-10-1-232",
    "@timestamp": "2017-11-10T19:11:22.577Z",
    "beat": {
      "hostname": "ip-10-10-1-232"
    },
    "Level": "DEBUG",
    "time_of_event": "2017-11-10T19:11:22.407085+00:00"
  }
}
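As an added example (not part of the post above, and not Elastic's code), the script below models what the role query has to express: a document is visible when any of its `tags` values is one of the user's roles. That is a `terms` clause over the whole roles array, which is what the `toJson` Mustache function documented for Elasticsearch templates produces; a `term` clause compares one exact string, so no single rendering of a four-element array can equal the tag `Engineering-SysOps`. The rendering step here is a deliberately minimal stand-in for Mustache (a plain substitution of the one `toJson` expression, an assumption for the sake of running offline), and the user and documents are constructed from the shapes shown in the post. Check the exact template syntax against the Elasticsearch version you run.

```python
import json
from typing import Any, Dict, List

# Constructed sample data, trimmed to the fields the DLS query touches.
USER: Dict[str, Any] = {
    "username": "test",
    "roles": [
        "kibana_user",
        "engineer_user",
        "Engineering-SysOps",
        "Engineering-jenkins-ci-users",
    ],
}

DOCS: List[Dict[str, Any]] = [
    {"_id": "doc-sysops", "tags": ["Engineering-SysOps"]},          # tag is one of the user's roles
    {"_id": "doc-misc", "tags": ["Engineering-misc-vpn"]},           # LDAP group, but not a role
    {"_id": "doc-untagged", "tags": []},                             # nothing to match on
    {"_id": "doc-mixed", "tags": ["Finance", "Engineering-jenkins-ci-users"]},  # one matching tag suffices
]

# Query source using a `terms` clause fed by toJson over the roles array.
# This is the shape to put under `query:` in roles.yml in place of the
# scalar "{{_user.roles}}" term query from the post.
TEMPLATE_SOURCE = '{ "terms": { "tags.keyword": {{#toJson}}_user.roles{{/toJson}} } }'


def render_template(source: str, user: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the Mustache step (assumption: only the one toJson expression
    needs substituting). Real Elasticsearch rendering is done server-side."""
    rendered = source.replace(
        "{{#toJson}}_user.roles{{/toJson}}", json.dumps(user["roles"])
    )
    return json.loads(rendered)


def field_values(doc: Dict[str, Any], field: str) -> List[str]:
    """Resolve a field name to the document's values; `.keyword` is a multi-field
    over the same source value, so strip the suffix before lookup."""
    base = field[: -len(".keyword")] if field.endswith(".keyword") else field
    value = doc.get(base, [])
    return value if isinstance(value, list) else [value]


def matches(query: Dict[str, Any], doc: Dict[str, Any]) -> bool:
    """Evaluate a single `term` or `terms` clause against one document."""
    if "terms" in query:
        (field, wanted), = query["terms"].items()
        return bool(set(field_values(doc, field)) & set(wanted))
    if "term" in query:
        (field, wanted), = query["term"].items()
        return wanted in field_values(doc, field)
    raise ValueError("only term/terms clauses are modelled here")


def visible_ids(user: Dict[str, Any], docs: List[Dict[str, Any]]) -> List[str]:
    """IDs the user would see under the terms-based DLS query."""
    query = render_template(TEMPLATE_SOURCE, user)
    return [d["_id"] for d in docs if matches(query, d)]


def term_with_whole_array_matches(user: Dict[str, Any], doc: Dict[str, Any]) -> bool:
    """Whatever single string the array collapses to, a `term` clause compares it
    as one exact value, so it cannot equal an individual tag."""
    collapsed = json.dumps(user["roles"])  # any scalar rendering behaves the same way
    return matches({"term": {"tags.keyword": collapsed}}, doc)


if __name__ == "__main__":
    print(render_template(TEMPLATE_SOURCE, USER))
    print(visible_ids(USER, DOCS))
```

The `doc-misc` case is the one to watch in practice: `Engineering-misc-vpn` appears under `_user.metadata.ldap_groups`, not under `_user.roles`, so a query keyed on roles will not show it; if group membership rather than mapped roles is the intended authorization signal, the template should reference the metadata array instead.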