Automatically create role based on index

sthomps · September 16, 2019, 3:48pm

Hi,

In my setup I'll be creating indexes where the index is the id = an associated group of applications.
This id will be in an LDAP tree where the user has access to a # of id's.

Is there a way to automatically setup/create an READ only index role when a new index is created in ES?

ikakavas · September 25, 2019, 9:38am

Apologies, but I'm not sure I follow this. Could you try to elaborate or add a more concrete example ?

If you mean internally to elasticsearch, no. There is no functionality to trigger role creation based on index creation and there is no template option for roles that would take into consideration the index name. One possibility might be to have a watch with a short trigger that would perform a search as input and then use the webhook action to call the Create Role API to add the role you want. I haven't done something similar before but it looks possible.

sthomps · September 25, 2019, 4:33pm

As an example:

elasticsearch indexes = [1,2,3]

LDAP
Search Base: ou=groups,dc=com
Search Filter: (member=cn=sthomps,ou=users,dc=com)

LDAP Results
cn=1,dc=com
cn=2,dc=com

The user will be authenticated via SAML but authorized via LDAP. When they login, they should only be able to view indexes: 1 & 2 - not 3.

Yogesh_Gaikwad · September 26, 2019, 1:25pm

Hi @sthomps,

I think you could achieve your use case by implementing a custom role provider and having a role mapping configured to use role templates.

First, you need to use the role mapping API to assign roles to the user.
Here you can use the role-template which can make use of the user fields and generate the role names dynamically.
For more details check:
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role-mapping.html#_role_templates
In your case, the role template could generate based on cn the role names like 1-read, 2-read
Then you need to write a security extension and implement a custom role provider.
This allows you to define what the role is. The role names you would receive would be the ones generated dynamically as mentioned above.
https://www.elastic.co/guide/en/elastic-stack-overview/7.x/custom-roles-authorization.html#implementing-custom-roles-provider
For example, the role descriptor that you generate for a user having roles 1-read, 2-read as

{
  "indices": [
    {
      "names": [ "1", "2" ],
      "privileges": [ "read" ]
    }
  ]
}

You can check out the blog on how to write a custom extension and a custom role provider

Hope this helps.

system · October 24, 2019, 1:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Role that would allow a user to create index in ES Elasticsearch elastic-stack-security	5	3662	June 28, 2021
Elasticsearch put role API Elasticsearch	2	353	August 19, 2020
Dynamic user-authorization Elastic Search	2	15	November 1, 2024
Securing data by creating AD roles Elasticsearch	1	387	January 8, 2018
Elastic privilege to create index Elasticsearch elastic-stack-security	2	378	April 15, 2020

Automatically create role based on index

Related topics