Custom Realm create roles dynamically using an external microservice for document level security

Hello everyone.

I'm trying to implement a custom role provider that each time the user is logged in, I can be able to create the role(s) for this particular user using an external http microservice that based on the username I will retrieve the rolename(s) that he is assigned and the index privileges for each one of them, including document level security filtering.

The idea is to construct this role in realtime and not having it saved in elasticsearch.

This is shown in this blog article but the link to the .zip file is broken, so I can't get a full working example.

My questions specifically are:

  • can this be done in current versions of elasticsearch?
  • Should I do this implementing the implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> interface? or extending a Realm?
  • Will the roles be fetched each time the user authenticates? if that's so, is there some way to implement a caching BiConsumer interface similar to the CachingUsernamePasswordRealm class?

That blog post is indeed a little old. Take a look at this sample plugin:

Also keep the caching realm in mind:

Hope that helps!

I've seen that AuthorizationEngine before, but my question remains: is it possible to apply Document Level Security using this approach? I know that creating the roles dynamically will allow me to do this, but this AuthorizationEngine I'm not so sure if I can get that level of granularity to grant access or not. For what I understand here is that the AuthorizationEngine is for index level security only, if it is possible, it's there a way to avoid fetching from the rest microservice for every request using some Cache in this AuthorizationEngine?

You most likely don't want implement your own AuthorizationEngine. It's really for people who wants to almost completely overridde Elasticsearch's authorization model. Based on my reading, I think your use case is not like that.

Your use case can certainly be implemented with current versions (7.x) of elasticsearch. Elasticsearch has separate steps for authentication and authorization. If you don't need a different authentication mechanism, you don't need implementing your own Realm. Implementing SecurityExtenstion#getRolesProviders is the way to go (just ignore the realm part of the example).

However, authorization only resolves the role names to actual definitions (as can be seen in the above method signature). It does not resolve the role names for the user, which is done at authentication time. So if you need to control this process, you will then need a Realm.

Roles are cached after they are built from the names. This happens automatically and you don't need actively do anything about it. But since the role definitions are fetched from an external service, this means Elasticsearch will not be aware of any role definition changes and hence will keep using the same cached role.In this, you need manually clear the roles cache so that it fetches again from the external service.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.