Hello. I am considering to use document level security for one big index or to use multiple indexes with index-level security.
So either:
winlogbeat-YYYY.MM.DD containing millions of documents, index size more than 100 GB and set document level security so ROLE1 can see documents which contains server name SERVER1
Or multiple indexes:
group1-winlogbeat-YYYY.MM.DD with smaller size and security set just per index pattern, so ROLE1 can see group1-winlogbeat-* indexes.
It is obvious multiple indexes security will be faster. But how much? How big is document level security performance impact for large index?
if you want to have concrete numbers for your scenario I think the best you can do is measure it with a benchmark. You can use any load testing tool to model the scenarios that you are interested in like JMeter, ... . At Elastic we build and use Rally for such things which is specifically geared towards benchmarking Elasticsearch (Disclaimer: I work for Elastic and I am the main author of Rally).
I do not need concrete numbers. I just need to know if it is no performance impact or +- 10-20% performance impact. Because if there is some considerable performance impact we will use multiple indexes, if there is no or almost none performance impact, so there is no reason to use multiple indexes.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.