Document Level Security: Query indices with and without ACL index in parallel by a single API key

Hi,

I am investigating the new Document Level Security feature in combination with Search Applications.

Leverage document-level security from connectors in Search Applications | Enterprise Search documentation [8.10] | Elastic

I am planning to query multiple indices. Some indices have content which should only be available to specific users and groups. We plan to use the ACL-indices for them. But some indices have content which is open and available to all users (e.g. crawled content). We don't have ACL indices for them.

I've found out that it is possible to create an API key via POST /_security/api_key which can combine multiple indices with DLS based on their specific ALC indices.

But can I create an API key which also includes indices which are "open" and don't have an ACL index?

So the single API key should grant access to both: indices with and without ACL indices.

Best regards

Sebastian

Hi @sebastianboelling :

You can create an API key with both DLS and non-DLS indices in mind:

POST /_security/api_key
{
  "name": "my-api-key",
  "role_descriptors": {
    "role": {
      "index": [
        {
          "names": [
            "restricted-indices-*"
            ],
            "privileges": [
              "read"
              ],
              "query": {
                "template": {
                  "params": {
                    "access_control": [
                      "john@example.co",
                      "Engineering Members"
                      ]
                  },
                  "source": """
                  {
                    "bool": {
                      "filter": {
                        "bool": {
                          "should": [
                            {
                              "bool": {
                                "must_not": {
                                  "exists": {
                                    "field": "_allow_access_control"
                                  }
                                }
                              }
                            },
                            {
                              "terms": {
                                "_allow_access_control.enum": {
                                  {
                                    #
                                    toJson
                                  }
                                }
                                access_control
                                {
                                  {
                                    /toJson
                                  }
                                }
                              }
                            }
                            ]
                        }
                      }
                    }
                  }
                  """
                }
              }
        },
        {
          "names": [
            "public-indices-*"
            ],
            "privileges": [
              "read"
              ]
        }
        ],
        "restriction": {
          "workflows": [
            "search_application_query"
            ]
        }
    }
  }
}

You can see that different indices can have different security level.

You could as well create separate role descriptors for public and restricted content instead of having a single role with both index types - it's up to you for organizing indices into separate roles or combine them in a single role.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.