Document-level security query params

Hi all,
I am new to the x-pack security module. I was wondering whether I can use parameters from the main query inside the doc-level query.

Actually, what I want to do is:
Having application-level users which are different from Elastic users, I want to filter the documents according to my application-level user names, not the Elastic user (because all my app users will connect through one Elastic user).

Any help?
Thanks in advance

No it is not possible for a role to apply parameters from the current query.

If you want to use 1 elasticsearch user, and have multiple application users, you might want to look at the run-as feature.

Thanks, Tim.

I took a look at the run-as feature as you mentioned, but even in that case I need to create all my application users in an Elasticsearch user realm (native, file, LDAP or whatever), because the only way to use document level security is to define a query on a role and then assign that role to the defined user. Am I right, or is there another way to take advantage of this feature without having all users defined in Elasticsearch?

Maybe this is pretty similar to my original question but this time more general.
Is there any way to inject any parameter into the doc-level security query? For example, sending this parameter in the header of the submitted query?!

For example, in run-as:
curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
we are sending the run-as user as a header param, and when it comes to the doc-level query, _user.username is 'jacknich'. Is there any way to send this kind of parameter with the submitted query and have access to it in the doc-level query?

Thanks in advance

You could use a custom realm, in conjunction with run-as, to do this.

Your system user would exist in a standard realm (native/LDAP/etc), with a role that grants run-as: app-*

Then you create a custom realm that supports user-lookups, but not authentication, and matches usernames of the form app-*.
For each user that you need to lookup, you simply return a very lightweight user with a single application-dls role.
The application-dls role is a plain old native role, with a DLS query that is templated by username.

It requires some custom Java development, but it's quite straightforward.
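Putting the outline above into concrete role definitions, as an added example that is not from the original thread nor Elastic's own code. It assumes the 7.x+ `_security` API path (older releases used `_xpack/security`), a document field `owner` holding the application user name, an index pattern `app-data-*`, and the role names `app_connector` and `application-dls`; the custom lookup-only realm itself (Java) is outside this fragment.

```http
# 1. Role for the single Elasticsearch user the application connects as.
#    It holds no index privileges of its own and may only impersonate
#    usernames the custom realm serves (app-*), so it cannot run as an admin.
PUT /_security/role/app_connector
{
  "cluster": [],
  "indices": [],
  "run_as": ["app-*"]
}

# 2. Role the custom realm attaches to every looked-up app-* user.
#    The DLS query is templated on the effective (run-as) username;
#    'owner' is an assumed field carrying the application user name.
PUT /_security/role/application-dls
{
  "indices": [
    {
      "names": ["app-data-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": { "term": { "owner": "{{_user.username}}" } }
        }
      }
    }
  ]
}

# 3. Per-request impersonation, in the same curl form used earlier in the thread:
#    curl -u <app_connector user> -H "es-security-runas-user: app-alice" \
#         'http://localhost:9200/app-data-2024/_search'
#    The custom realm looks up app-alice, returns a user holding only
#    application-dls, and the search is filtered to {"term":{"owner":"app-alice"}}.
#    Because that realm does lookups but not authentication, no app-* user
#    can log in directly; only the connector user can act on their behalf.
```

If a request names a user outside app-* in the header, the run_as grant does not cover it and Elasticsearch rejects the request, which is the check worth exercising first when testing the realm.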

Thanks Tim
So helpful
