Hi all,
I am new to the X-Pack security module. I was wondering whether I can use parameters from the main query inside a doc-level query.
Actually, what I want to do is:
Having application-level users which are different from Elastic users, I want to filter the documents according to my application-level usernames, not the Elastic user (because all my app users will connect as one Elastic user).
I took a look at the run-as feature as you mentioned, but even in that case I need to create all my application users in an Elasticsearch user realm (native, file, LDAP or whatever), because the only way to use document level security is to define a query on a role and then assign that role to the defined user. Am I right, or is there another way to take advantage of this feature without having all users defined in Elasticsearch?
Maybe this is pretty similar to my original question but this time more general.
Is there any way to inject a parameter into the doc-level security query? For example, by sending this parameter in the header of the submitted query?
For example, in run-as:
curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/'
We are sending the run-as user as a header param, and when it comes to the doc-level query the _user.username is 'jacknich'. Is there any way to send this kind of parameter with the submitted query and have access to it in the doc-level query?
You could use a custom realm, in conjunction with run-as, to do this.
Your system user would exist in a standard realm (native/LDAP/etc), with a role that grants run-as: app-*
Then you create a custom realm that supports user-lookups, but not authentication, and matches usernames of the form app-*.
For each user that you need to look up, you simply return a very lightweight user with a single application-dls role.
The application-dls role is a plain old native role, with a DLS query that is templated by username.
It requires some custom Java development, but it's quite straightforward.
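The two roles described in this answer, written out as role API requests. This is an added example, not part of the original reply; the role name `app-gateway`, the index `app-docs` and the field `owner` are hypothetical, and the custom lookup realm itself is not shown.

```console
# Added example; role name "app-gateway", index "app-docs" and field "owner"
# are hypothetical. On 5.x/6.x the path prefix is /_xpack/security/role/.

# Role for the single system user the application connects as. It carries
# no index privileges of its own; it may only impersonate app-* usernames.
PUT /_security/role/app-gateway
{
  "run_as": [ "app-*" ]
}

# Role the custom lookup realm returns for every app-* user.
# {{_user.username}} resolves to the run-as user named in the
# es-security-runas-user header, not to the authenticating system user.
# 5.x releases name the "source" key "inline".
PUT /_security/role/application-dls
{
  "indices": [
    {
      "names": [ "app-docs" ],
      "privileges": [ "read" ],
      "query": {
        "template": {
          "source": {
            "term": { "owner": "{{_user.username}}" }
          }
        }
      }
    }
  ]
}
```

The `owner` field has to hold the full realm username, prefix included (for example `app-jacknich`), and should be mapped as a keyword so the term match is exact. Because the system user's role grants no index privileges in this sketch, a search sent without the run-as header is denied instead of returning every user's documents.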