Dynamic user-authorization

From the Elastic docs, it seems like we can create a role for access-control, give authorization to a list of indices (or resources) to this role, and then use that role to perform the operations on those resources. But is it possible to create a role, which has full authorization over only the resources that will be created by that role?
For example, let's say a role is created called my_role. Now if we make a request with this my_role to create an index (say index1), it should get created. This my_role should not be able to access any resources in the cluster other than the index1 at this point. The Elasticsearch should allow this role to perform all operations to this index1 (index docs, update mappings/settings, delete etc).

I don't think this is possible with the provided functionality based on the documentation. But just want to confirm again. Also, what would be the best way to achieve something like this in Elasticsearch?

As far as I know it is indeed not possible.

Easiest way would be to have a cluster per customer, although I know that is not what you are looking for.

I think it would be very difficult to do something like this if customers require direct access to Elasticsearch. You might be able to create an application that acts as a proxy layer and create per customer namespaces by prefixing all indices based on customer and hgrant access to these based on the prefix, but that would be complex and require a lot of effort. You would also need to rewrite queries as this should be transparent for users.

1 Like

We do have a proxy layer in front of the Elasticsearch cluster, but modifying the queries to add/remove the index prefix would take too much of efforts as you said.

I'll go with making a separate cluster for these specific group of users and give them permissions to access all indices of that cluster.