Dynamically appending a query (for data entitlements)

I have a use case where for every query that is coming from the user to
elasticsearch (ES), I want to add another query on ES server side before ES
executes the query.

The reason I need to dynamically add this other query is for
enforcing data-level entitlements.

e.g. Let's say that I am storing Orders in one of my ES indexes. Each Order
has a vendorid associated with it.

When a user of my app submits a query for Orders, I want to make sure that
only those Orders are returned by ES search that belong to the vendorid of
this user

e.g. the user may have submitted a query to show all orders where order
value >= $100. I want to append another query to this saying that only the
Orders that are associated with the vendor id of this user should be
returned.

How can I achieve this? In the servlet world we have the mechanism of
FILTERS. Is something similar available in ES?

Thanks

Lokesh

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a308903e-0653-4de6-a2f8-1747c94b006b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hello!

Are you allowing your users to directly talk to Elasticsearch? If so apart from modifying Elasticsearch (either the base code itself, or through dedicated plugin) you can't achieve what you want. You could use aliases (http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/indices-aliases.html ) and define an alias per vendor that would restrict the data returned. However if users are allowed to directly talk to Elasticsearch there is a high risk that one would just omit the alias and go directly to the indices.

On the other hand you probably have some application in front of Elasticsearch and this is a perfect place to take the query from the user and modify it to include additional filter.

--

Regards,

Rafał Kuć

Performance Monitoring * Log Analytics * Search Analytics

Solr & Elasticsearch Support * http://sematext.com/

I have a use case where for every query that is coming from the user to elasticsearch (ES), I want to add another query on ES server side before ES executes the query.

The reason I need to dynamically add this other query is for enforcing data-level entitlements.

e.g. Let's say that I am storing Orders in one of my ES indexes. Each Order has a vendorid associated with it.

When a user of my app submits a query for Orders, I want to make sure that only those Orders are returned by ES search that belong to the vendorid of this user

e.g. the user may have submitted a query to show all orders where order value >= $100. I want to append another query to this saying that only the Orders that are associated with the vendor id of this user should be returned.

How can I achieve this? In the servlet world we have the mechanism of FILTERS. Is something similar available in ES?

Thanks

Lokesh

--

You received this message because you are subscribed to the Google Groups "elasticsearch" group.

To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a308903e-0653-4de6-a2f8-1747c94b006b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

I am allowing users to talk to Elasticsearch (ES) through Kibana. As of now
I am not planning to write my own user interface on top of ES.

But even with an app on top of ES, I would like the data entitlements
checks to happen on the ES server side to ensure that no matter where the
query comes from the server is ensuring that only entitled data is returned.

Aliasing won't work as a solution for our use case.

Let me check the plugins route. Are there any good references on the web
that provide a tutorial on how to write ES plugins?

Thanks

Lokesh

On Sunday, December 21, 2014 1:22:19 AM UTC+5:30, Rafał Kuć wrote:

Hello!

Are you allowing your users to directly talk to Elasticsearch? If so apart
from modifying Elasticsearch (either the base code itself, or through
dedicated plugin) you can't achieve what you want. You could use aliases (
Elasticsearch Platform — Find real-time answers at scale | Elastic
) and define an alias per vendor that would restrict the data returned.
However if users are allowed to directly talk to Elasticsearch there is a
high risk that one would just omit the alias and go directly to the
indices.

On the other hand you probably have some application in front of
Elasticsearch and this is a perfect place to take the query from the user
and modify it to include additional filter.

*-- Regards, Rafał Kuć Performance Monitoring * Log Analytics * Search
Analytics Solr & Elasticsearch Support * *http://sematext.com/

I have a use case where for every query that is coming from the user to
elasticsearch (ES), I want to add another query on ES server side before ES
executes the query.

The reason I need to dynamically add this other query is for enforcing
data-level entitlements.

e.g. Let's say that I am storing Orders in one of my ES indexes. Each
Order has a vendorid associated with it.

When a user of my app submits a query for Orders, I want to make sure that
only those Orders are returned by ES search that belong to the vendorid of
this user

e.g. the user may have submitted a query to show all orders where order
value >= $100. I want to append another query to this saying that only the
Orders that are associated with the vendor id of this user should be
returned.

How can I achieve this? In the servlet world we have the mechanism of
FILTERS. Is something similar available in ES?

Thanks

Lokesh

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/a308903e-0653-4de6-a2f8-1747c94b006b%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/a308903e-0653-4de6-a2f8-1747c94b006b%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/082e9dc1-3c7c-4947-895f-cdac9b3a4425%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.