Dynamically changing user access

Hi Elastic Shield folks,

Is it possible to have a dynamic set of changing rules at runtime?

For example, I would like to have a social network approach to data access - where each user manages some groups other users are a part of. I'd like to have a Shield user for every user where what they can access is based on what groups of other users they are in. When this changes, Shield rules would need to change. Is this possible?


PS. I have been thinking of restricting users to their own index, and using index aliases to represent their group permissions. But this would still require dynamic runtime changes, e.g. when a new user signs up. Also, the data within an index would be heterogeneous as there would be lots of types with very differing schemas, I believe the better approach is to have indexes with homogenous documents, that is with low variability between their structures. Therefore a solution where indexes represent schema types and types represent the different groups might make sense, but this seems harder to implement from a Shield point of view?

Hi Daniel,

It sounds like an interesting application :slight_smile:

Yes, you can update Shield users and roles dynamically. Today, you do this by editing config files on all nodes (some folks use puppet/chef to push the updated config files to the nodes). In the near future, we will have an API for this.

I wouldn't recommend using aliases with filters to provide security; it's impossible to fully secure. Shield has real document-level security functionality built in though, which would allow you do to type-based or property-based security (e.g. define a role that grants access to all documents where field foo == "bar").

Shield also has integration with AD/LDAP, and you can assign roles to users based on their AD/LDAP groups, which might make things easier as well.

Hope that helps!

Thanks Steve,
So when I update a configuration file, those changes are reflected immediately by Shield? I don't have to restart?
I mention the aliases and filters approach, in case the Shield rules weren't dynamic.

Do you know what a reasonable number of users is for Shield to handle?

Thanks, Dan.

For roles and mappings, yes.