Enquiry about X-Pack Role Based Control for Documents

I am looking at implementing role based access control using X-Pack on a document level. From the documentation, a role could be defined for my document like this:

{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "query": "{\"term\": {\"tags\": \"blog\", \"sub-tags\": \"games\", \"year\": 2017}}"
    }
  ]
}

For the query part, is it possible to extract the attributes "sub-tags" and "year" and place them in a template like Year_Game so that the query becomes like this:

{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "query": "{\"term\": {\"tags\": \"blog\", \"Year_Game.sub-tags\": \"games\", \"Year_Game.year\": 2017}}"
    }
  ]
}

The purpose is to simplify the administrator's task of creating roles so that they can simply re-use existing templates to create new roles.

How could I do this in X-Pack?

You cannot do this out of the box, but there are a few options that might work.

The query can be templated by metadata stored on the user, so if you're able to manage the "Year_Game" on the user, it could work:

"query": {
   "template": {
      "source": {
          "term": {
              "tags": "blog",
              "{{_user.metadata.Year_Game}}.sub-tags": "games",
              "{{_user.metadata.Year_Game}}.year": 2017
          }
      }
   }
}

I'm not 100% sure I provided the example you want though - I'm a little confused about your example and what you want to template.

Alternatively, you can implement custom roles providers, so if you wanted to, you could just do all this in code, or pull your role definitions from an external system.
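
An added example, not part of the original posts and not Elastic's code: a Python sketch of the reusable-template idea, building a role body around one shared query template and previewing what a given user's metadata would turn it into before the role is deployed. `build_role`, `render_for_user`, `YEAR_GAME_QUERY` and the sample metadata are hypothetical names; the substitution is a simplified local stand-in for the server-side Mustache rendering, and the query is written as a bool filter of single-field term clauses as a choice made for this example.

```python
import json
import re

# Matches the variables used in role query templates, e.g. {{_user.metadata.Year_Game}}
_VAR = re.compile(r"\{\{\s*_user\.(username|metadata\.([\w-]+))\s*\}\}")
# Values allowed to be spliced into a field name (assumption: plain identifiers only)
_SAFE = re.compile(r"[\w.-]+")

# Reusable template (constructed for this example); administrators share it across roles.
YEAR_GAME_QUERY = {"bool": {"filter": [
    {"term": {"tags": "blog"}},
    {"term": {"{{_user.metadata.Year_Game}}.sub-tags": "games"}},
    {"term": {"{{_user.metadata.Year_Game}}.year": 2017}},
]}}

def build_role(index_patterns, query_template):
    """Return a role body whose document-level query is a template."""
    return {"indices": [{
        "names": list(index_patterns),
        "privileges": ["read"],
        "query": {"template": {"source": query_template}},
    }]}

def render_for_user(role, username, metadata):
    """Preview the query a user would get from the role's template.

    Raises KeyError when the user lacks a referenced metadata key and
    ValueError when a value could alter the structure of the query.
    """
    def substitute(match):
        if match.group(1) == "username":
            value = username
        else:
            value = metadata[match.group(2)]  # KeyError: metadata not set on user
        if not isinstance(value, str) or not _SAFE.fullmatch(value):
            raise ValueError(f"unsafe template value: {value!r}")
        return value

    source = role["indices"][0]["query"]["template"]["source"]
    return json.loads(_VAR.sub(substitute, json.dumps(source)))

if __name__ == "__main__":
    role = build_role(["events-*"], YEAR_GAME_QUERY)
    print(json.dumps(role, indent=2))
    # Constructed user metadata: the value becomes the field-name prefix.
    print(json.dumps(render_for_user(role, "alice", {"Year_Game": "Year_Game"})))
```

Running the preview for every user assigned the role surfaces missing or malformed metadata before it silently changes which documents that user can read.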
