Entity Object Security with Elastic Search


(Charles Gardiner) #1

Howdy yall,

Has anyone here had to deal with entity object security with Elastic
Search?

What I mean by "entity object security" is that the entity the Document
represents is not readable by everyone who may be searching the Elastic
Search database. It would be nice if there was a way that Elastic Search
had some notion of document security or is this something I would have to
build into the document representing the entity.

Here is a more specific scenario:

I perform a query against Elastic Search for a specific page and size. I
get the results and translate the results into domain objects. I then
check if the user who is about to see these results has the ability to see
each domain object and if not remove it. The problem with this solution is
that it removes results from the page after the query and could result in a
page with no results. Is there a way to integrate user level security into
Elastic Search?

I realize this question is somewhat broad. Any suggestions are appreciated.
Thanks
Charles

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/2ec71eba-7451-4c34-9b69-7e4357d3adb7%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(David Pilato) #2

Add a security field or object in your JSON source doc, for example:

    {
        "groupid": "sales",
        // your content
    }

Then add a filter to filter your docs by groupid.

You can also define filtered aliases to simplify your search requests.

--
David :wink:
Twitter : @dadoonet / @elasticsearchfr / @scrutmydocs



(Ümit Seren) #3

I am using Spring Security with their ACL schema for having permissions for
entity objects.

So I added the following mapping to those entities in ES:

    "acl": {
        "type": "nested",
        "properties": {
            "id": {
                "type": "integer"
            },
            "permissions": {
                "type": "string",
                "index": "not_analyzed"
            }
        }
    },
    "owner": {
        "type": "object",
        "properties": {
            "id": {
                "type": "integer"
            },
            "sid": {
                "type": "string",
                "index": "not_analyzed"
            },
            "name": {
                "type": "multi_field",
                "fields": {
                    "name": {
                        "type": "string"
                    },
                    "partial": {
                        "type": "string",
                        "index_analyzer": "my_ngram"
                    }
                }
            }
        }
    }

An entry could look like this:

    {
        "owner": {
            "id": 1,
            "sid": "ROLE_ADMIN",
            "name": "Admin"
        },
        "acl": [
            {
                "id": 1,
                "permissions": ["READ"]
            },
            {
                "id": 2,
                "permissions": ["READ", "WRITE", "ADMIN"]
            }
        ]
    }

This way you can easily use an ACL filter to filter the entities:

    {
        "filter": {
            "nested": {
                "filter": {
                    "bool": {
                        "must": [
                            {
                                "terms": {
                                    "acl.id": ["1", "2"]
                                }
                            },
                            {
                                "terms": {
                                    "acl.permissions": ["READ"]
                                }
                            }
                        ]
                    }
                },
                "path": "acl"
            }
        }
    }

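Added example, not part of any post in this thread: it builds the nested ACL filter shown in #3 and compares paging-then-filtering (the approach in #1) with filtering-then-paging over constructed documents. `nested_match` is a local stand-in for how a nested filter is evaluated, not Elasticsearch code, and all helper names and sample data are assumptions.

```python
# Added example: constructed data, hypothetical helper names.

def acl_filter(sid_ids, permission):
    """Build the nested ACL filter from the thread for a user's SID ids."""
    return {"nested": {"path": "acl", "filter": {"bool": {"must": [
        {"terms": {"acl.id": list(sid_ids)}},
        {"terms": {"acl.permissions": [permission]}},
    ]}}}}

def nested_match(doc, flt):
    """Local stand-in for nested semantics: both terms clauses must hold
    inside the SAME acl entry, not across entries."""
    must = flt["nested"]["filter"]["bool"]["must"]
    ids = set(must[0]["terms"]["acl.id"])
    perms = set(must[1]["terms"]["acl.permissions"])
    return any(e["id"] in ids and perms & set(e["permissions"])
               for e in doc["acl"])

def page_post_filtered(docs, flt, start, size):
    """Approach from the question: page first, drop unreadable hits after."""
    return [d for d in docs[start:start + size] if nested_match(d, flt)]

def page_filtered_in_query(docs, flt, start, size):
    """Approach from the replies: filter first, then page."""
    readable = [d for d in docs if nested_match(d, flt)]
    return readable[start:start + size]

# Constructed sample index: six docs; SID 2 can read only docs 4..6
DOCS = [{"doc": n, "acl": [{"id": 1, "permissions": ["READ", "WRITE"]}] +
         ([{"id": 2, "permissions": ["READ"]}] if n > 3 else [])}
        for n in range(1, 7)]

def demo():
    flt = acl_filter([2], "READ")
    post = [d["doc"] for d in page_post_filtered(DOCS, flt, 0, 3)]
    pre = [d["doc"] for d in page_filtered_in_query(DOCS, flt, 0, 3)]
    # SID 1 holds WRITE, SID 2 only READ: no single entry grants SID 2 WRITE
    cross = any(nested_match(d, acl_filter([2], "WRITE")) for d in DOCS)
    return post, pre, cross

if __name__ == "__main__":
    print(demo())
```

The first page is empty when the ACL check runs after paging and full when it is part of the query; the last value shows why `acl` is mapped as `nested`, since matching `acl.id` and `acl.permissions` across different entries would grant SID 2 a permission that only SID 1 holds.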


(system) #4