Extend Elasticsearch Authorization mechanism to existing instances


I have a situation where there are existing Elasticsearch instances that uses X-Pack security and need to extend Authorization mechanism in order to change the default behaviour and contact an external service to obtain a list of authorizations (I still need to decide what kind of data to return) so that I will use those authorizations to allow or deny user requests or retrieve only a specific set of data according to a specific filter coming from the authorizations list.

What do you think are my options for something like that?
Do I need to do creating a security extension like it was done in this official blog post?
Any other idea or advice?

Thanks a lot!

Hi @Uiidoi12,

From your problem description, it seems like you want to do authorization based on some data fetched from an external system. As you have not mentioned what data will look like or what authorization controls you want it is hard to give possible solutions.

With version 6.5 you have an option of authorization realm which can then fetch data from your external system, https://www.elastic.co/guide/en/elastic-stack-overview/master/realm-chains.html#authorization_realms

[Future] For customizable authorization, we have an issue open which is under consideration but we do not have any timelines or what it would look like:

Hope this helps

Thanks and Regards,
Yogesh Gaikwad

Hi @Yogesh_Gaikwad and thank you for your answer!
I actually have also requirements for the Elasticsearch version, it is 6.2 and so I also have more limitations as far as I understood.
About the type of authorization controls, a possible scenario of what I need is the following:

  1. a user with id "johndoe" asks to retrieve all existing fruits from an Elasticsearch instance
  2. then, Elasticsearch authorization mechanism will ask an external service to retrieve the list of authorizations for the user "johndoe"
  3. at this point, the search on Elasticsearch will be executed but it won't be "retrieve all fruits", but it will be "retrieve all fruits that user 'johndoe' is authorized to see" (e.g. "retrieve all red colored fruits")

any way to implement something like this on Elasticsearch 6.2 (or 6.5 in case I will have the chance to work with that new version)?



any idea about how I can implement something like that?


You may want to look into combining custom authentication with attribute-based access controls. Not sure whether this would fit your needs or not, but you can find a bit more information in these blogs:

Thanks @Christian_Dahlqvist I'll check them.
One question: do I need premium X-Pack to use "Attribute-based access controls"?

Yes, the document and field level security used in these blog posts are a Platinum level feature.

@Christian_Dahlqvist thanks.
Any other way to do that without using Platinum X-Pack features?



alternatively, would it be possible to build a plugin to catch all requests toward Elasticsearch so that I will be able to edit them and add some kind of filtering before sending them?

I believe all our commercial features are technically built as plugins, so I am reasonably sure it is possible. I do however not think it necessarily is easy and would expect it to require a good amount of effort. On top of that you also need to factor in the effort required to maintain and upgrade it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.