I have a situation where there are existing Elasticsearch instances that uses X-Pack security and need to extend Authorization mechanism in order to change the default behaviour and contact an external service to obtain a list of authorizations (I still need to decide what kind of data to return) so that I will use those authorizations to allow or deny user requests or retrieve only a specific set of data according to a specific filter coming from the authorizations list.
What do you think are my options for something like that?
Do I need to do creating a security extension like it was done in this official blog post?
Any other idea or advice?
From your problem description, it seems like you want to do authorization based on some data fetched from an external system. As you have not mentioned what data will look like or what authorization controls you want it is hard to give possible solutions.
[Future] For customizable authorization, we have an issue open which is under consideration but we do not have any timelines or what it would look like:
Hi @Yogesh_Gaikwad and thank you for your answer!
I actually have also requirements for the Elasticsearch version, it is 6.2 and so I also have more limitations as far as I understood.
About the type of authorization controls, a possible scenario of what I need is the following:
a user with id "johndoe" asks to retrieve all existing fruits from an Elasticsearch instance
then, Elasticsearch authorization mechanism will ask an external service to retrieve the list of authorizations for the user "johndoe"
at this point, the search on Elasticsearch will be executed but it won't be "retrieve all fruits", but it will be "retrieve all fruits that user 'johndoe' is authorized to see" (e.g. "retrieve all red colored fruits")
any way to implement something like this on Elasticsearch 6.2 (or 6.5 in case I will have the chance to work with that new version)?
You may want to look into combining custom authentication with attribute-based access controls. Not sure whether this would fit your needs or not, but you can find a bit more information in these blogs:
@Christian_Dahlqvist thanks.
Any other way to do that without using Platinum X-Pack features?
Thanks
edit:
alternatively, would it be possible to build a plugin to catch all requests toward Elasticsearch so that I will be able to edit them and add some kind of filtering before sending them?
I believe all our commercial features are technically built as plugins, so I am reasonably sure it is possible. I do however not think it necessarily is easy and would expect it to require a good amount of effort. On top of that you also need to factor in the effort required to maintain and upgrade it.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.