Extend Elasticsearch Authorization mechanism to existing instances

security

#1

Hi,

I have a situation where there are existing Elasticsearch instances that use X-Pack security, and I need to extend the authorization mechanism in order to change the default behaviour and contact an external service to obtain a list of authorizations (I still need to decide what kind of data to return), so that I can use those authorizations to allow or deny user requests, or retrieve only a specific set of data according to a specific filter coming from the authorizations list.

What do you think are my options for something like that?
Do I need to create a security extension, like it was done in this official blog post?
Any other idea or advice?

Thanks a lot!


(Yogesh Gaikwad) #2

Hi @Uiidoi12,

From your problem description, it seems like you want to do authorization based on some data fetched from an external system. As you have not mentioned what the data will look like or what authorization controls you want, it is hard to give possible solutions.

With version 6.5, you have the option of an authorization realm, which can then fetch data from your external system: https://www.elastic.co/guide/en/elastic-stack-overview/master/realm-chains.html#authorization_realms

[Future] For customizable authorization, we have an issue open which is under consideration but we do not have any timelines or what it would look like:

Hope this helps

Thanks and Regards,
Yogesh Gaikwad


#3

Hi @Yogesh_Gaikwad and thank you for your answer!
I actually also have requirements for the Elasticsearch version: it is 6.2, and so I also have more limitations, as far as I understood.
About the type of authorization controls, a possible scenario of what I need is the following:

  1. a user with id "johndoe" asks to retrieve all existing fruits from an Elasticsearch instance
  2. then, the Elasticsearch authorization mechanism will ask an external service to retrieve the list of authorizations for the user "johndoe"
  3. at this point, the search on Elasticsearch will be executed but it won't be "retrieve all fruits", but it will be "retrieve all fruits that user 'johndoe' is authorized to see" (e.g. "retrieve all red colored fruits")

Is there any way to implement something like this on Elasticsearch 6.2 (or 6.5, in case I will have the chance to work with that new version)?

Thanks
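
The three-step scenario in the post above, sketched as an added example that is not part of the thread and is not Elasticsearch or X-Pack code: a hypothetical helper, `build_authorized_search`, running in an application or proxy in front of the cluster, wraps the user's search in a `bool` filter built from the external service's reply. The reply shape (field to permitted values), the `color` field and the passthrough key list are assumptions.

```python
import copy

# Assumption: only these top-level search keys are passed through. Others
# (e.g. "aggs" with a global aggregation, "suggest") are not scoped by "query".
PASSTHROUGH_KEYS = {"query", "size", "from", "sort", "_source"}


def build_authorized_search(user_body, authorizations):
    """Wrap a user's search body so it only matches authorized documents.

    authorizations: dict of field -> list of permitted values, the assumed
    shape of the external service's reply, e.g. {"color": ["red"]}.
    None or {} means "nothing granted" and yields a query matching nothing.
    """
    unexpected = set(user_body) - PASSTHROUGH_KEYS
    if unexpected:
        raise ValueError("unsupported search keys: %s" % sorted(unexpected))

    body = copy.deepcopy(user_body)  # never mutate the caller's request
    user_query = body.pop("query", {"match_all": {}})

    if not authorizations:
        # Fail closed: the lookup failed or the user has no grants.
        body["query"] = {"match_none": {}}
        return body

    filters = []
    for field, values in sorted(authorizations.items()):
        if not values:
            # An empty grant for a field permits no value of that field.
            body["query"] = {"match_none": {}}
            return body
        filters.append({"terms": {field: list(values)}})

    # The user's query stays in "must"; the grants go in "filter", so every
    # hit has to satisfy both and the user's clauses cannot widen the result.
    body["query"] = {"bool": {"must": [user_query], "filter": filters}}
    return body


# Constructed sample: "johndoe" asks for all fruits and is granted red ones.
if __name__ == "__main__":
    request = {"query": {"match_all": {}}, "size": 50}
    grants = {"color": ["red"]}  # constructed reply from the external service
    print(build_authorized_search(request, grants))
```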