Field level security for writes

security

(Rich Sutton) #1

Are there any plans for adding field-level security for writes?

I would like to allow users in a specific role to add information to existing documents, but only under a certain top level field. All other fields should remain read only.

As I understand it, field-level security today is only for hiding data on read.


(Tim Vernum) #2

There are no plans for FLS for writes.

Although it sounds simple, it is complicated by the fact that Elasticsearch doesn't really do updates. It does DELETE + PUT, and has a convenience API to wrap that in a single action.

So we could have security around Update actions that confirm that the user is only updating specific fields, but then users would be forced into using the Update action, and in a lot of cases we discourage that, and recommend doing an Index action instead.

To do it well, we need to enforce it on Index, which means we'd need to check whether the document exists, compare the incoming fields to the existing fields and check that the only fields that have been changed are those that the user is permitted to update.

But, if we want to make FLS read/write, then we also need to work out what to do about the fields they were never allowed to see. If you Get a document (but it has fields redacted due to FLS), change 1 field and then Index it again, what should that do?

Once you get into this, there's enough rabbit holes that it would end up being a very complex feature with a lot of edge cases that simply cannot be supported. We may do it at some point, but for now we don't think it's useful enough to justify the complexity it would bring.

However, one feature we are looking at is to make some authorization decisions pluggable: https://github.com/elastic/elasticsearch/issues/32435
The feature is not fully fleshed out yet, but it might be that you could solve your specific use case by adding your own authorization rule for Update actions.
That is most definitely not a commitment that we will add this feature, or that the feature will solve your specific needs; it's just an indication of where we've been having discussions.
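
The Index-time check described in post #2 (look up the stored document, compare it with the incoming one, and accept only changes to permitted fields), written as an added example that is not part of the thread and not Elasticsearch code. It works on plain dicts; the function names, the sample document and the merge policy for redacted fields are assumptions made for illustration.

```python
"""Added example: the comparison an Index-time write check would need.
Runs on plain dicts; no Elasticsearch client is involved."""

_MISSING = object()  # distinguishes "field absent" from "field is None"


def unauthorized_changes(existing, incoming, writable):
    """Return top-level fields that differ between the stored document and
    the incoming one but are not in the caller's writable set."""
    if existing is None:
        # Document does not exist yet: every incoming field is a new write.
        return sorted(f for f in incoming if f not in writable)
    touched = set()
    for field in existing.keys() | incoming.keys():
        if existing.get(field, _MISSING) != incoming.get(field, _MISSING):
            touched.add(field)  # added, removed, or value changed
    return sorted(touched - set(writable))


def merge_permitted(existing, incoming, writable):
    """One possible policy (an assumption) for the redacted-read case:
    take only writable fields from the request, keep the rest as stored."""
    merged = {k: v for k, v in existing.items() if k not in writable}
    merged.update({k: v for k, v in incoming.items() if k in writable})
    return merged


# Constructed sample data.
STORED = {"title": "Q3 report", "owner": "alice", "salary_band": "B4",
          "annotations": {"reviewed": False}}
WRITABLE = {"annotations"}

# Full re-index that changes only the permitted field: allowed.
OK_REQUEST = dict(STORED, annotations={"reviewed": True, "by": "rich"})
# The user was served a redacted copy (no salary_band) and re-indexes it:
# the hidden field now looks like a deletion.
REDACTED_REQUEST = {"title": "Q3 report", "owner": "alice",
                    "annotations": {"reviewed": True}}
# The request also rewrites a read-only field.
TAMPERED_REQUEST = dict(OK_REQUEST, owner="bob")

if __name__ == "__main__":
    for name, req in [("ok", OK_REQUEST), ("redacted", REDACTED_REQUEST),
                      ("tampered", TAMPERED_REQUEST)]:
        print(name, unauthorized_changes(STORED, req, WRITABLE))
    print(merge_permitted(STORED, REDACTED_REQUEST, WRITABLE))
```

A strict comparison rejects the redacted re-index because the hidden field appears deleted, while the merge policy silently keeps the stored value; which of the two is correct is the open question raised in the post.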


(Rich Sutton) #3

Thanks for the thorough response, Tim. Much appreciated.

