How to give access to few documents in a field on a role?

stramzik · April 6, 2023, 3:59pm

Hi, Lets say I have an index with following documents

{"Country": "India", "sample":1 , "Data":"hi"  }
{"Country": "India", "sample": 2, "Data":"hello"  }
{"Country": "India", "sample": 3, "Data":"how"  }
{"Country": "Buthan", "sample": 4, "Data":"are"  }
{"Country": "Buthan", "sample": 5, "Data":"you"  }
{"Country": "Buthan", "sample": 6, "Data":"Kibana?"  }

I want to create a role where the user has access to all the documents in this case all 6. However I would like to give access to a field where a criteria matches

for example lets say if "Country" : "India" only then show the values in Data field however it should not affect the Sample field., meaning it should still show everything in Sample field

So the role should filter the data as follows

{"Country": "India", "sample":1 , "Data":"hi"  }
{"Country": "India", "sample": 2, "Data":"hello"  }
{"Country": "India", "sample": 3, "Data":"how"  }
{"Country": "Buthan", "sample": 4, "Data": }
{"Country": "Buthan", "sample": 5, "Data":  }
{"Country": "Buthan", "sample": 6, "Data":  }

Also is Document Level and Field Level Security not available on Open Source ElasticStack?

leandrojmp · April 6, 2023, 4:19pm

Elasticsearch is not Open Source since version 7.11, but if you are talking about the Basic and Free License then yes, Document and Field level security are not available with the Basic/Free license.

stramzik · April 7, 2023, 1:06pm

Thank you for your response. Could you please advise if its possible to achieve the top query mentioned in the thread?

stephenb · April 10, 2023, 3:32am

Hi @stramzik

Short Answer: No Not Easy, if users are directly accessing Elasticsearch with Users and Role (perhaps if via Service / API gateway you could use a templated query or something but would need to think about that)

Take a look at this which is pretty much what you are trying to do 1 role gives all documents with 2 of 3 fields ... the Other Role limits the fields to the 3rd fields but limits documents ... but they get OR'd so all documents all fields (BTW I tested that)

I think you are going to need to divide your index by countries or something as suggested...

PUT discuss-test-fls/
{
  "mappings": {
    "properties": {
      "Country": {
        "type": "keyword"
      },
      "Data": {
        "type": "keyword"
      },
      "sample": {
        "type": "long"
      }
    }
  }
}

GET discuss-test-fls/_search

POST discuss-test-fls/_doc
{"Country": "India", "sample":1 , "Data":"hi"  }

POST discuss-test-fls/_doc
{"Country": "India", "sample": 2, "Data":"hello"  }

POST discuss-test-fls/_doc
{"Country": "India", "sample": 3, "Data":"how"  }

POST discuss-test-fls/_doc
{"Country": "Buthan", "sample": 4, "Data":"are"  }

POST discuss-test-fls/_doc
{"Country": "Buthan", "sample": 5, "Data":"you"  }

POST discuss-test-fls/_doc
{"Country": "Buthan", "sample": 6, "Data":"Kibana?"  }

# Create Roles
PUT _security/role/discuss-base-fields
{
  "indices": [
    {
      "names": [
        "discuss-test-fls"
      ],
      "privileges": [
        "read"
      ],
      "field_security": {
        "grant": [
          "Country",
          "sample"
        ]
      }
    }
  ]
}

PUT _security/role/discuss-show-india
{
  "indices": [
    {
      "names": [
        "discuss-test-fls"
      ],
      "privileges": [
        "read"
      ],
      "field_security": {
        "grant": [
          "Data"
        ]
      },
      "query" : {
        "template" : {
          "source" : {
            "term" : { "Country" : "India" }
          }
        }
      }
    }
  ]
}

# Create User and assign Roles

PUT _security/user/testing
{
  "password": "123456",
     "roles": [
      "discuss-show-india",
      "discuss-base-fields"
    ],
    "full_name": "",
    "email": "",
    "metadata": {},
    "enabled": true
}

Then curl you get both as explained in the docs... try with either role you get each part.... try it.

curl -u discuss-test-fls:123456 https://localhost:9200/discuss-test-fls/_search?pretty
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 6,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "discuss-test-fls",
        "_id" : "ksj6aIcBaxQDBNhISPo3",
        "_score" : 1.0,
        "_source" : {
          "Country" : "India",
          "Data" : "hi",
          "sample" : 1
        }
      },
      {
        "_index" : "discuss-test-fls",
        "_id" : "k8j6aIcBaxQDBNhISPqT",
        "_score" : 1.0,
        "_source" : {
          "Country" : "India",
          "Data" : "hello",
          "sample" : 2
        }
      },
      {
        "_index" : "discuss-test-fls",
        "_id" : "lMj6aIcBaxQDBNhISPrp",
        "_score" : 1.0,
        "_source" : {
          "Country" : "India",
          "Data" : "how",
          "sample" : 3
        }
      },
      {
        "_index" : "discuss-test-fls",
        "_id" : "3Cf6aIcBohX2d_7rScBH",
        "_score" : 1.0,
        "_source" : {
          "Country" : "Buthan",
          "Data" : "are",
          "sample" : 4
        }
      },
      {
        "_index" : "discuss-test-fls",
        "_id" : "lcj6aIcBaxQDBNhISfqp",
        "_score" : 1.0,
        "_source" : {
          "Country" : "Buthan",
          "Data" : "you",
          "sample" : 5
        }
      },
      {
        "_index" : "discuss-test-fls",
        "_id" : "G776aIcBE-JHYtAUSqsF",
        "_score" : 1.0,
        "_source" : {
          "Country" : "Buthan",
          "Data" : "Kibana?",
          "sample" : 6
        }
      }
    ]
  }
}

stramzik · April 11, 2023, 1:52pm

thank you for the explanation I think splitting the documents would work if it OR's the roles.

system · May 9, 2023, 1:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.