Index/search with ACLs and parent/child relationship


(Manuel Vacelet-2) #1

Hi,

I'm struggling with an ES design and I'd like to share with you.

I have a set of different documents stored in ES, those documents can be
seen only by a set of people.
To address this point, for each document, I have a property 'groups' with
the list of user groups allowed to access it ('all', 'project_members',
'designers', etc)
On query, I just have to add the list of groups a user belongs to and tada,
it works. Great.

Now some of those documents are hierarchically stored, so the permissions
are.
Pretty much like unix folders:

  • I can have a document that is world readable
  • but as long as this doc is in a folder that is only readable by one user,
    only this user can access the doc.

How can I map this in ES?

I've read
http://www.elasticsearch.org/blog/managing-relations-inside-elasticsearch
Sounds like parent/child might be a solution but:

  • How do I write the query to have permissions applied ?

Thanks for your help;
Manuel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/bf69d9fe-5cb1-4d2b-bf24-8564b3b643c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Ümit Seren) #2

You can check out https://github.com/salyh/elasticsearch-security-plugin which supports authorization and ACLs on document level.

If you implement your own ACLs I would recommend to de-normalize the
permissions for your hierarchical documents (i.e. store only the effective
permissions for each document inside the document).
Otherwise the queries (if you store them in a client/parent relationship)
will quickly become very complex and also the performance might suffer
if you have many documents.

On Sunday, May 18, 2014 11:01:02 AM UTC+2, Manuel Vacelet wrote:

Hi,

I'm struggling with an ES design and I'd like to share with you.

I have a set of different documents stored in ES, those documents can be
seen only by a set of people.
To address this point, for each document, I have a property 'groups' with
the list of user groups allowed to access it ('all', 'project_members',
'designers', etc)
On query, I just have to add the list of groups a user belongs to and
tada, it works. Great.

Now some of those documents are hierarchically stored, so the permissions
are.
Pretty much like unix folders:

  • I can have a document that is world readable
  • but as long as this doc is in a folder that is only readable by one
    user, only this user can access the doc.

How can I map this in ES?

I've read
http://www.elasticsearch.org/blog/managing-relations-inside-elasticsearch
Sounds like parent/child might be a solution but:

  • How do I write the query to have permissions applied ?

Thanks for your help;
Manuel
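
An added sketch of the de-normalization recommended in reply #2, not code from the thread or from the linked plugin: each document is indexed with the groups that survive every folder above it, so the query stays a single terms filter. The field name `effective_groups`, the sample tree and the helper names are assumptions, and every user's group list is assumed to contain 'all'.

```python
EVERYONE = "all"  # world-readable group from the thread (assumed present for every user)

# Constructed sample tree: id -> (parent id or None, groups set directly on the node)
NODES = {
    "root":       (None,      {"all"}),
    "private":    ("root",    {"designers"}),
    "public-doc": ("root",    {"all"}),
    "hidden-doc": ("private", {"all"}),
    "mixed-doc":  ("private", {"project_members"}),
}

def narrow(parent, own):
    """Combine two ACL levels; 'all' on one level imposes no restriction."""
    if EVERYONE in parent:
        return set(own)
    if EVERYONE in own:
        return set(parent)
    # Fails closed: a user who passes each level through a *different* group
    # is denied, because only groups common to both levels are kept.
    return parent & own

def effective_groups(node_id, nodes):
    """Walk up to the root, narrowing the readable groups at every folder."""
    parent_id, groups = nodes[node_id]
    groups, seen = set(groups), {node_id}
    while parent_id is not None:
        if parent_id in seen:
            raise ValueError("cycle in folder hierarchy at %r" % parent_id)
        seen.add(parent_id)
        parent_id, parent_groups = nodes[parent_id]
        groups = narrow(parent_groups, groups)
    return groups

def to_indexed_doc(node_id, nodes):
    """Document body as it would be sent to the index (hypothetical field name)."""
    return {"id": node_id, "effective_groups": sorted(effective_groups(node_id, nodes))}

def search_body(user_groups, text_query):
    """Search request: the user's query plus a non-scoring permission filter."""
    return {"query": {"bool": {
        "must": text_query,
        "filter": {"terms": {"effective_groups": sorted(user_groups)}},
    }}}

def visible(doc, body):
    """Offline stand-in for the terms filter: any shared value matches."""
    allowed = body["query"]["bool"]["filter"]["terms"]["effective_groups"]
    return bool(set(doc["effective_groups"]) & set(allowed))
```

The cost of this layout is on the write side: changing a folder's groups means recomputing and reindexing every document beneath it.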
