In reading through the X-Pack security-related documentation, I see that you can impersonate users while executing queries.
First, what's best in setting up document-level security? Just a _user.metadata field (hash holding custom metadata of the current authenticated user)? Can I read this hash from the user's index later, to add it to PUT requests?
In my case, a cron job will eventually be writing data to an index. While inserting data for a specific user, does this have to use the 'run_as' mechanism or is it sufficient to populate the document's _user.metadata field with this, to uniquely identify the user?
First, I would like to apologize for your question being unanswered for so long.
In your use case, you may only need to add a field to the documents you are indexing that contains the username of the user or some other unique identifier. Once you have that, you can use a templated role query for your users and limit their access to the documents that match their information.
While inserting data for a specific user, does this have to use the 'run_as' mechanism
The run_as mechanism does not need to be used. Populating the document with a field is all that is needed.
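The setup described in the answer above, as an added example that is not part of the original thread or Elastic's own code: it builds a role body with a templated document-level query and then models locally which documents each user would see. The index name `user-data` and the field name `owner` are hypothetical, the `source` template key follows the current role API documentation, and the render and filter functions are a local stand-in for what Elasticsearch does, not its implementation.

```python
import json

# Hypothetical names chosen for this example.
INDEX = "user-data"
OWNER_FIELD = "owner"

def role_body(index=INDEX, field=OWNER_FIELD):
    """Role definition whose query is templated on the authenticated username."""
    return {
        "indices": [{
            "names": [index],
            "privileges": ["read"],
            "query": {"template": {"source": {
                "term": {field: "{{_user.username}}"}}}},
        }]
    }

def render_query(role, username):
    """Local stand-in for template rendering: substitute the username, JSON-escaped."""
    source = role["indices"][0]["query"]["template"]["source"]
    escaped = json.dumps(username)[1:-1]  # escape quotes and backslashes
    return json.loads(json.dumps(source).replace("{{_user.username}}", escaped))

def visible_docs(docs, query):
    """Local stand-in for the term filter: exact match on the owner field."""
    (field, value), = query["term"].items()
    return [d for d in docs if d.get(field) == value]

def cron_document(payload, username, field=OWNER_FIELD):
    """What the cron job indexes: the payload plus the owner field (no run_as)."""
    return {**payload, field: username}

# Constructed sample documents.
DOCS = [
    cron_document({"report": "q1"}, "alice"),
    cron_document({"report": "q2"}, "bob"),
    {"report": "orphan"},  # written without an owner: visible to no templated user
]

if __name__ == "__main__":
    role = role_body()
    print(json.dumps(role, indent=2))  # body to send to the role API
    for user in ("alice", "bob", "carol"):
        print(user, visible_docs(DOCS, render_query(role, user)))
```

Map the owner field as `keyword` so the term query matches exactly, and grant write privileges on the index only to the cron job's account, since anyone who can write that field can assign a document to another user.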