Indexing data with document-level security - is it necessary to use 'run_as'?


#1

In reading through the X-Pack security-related documentation, I see that you can impersonate users while executing queries.

First, what's best in setting up document-level security? Just a _user.metadata field (hash holding custom metadata of the current authenticated user)? Can I read this hash from the user's index later, to add it to PUT requests?

In my case, a cron job will eventually be writing data to an index. While inserting data for a specific user, does this have to use the 'run_as' mechanism or is it sufficient to populate the document's _user.metadata field with this, to uniquely identify the user?


(Jay Modi) #2

Hi @baden0x1,

First, I would like to apologize for your question being unanswered for so long.

In your use case, you may only need to add a field to the documents you are indexing that contains the username of the user or some other unique identifier. Once you have that, you can use a templated role query for your users and limit their access to the documents that match their information.

> While inserting data for a specific user, does this have to use the 'run_as' mechanism

The run_as mechanism does not need to be used. Populating the document with a field is all that is needed.
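
The approach described in the reply above, sketched as an added example that is not part of the original thread: the cron job stamps each document with an owner field, and a read-only role carries a templated query on `{{_user.username}}`. The field name `owner`, the index name `user-data`, and the offline `render`/`visible` helpers are assumptions made for illustration; Elasticsearch itself renders the template and applies the filter.

```python
import json

OWNER_FIELD = "owner"   # assumed field name; the thread does not name one
INDEX = "user-data"     # assumed index name

def role_body(index=INDEX, field=OWNER_FIELD):
    """Body for the Elasticsearch create-role API: read-only, filtered per user."""
    return {
        "indices": [{
            "names": [index],
            "privileges": ["read"],  # no write: users cannot rewrite the owner field
            "query": {"template": {"source": {
                "term": {field: "{{_user.username}}"}
            }}},
        }]
    }

def cron_document(username, payload, field=OWNER_FIELD):
    """Document the cron job indexes under its own credentials (no run_as)."""
    return {**payload, field: username}

def render(role, username):
    """Offline stand-in for the server-side Mustache rendering of the role query."""
    source = role["indices"][0]["query"]["template"]["source"]
    # json.dumps escapes quotes and backslashes, so the name stays a string value
    text = json.dumps(source).replace('"{{_user.username}}"', json.dumps(username))
    return json.loads(text)

def visible(docs, role, username):
    """Apply the rendered term filter to documents (exact match on the field)."""
    field, value = next(iter(render(role, username)["term"].items()))
    return [d for d in docs if d.get(field) == value]

# Constructed sample data: two stamped documents and one written without an owner.
DOCS = [
    cron_document("alice", {"report": "q1"}),
    cron_document("bob", {"report": "q2"}),
    {"report": "unowned"},
]

if __name__ == "__main__":
    role = role_body()
    print(json.dumps(role, indent=2))
    for user in ("alice", "bob", "carol"):
        print(user, "->", visible(DOCS, role, user))
```

A document indexed without the owner field matches no user's filter, so the cron job has to stamp every document it writes. The `term` query is an exact match, so the owner field should be mapped as a keyword rather than analyzed text.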

