Integrating REST API call into role template


(Eric Walters) #1

I am trying to implement an ABAC scheme, similar to the link below.

I would like to add on certain functionality - my users authenticate through PKI and their attributes, instead of being hardcoded into Elasticsearch through a metadata field, are stored in and accessible through a third-party API. Using a DN, I can retrieve a JSON object containing the attributes that I need.

My issue is then integrating this JSON object into the mustache template so I can use the fields for terms_set. My idea so far, mostly based off of the example scripting plugin (https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting-engine.html) is to write a custom ScriptEngine plugin so that I can make the API call and get my JSON object in Java, then retrieve it and access it similar to below.

        "script": {
            "source": "custom_API_call",
            "lang": "expert_scripts",
            "params": {
                "DN": "CN=test,...,..."
            }
        }

        {\"terms\": {{#toJson}}API_JSON_RESULT.metadata.security_attributes{{/toJson}}, ...}

Would anybody be able to give me some guidance on how best to do this? I haven't been able to make much headway looking at the Javadocs - I don't really need any of the advanced functionality that many of the plugin classes give. Could the TemplateScript class be used to return what is essentially simple text?

I'm pretty new to this - thanks for the help!


(Mike Barretta) #2

@ewalters-cspace
I don't think the role creation step is the right place to do this.

Since you want to add metadata to the user, I think the best idea is creating a custom realm. That way, you could add the API call into the authentication logic.

You should be able to call most of the existing PkiRealm methods from your custom implementation so as to minimize the amount of code you have to write.

That make sense?

With the custom realm in place, the role creation step using the user metadata templates should work as illustrated in the blog.
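To make the division of labour concrete: the realm attaches the attributes as user metadata at authentication time, and the role's query template only reads `_user.metadata` when the query is rendered. The following Python script is an added example written for this thread; it is not code from Elastic or from either poster. It uses a minimal stand-in for Elasticsearch's mustache rendering (only `{{#toJson}}...{{/toJson}}` and `{{path}}` are supported) and a local model of the `terms_set` query, so the whole flow can be checked offline. The sample user, sample documents, and the field names `required_attributes` and `required_attributes_count` are constructed assumptions.

```python
import json
import re

# Constructed sample user: the metadata a custom realm (wrapping PKI auth, as
# suggested above) would attach after looking the DN up in the attribute API.
SAMPLE_USER = {
    "username": "CN=test,OU=example,O=example",
    "roles": ["abac_reader"],
    "metadata": {"security_attributes": ["proj_alpha", "clearance_l2"]},
}

# Constructed sample documents. "required_attributes_count" must equal the
# length of "required_attributes"; in a real index keep the two in sync at
# ingest time (e.g. with an ingest pipeline), because terms_set trusts it.
SAMPLE_DOCS = [
    {"_id": "doc1", "required_attributes": ["proj_alpha"], "required_attributes_count": 1},
    {"_id": "doc2", "required_attributes": ["proj_alpha", "clearance_l2"], "required_attributes_count": 2},
    {"_id": "doc3", "required_attributes": ["proj_alpha", "clearance_l3"], "required_attributes_count": 2},
    {"_id": "doc4", "required_attributes": ["proj_beta"], "required_attributes_count": 1},
]

# Role query template, as it would be stored in the role's "query" field.
# {{#toJson}}...{{/toJson}} is Elasticsearch's mustache extension that
# serialises the referenced value as JSON; _user is the authenticated user.
# The field and metadata names are assumptions for this example.
ROLE_QUERY_TEMPLATE = (
    '{"terms_set": {"required_attributes": {'
    '"terms": {{#toJson}}_user.metadata.security_attributes{{/toJson}}, '
    '"minimum_should_match_field": "required_attributes_count"}}}'
)

TOJSON_RE = re.compile(r"\{\{#toJson\}\}([\w.]+)\{\{/toJson\}\}")
PLAIN_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(context, dotted_path):
    """Resolve 'a.b.c' against nested dicts, as the template engine does."""
    value = context
    for key in dotted_path.split("."):
        value = value[key]
    return value


def render_role_query(template, user):
    """Minimal stand-in for Elasticsearch's mustache rendering of a role query.

    Only the two constructs used here are supported: {{#toJson}}path{{/toJson}}
    (JSON-serialised value) and {{path}} (plain string value).
    """
    context = {"_user": user}
    rendered = TOJSON_RE.sub(lambda m: json.dumps(lookup(context, m.group(1))), template)
    rendered = PLAIN_RE.sub(lambda m: str(lookup(context, m.group(1))), rendered)
    return json.loads(rendered)


def matches_terms_set(query, doc):
    """Local model of terms_set: the number of distinct query terms present in
    the document field must be at least the document's own minimum."""
    (field, clause), = query["terms_set"].items()
    present = set(clause["terms"]) & set(doc.get(field, []))
    minimum = doc.get(clause["minimum_should_match_field"], 0)
    return len(present) >= minimum


def authorized_docs(user, docs):
    """IDs of the documents document-level security would let this user read."""
    query = render_role_query(ROLE_QUERY_TEMPLATE, user)
    return [d["_id"] for d in docs if matches_terms_set(query, d)]


if __name__ == "__main__":
    print(json.dumps(render_role_query(ROLE_QUERY_TEMPLATE, SAMPLE_USER), indent=2))
    print(authorized_docs(SAMPLE_USER, SAMPLE_DOCS))
```

With the sample data the user sees doc1 and doc2 only: doc3 requires an attribute the user does not hold, and doc4 requires a different project. Two things worth checking when deploying this for real: the count field has to be maintained consistently with the attribute list at index time, since a stale or hand-edited count changes the access decision, and the template never makes a network call itself, so a failure of the attribute API surfaces as an authentication failure in the realm rather than as a silently permissive query.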


(Eric Walters) #3

That makes a lot more sense, thank you! That should work great.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.