I need to modify Elasticsearch query results based on user permissions determined by an external authorizer, before the results are used for aggregations. Anyone know if it's possible to intercept the query results, modify them, and return these results back to Elasticsearch right before aggregations are calculated using the modified results?
Hi @Dalin,
Do the permissions definitely need to come from an external provider? There is document level permissions capabilities that can be configured in Elasticsearch as covered here, but if the provider is external that might be tricky.
Are you making use of an application layer to get the results from Elasticsearch? If so I would be inclined to do the authorizer exclusion logic and aggregation there.
Hi @carly.richmond,
Thank you for your response. Yes, in my case, the permissions do come from an external provider, specifically an application using OpenFGA as a base. I understand that Elasticsearch has document-level permissions capabilities, but I'm not sure if it's what I am aiming for since I have an external authorizer to provide permissions. DLS also requires me to specify the access permissions for each role, but the problem with that is hierarchical structures. I'm not sure how well DLS would handle that.
As for the application layer, I do have one, but I'm trying to avoid performing the aggregation logic there due to the potential scalability issues. My goal is to let Elasticsearch handle the aggregations, but with the search results already filtered based on the user permissions from OpenFGA.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.