jQuery Autocomplete and security injection in a multi-tenanted environment


(Paul Smith) #1

Following up from a tweet kimchy did about the jQuery autocomplete
integration with ElasticSearch, I wondered how I would do the same thing,
but automatically inject on an application layer a 'security' filter.

In our multi-tenanted case we could never expose our ES instance out to the
wild because it combines data between parties and certain people could only
see certain slices of that data (done via a 'security' filter).

One could embed the security filter into the jQuery autocomplete snippet
but obviously anyone with half a brain could easily just strip that out...

So for performance reasons I would like the UI to do the jQuery autocomplete
and send that ajax call to our application tier, which takes that, converts
it back to a Java object version of the query object, injects the
appropriate security filter for this user and submits it to the internal ES
instance. The result stream could just be streamed back direct to the
client browser.

Can someone point out where in the source code the JSON structure of a
request to ES is converted back to object form? I'm going blind, again. Is it
the XContentIndexQueryParser? I'd only want the object that can convert it
back to Java object form without needing all the other ES internals that
object requires.

But other than that, is there a different pattern someone else has tried for
this sort of thing? Most autocomplete stuff I've seen with ES implies a
direct connect to the ES instance, which in this case isn't a good idea.

cheers,

Paul


(Shay Banon) #2

Confused a bit, if you are after converting a JSON search request to a Java "SearchSource", then there is no such code, since it's not needed in elasticsearch.

You can simplify the jQuery part, have it send what you need (the query), and build the search request out of it. Another option is to munge the JSON you get and pass it to elasticsearch (though, Java is probably the worst language to munge things like JSON).
On Wednesday, March 23, 2011 at 6:55 AM, Paul Smith wrote:
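The pattern Shay suggests (the browser sends only the typed prefix, the application tier builds the whole search request and adds the per-user filter itself) is sketched below as an added example; it is not code from either post or from Elasticsearch. The session store, the field names (`name.autocomplete`, `tenant`) and the `bool`/`filter` query shape are assumptions. It also shows, for contrast, why forwarding a client-supplied body is the weak variant Paul describes: nothing on the server re-adds the filter the client chose to drop.

```python
"""Autocomplete proxy: the client sends only a prefix, the server builds the
Elasticsearch request and injects the tenant filter from the session, so the
'security' filter never reaches the browser and cannot be stripped there.
Added example; field names, session lookup and DSL shape are assumptions."""
import json
import re

# Constructed stand-in for the application's session store: session token ->
# tenant ids this user may see. Comes from the authenticated session, never
# from the request body.
SESSION_TENANTS = {
    "sess-alice": ["acme"],
    "sess-bob": ["acme", "globex"],
}

# Only a short, plain prefix is accepted from the client. Full query DSL,
# wildcards or a "filter" key are rejected before anything reaches ES.
_PREFIX_RE = re.compile(r"^[\w .'-]{1,50}$")


class Rejected(Exception):
    """Raised when the client payload or session is not acceptable."""


def tenants_for(session_token):
    """Resolve the caller's visible tenants from the server-side session."""
    try:
        return SESSION_TENANTS[session_token]
    except KeyError:
        raise Rejected("unknown session")


def build_autocomplete_request(session_token, client_payload):
    """Turn the minimal client payload {"q": "<prefix>"} into a full search
    body. The tenant filter is taken from the session, so the client has no
    way to influence or remove it. Uses a bool query with a scoring prefix
    clause and a non-scoring terms filter (assumed field names)."""
    if not isinstance(client_payload, dict) or set(client_payload) != {"q"}:
        raise Rejected("client may only send the typed prefix")
    prefix = client_payload["q"]
    if not isinstance(prefix, str) or not _PREFIX_RE.match(prefix):
        raise Rejected("bad prefix")
    allowed = tenants_for(session_token)
    return {
        "size": 10,
        "_source": ["name"],
        "query": {
            "bool": {
                "must": [{"prefix": {"name.autocomplete": prefix.lower()}}],
                "filter": [{"terms": {"tenant": allowed}}],
            }
        },
    }


def forward_raw_body_insecure(client_body):
    """The variant the thread warns against: forward whatever JSON the client
    sent. The 'security' filter is present only if the client kept it."""
    return json.loads(client_body)  # nothing here re-adds a tenant filter


def has_tenant_filter(body):
    """Check whether a search body carries a tenant terms filter."""
    clauses = body.get("query", {}).get("bool", {}).get("filter", [])
    return any("tenant" in f.get("terms", {}) for f in clauses)


if __name__ == "__main__":
    print(json.dumps(build_autocomplete_request("sess-bob", {"q": "pau"}), indent=2))
    stripped = forward_raw_body_insecure(
        '{"query": {"bool": {"must": [{"prefix": {"name.autocomplete": "pau"}}]}}}'
    )
    print("raw forwarded body carries tenant filter:", has_tenant_filter(stripped))
```

The built request can be posted to the internal ES instance and its response streamed straight back to the browser, as Paul proposed; the only thing the proxy ever parses is the prefix, so no reverse mapping of ES request JSON into Java objects is needed.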
