Protect field values in elasticsearch

I have the following structure in the elasticsearch index "answers":

{"can_view": ["F1", "F2", "F3"],"firstname": "John","lastname": "Black"}
{"can_view": ["F1", "F2"],"firstname": "Jack","lastname": "Grey"}
{"can_view": ["F2", "F3"],"firstname": "Adam","lastname": "Brown"}

I have set up XPack Security for elasticsearch. I have three users in the system: F1, F2, F3.

I've added a role for securing documents with this request.

POST /_xpack/security/role/alias_read
{
    "indices" : [
        {
            "names": [ "answers" ],
            "privileges": [ "read" ],
            "query": {
                "template": {
                    "source": {
                        "match": {
                            "can_view": "{{_user.username}}"
                        }
                    }
                }
            }
        }
    ]
}

I've assigned this role alias_read to F1, F2 and F3 users.

Now if I'm logged in as F1 user, I am able to see only those documents.

{"can_view": ["F1", "F2", "F3"],"firstname": "John","lastname": "Black"}
{"can_view": ["F1", "F2"],"firstname": "Jack","lastname": "Grey"}

If I'm logged in as F2 user, I am able to see only those documents

{"can_view": ["F1", "F2"],"firstname": "Jack","lastname": "Grey"}
{"can_view": ["F2", "F3"],"name": "Adam","value": "Brown"}

That works just perfect and correct.

Now the question is whether there is a way to do similar protection, but for concrete field values (not for entire documents and not for entire fields).

For example.

I have the following structure in the elasticsearch index "answers":

{"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"} ,"lastname": {"can_view": ["F1"], "value":"Black"} }
{"firstname": {"can_view": ["F3"], "value": "Jack"} ,"lastname": {"can_view": ["F2"], "value":"Grey"} }
{"firstname": {"can_view": ["F3", "F1"], "value": "Adam"} ,"lastname": {"can_view": ["F2", "F3"], "value":"Brown"} }

What I'm trying to get is, if I'm logged in as a user F1, I should be able to see only those results:

{"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"} ,"lastname": {"can_view": ["F1"], "value":"Black"} }
{"firstname": {"can_view": ["F3", "F1"], "value": "Adam"}}

If I'm logged in as a user F2, I should be able to see only those results:

{"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"}}
{"lastname": {"can_view": ["F2"], "value":"Grey"} }
{"lastname": {"can_view": ["F2", "F3"], "value":"Brown"} }

So I would like to restrict concrete values for concrete users. Is there a way to do it in elasticsearch using xpack or maybe some other security package? Using roles or whatever?

Versions that I use are:

elasticsearch 6.5.1

kibana 6.5.1

X-Pack

I think you may have posted this with some missing information, as it's not clear what you are after.

Sorry, I accidentally posted a question with missing information. I've now added everything and edited my question.

No, I don't think that is possible as field level security is applied for the index and not per document.

Is there a way to maybe somehow use a "nested query" in a template?

I do not see how that would work, but someone else may have other suggestions. If each user was allowed to see the same fields across all documents I think you can do it through multiple roles though. If the number of permutations was reasonably low or you could group field access into a number of categories or groups you could perhaps also index different versions of the documents and then manage access by document.
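Added example (not part of the original thread and not Elastic's code): one way to read the last suggestion is to split each record into one sub-document per distinct `can_view` set, so the document-level `can_view` role query from the question can be reused unchanged. The `parent_id` field and all function names are hypothetical, and the role filter is emulated in Python rather than run against a cluster.

```python
# Added example: split per-field ACL records into per-ACL sub-documents.
from collections import defaultdict

# Constructed sample input: the three records from the question.
SOURCE_DOCS = [
    {"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"},
     "lastname": {"can_view": ["F1"], "value": "Black"}},
    {"firstname": {"can_view": ["F3"], "value": "Jack"},
     "lastname": {"can_view": ["F2"], "value": "Grey"}},
    {"firstname": {"can_view": ["F3", "F1"], "value": "Adam"},
     "lastname": {"can_view": ["F2", "F3"], "value": "Brown"}},
]


def split_by_acl(doc, parent_id):
    """Return one flat sub-document per distinct can_view set in doc."""
    groups = defaultdict(dict)
    for field, entry in doc.items():
        groups[frozenset(entry["can_view"])][field] = entry["value"]
    # parent_id (hypothetical field) lets a client regroup the pieces later.
    return [
        {"parent_id": parent_id, "can_view": sorted(acl), **fields}
        for acl, fields in groups.items()
    ]


def build_index(docs):
    """Flatten every source record into the sub-documents to be indexed."""
    return [sub for i, d in enumerate(docs) for sub in split_by_acl(d, i)]


def visible_to(index, username):
    """Emulate the role's document-level filter: can_view contains username."""
    return [d for d in index if username in d["can_view"]]


def reassemble(hits):
    """Merge the sub-documents a user may read back into per-parent records."""
    merged = defaultdict(dict)
    for hit in hits:
        fields = {k: v for k, v in hit.items() if k not in ("parent_id", "can_view")}
        merged[hit["parent_id"]].update(fields)
    return dict(merged)


if __name__ == "__main__":
    index = build_index(SOURCE_DOCS)
    for user in ("F1", "F2", "F3"):
        print(user, reassemble(visible_to(index, user)))
```

The trade-off is that a query spanning several fields of one logical record now has to be joined on the client side, and each sub-document still exposes its own `can_view` list to the users who can read it.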
