Hi, I am trying to set a policy/rule for a user role in Elasticsearch, to allow them to search 2-week-old data only.
One solution would be rotating aliases, and set permissions for those, but it isn't ideal. Better solution seems to be with document level security query: "query" : "{\"range\":{\"date\":{\"gte\":\"2020-10-22\"}}}"
But to make it dynamic I wanted to use "now-14d" which doesn't work and apparently isn't supported according to https://github.com/elastic/elasticsearch/issues/64405.
Typically we would recommend that you control that via indices. Have a daily index (or the minimum granularity you really need) and either:
move them in/out of an alias each day (potentially you could use ILM to do something here)
rewrite the role every day to change which indices it has access to
It's also possible to do something with a custom roles provider (in Java), though there are some caching issues to deal with.
Use an index per day as above, but have role provider automatically calculate the set of allowed days
Use DLS and have the role provider build a query that uses fixed dates (but that fixed date is dependent on the current date).
In general, if you have the option to solve a security problem with either index names or DLS, our guidance is to use index names. It has better performance properties, and can be extended to support write operations if you ever need them (which DLS doesn't support).
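The two options in the answer above (rewriting the role daily so it lists only the allowed daily indices, or DLS with a fixed date recomputed from the current date), as an added example that is not code from the thread or from Elastic. It assumes daily indices named `logs-YYYY.MM.DD`, a `date` field as in the question, a hypothetical role name, and the role API at `PUT /_security/role/<name>`.

```python
import json
import urllib.request
from datetime import date, timedelta

INDEX_PREFIX = "logs-"            # assumed daily index naming, e.g. logs-2020.10.22
WINDOW_DAYS = 14                  # equivalent of the unsupported "now-14d"
ROLE_NAME = "recent_logs_reader"  # hypothetical role name


def _window(as_of: str):
    """Return (cutoff, today) for an ISO date string; cutoff = today - 14 days."""
    today = date.fromisoformat(as_of)
    return today - timedelta(days=WINDOW_DAYS), today


def index_name_role(as_of: str) -> dict:
    """Recommended approach: grant read on exactly the daily indices in the window.
    Re-run once a day (cron/scheduler) and PUT the result to rewrite the role."""
    cutoff, _ = _window(as_of)
    names = [f"{INDEX_PREFIX}{cutoff + timedelta(days=i):%Y.%m.%d}"
             for i in range(WINDOW_DAYS + 1)]   # cutoff..today inclusive
    return {"indices": [{"names": names, "privileges": ["read"]}]}


def dls_role(as_of: str) -> dict:
    """DLS approach: wildcard indices plus a range query with a fixed gte date
    that is computed from the current date; it too must be rewritten daily."""
    cutoff, _ = _window(as_of)
    return {"indices": [{
        "names": [f"{INDEX_PREFIX}*"],
        "privileges": ["read"],
        "query": {"range": {"date": {"gte": cutoff.isoformat()}}},
    }]}


def put_role(base_url: str, role_name: str, body: dict, authorization: str) -> dict:
    """Rewrite the role via the security API (not called on import; needs a live cluster)."""
    req = urllib.request.Request(
        f"{base_url}/_security/role/{role_name}", method="PUT",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": authorization})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Print today's role body; pipe it to put_role() from your daily job.
    print(json.dumps(index_name_role(date.today().isoformat()), indent=2))
```

Whichever variant you pick, the job that rewrites the role is the thing to monitor: if it stops running, the window silently stops moving.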