Range query in doc lvl security

Hi, I am trying to set a policy/rule for a user role in Elasticsearch, to allow them to search only data that is up to 2 weeks old.

One solution would be rotating aliases and setting permissions for those, but it isn't ideal. A better solution seems to be a document-level security query:
"query" : "{\"range\":{\"date\":{\"gte\":\"2020-10-22\"}}}"
But to make it dynamic I wanted to use "now-14d", which doesn't work and apparently isn't supported, according to https://github.com/elastic/elasticsearch/issues/64405.

Is there some other way to achieve what I want?

There's no great solution.

Typically we would recommend that you control that via indices. Have a daily index (or the minimum granularity you really need) and either:

  1. move them in/out of an alias each day (potentially you could use ILM to do something here)
  2. rewrite the role every day to change which indices it has access to

It's also possible to do something with a custom roles provider (in Java), though there are some caching issues to deal with.

  1. Use an index per day as above, but have role provider automatically calculate the set of allowed days
  2. Use DLS and have the role provider build a query that uses fixed dates (but that fixed date is dependent on the current date).

In general, if you have the option to solve a security problem with either index names or DLS, our guidance is to use index names. It has better performance properties, and can be extended to support write operations if you ever need them (which DLS doesn't support).
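The three mechanical variants the answer describes (a role rewritten daily to list the in-window daily indices, a DLS query whose fixed cutoff date is recomputed each day, and an alias that is rolled forward one index per day) are easy to script. The following is an added example written for this thread, not code from the original posts or from Elastic; the index naming `logs-YYYY.MM.DD`, the role name, the alias name, the `ES_URL`/`ES_API_KEY` environment variables and the `date` field name are assumptions (the field name is taken from the asker's query). The window is defined exactly as `gte now-14d` would be: everything from fourteen days ago up to and including today.

```python
"""Daily job that rewrites an Elasticsearch role (or rolls an alias) so a
user can only read the last 14 days of daily indices.
Added example for this thread, not code from the original posts; the index
prefix, role name, alias name and environment variables are assumptions."""
import json
import os
import urllib.request
from datetime import date, timedelta

INDEX_PREFIX = "logs-"            # assumed daily index naming: logs-YYYY.MM.DD
DATE_FIELD = "date"               # field used in the asker's DLS query
ROLE_NAME = "recent_logs_reader"  # assumed role name
ALIAS = "logs-recent"             # assumed alias for the alias-rotation variant
WINDOW_DAYS = 14                  # same meaning as the "now-14d" the asker wanted


def index_name(day):
    return f"{INDEX_PREFIX}{day:%Y.%m.%d}"


def window(today, days=WINDOW_DAYS):
    """Days covered by 'gte now-<days>d' evaluated at 'today', oldest first."""
    cutoff = today - timedelta(days=days)
    return [cutoff + timedelta(days=i) for i in range(days + 1)]


def allowed_indices(today, days=WINDOW_DAYS):
    return [index_name(d) for d in window(today, days)]


def role_body(today, days=WINDOW_DAYS):
    """Role restricted by index name only (the answer's recommended option).
    An index outside the window is simply not granted, so no DLS is needed
    and the role also works for write privileges if they are ever added."""
    return {
        "cluster": [],
        "indices": [{
            "names": allowed_indices(today, days),
            "privileges": ["read", "view_index_metadata"],
        }],
    }


def dls_role_body(today, days=WINDOW_DAYS):
    """The answer's other option: a DLS query with a *fixed* cutoff date
    computed from today, rewritten daily because 'now-14d' is not accepted."""
    cutoff = today - timedelta(days=days)
    return {
        "cluster": [],
        "indices": [{
            "names": [f"{INDEX_PREFIX}*"],
            "privileges": ["read"],
            "query": {"range": {DATE_FIELD: {"gte": cutoff.isoformat()}}},
        }],
    }


def alias_actions(today, days=WINDOW_DAYS):
    """Body for POST /_aliases that moves the window forward by one day:
    add today's index and drop the one that just aged out (assumed to exist
    and to carry the alias). _aliases applies both actions atomically."""
    expired = today - timedelta(days=days + 1)
    return {"actions": [
        {"add": {"index": index_name(today), "alias": ALIAS}},
        {"remove": {"index": index_name(expired), "alias": ALIAS}},
    ]}


def put_role(es_url, auth_header, body, role=ROLE_NAME):
    """PUT /_security/role/<role>; only called when ES_URL is set."""
    req = urllib.request.Request(
        f"{es_url}/_security/role/{role}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": auth_header},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    today = date.today()
    body = role_body(today)
    print(json.dumps(body, indent=2))
    es = os.environ.get("ES_URL")          # assumed, e.g. https://es:9200
    if es:
        api_key = os.environ["ES_API_KEY"]  # assumed: a base64 API key
        print(put_role(es, f"ApiKey {api_key}", body))
```

Run it from a scheduler shortly after midnight in the timezone your daily indices are named in; `date.today()` uses the host's local time, so pin `TZ` to match or a role can lag or lead the index rollover by a day. For 2020-11-05 the index-name variant grants `logs-2020.10.22` through `logs-2020.11.05` and the DLS variant emits `"gte": "2020-10-22"`, the same fixed date the asker used by hand.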

