Role hierarchy


(Alain Roy) #1

Hi everybody,
I am looking to design my security model. Based on my initial assumption, I thought that because the security is based on index patterns, with Shield, pattern expansion was done. Let me give you an example. Let's say I have a company called abc, with the following patterns:
abc-*, abc-finances-* and abc-production-*. I thought that giving someone access to the pattern abc-* would also give access to the patterns abc-finances-* and abc-production-*. I did some testing and it doesn't seem to be true. You can see all the indices with the pattern abc-*, but you can't use the pattern abc-finances-* or abc-production-* unless you have a specific grant on each of those patterns. Am I correct?

(Steve Kearns) #2

Hi Alain,

When you create roles in Shield, you can use wildcards in the index name, so abc-* would expand to include any indexes that also match abc-finances-* and abc-production-*.

Thus, if my user was assigned a role that granted read access to abc-*, when I run a search against abc-* indexes, wildcard expansion of index names would end up also including abc-finances-* and abc-production-*.

However, you are mentioning Index Patterns, which is a Kibana-level concept. The index expansion happens at the ES level, so it should also work, if you create the index pattern with abc-*.

Hope that helps!
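As an added illustration (not part of the original posts and not Shield's code), the sketch below models the evaluation order described in this reply: the request's wildcard is expanded to concrete index names, and each concrete name is then checked against the role's patterns. The index names, role names and helper functions are constructed for the example, and the handling of explicit index names is a simplifying assumption.

```python
from fnmatch import fnmatchcase

# Constructed sample data: these indices and roles are illustrative only.
CLUSTER_INDICES = [
    "abc-2016.01", "abc-finances-2016.01", "abc-finances-2016.02",
    "abc-production-2016.01", "xyz-finances-2016.01",
]
ROLES = {
    "abc_all": {"abc-*": {"read"}},
    "abc_finances_only": {"abc-finances-*": {"read"}},
}

def authorized(role, index, privilege):
    """True if any pattern in the role grants `privilege` on a concrete index."""
    return any(privilege in privs and fnmatchcase(index, pattern)
               for pattern, privs in ROLES[role].items())

def resolve(role, expression, privilege="read"):
    """Expand the request's index expression to concrete indices, then keep
    only the ones the role authorizes. An explicit (non-wildcard) index name
    that exists but is not authorized is rejected rather than dropped."""
    is_wildcard = any(c in expression for c in "*?")
    matched = [i for i in CLUSTER_INDICES if fnmatchcase(i, expression)]
    allowed = [i for i in matched if authorized(role, i, privilege)]
    if not is_wildcard and matched and not allowed:
        raise PermissionError(f"{role} has no {privilege} on {expression}")
    return allowed

if __name__ == "__main__":
    # A narrower request pattern under a broader grant still resolves.
    print(resolve("abc_all", "abc-finances-*"))
    # A broader request pattern under a narrower grant is trimmed, not widened.
    print(resolve("abc_finances_only", "abc-*"))
    # A request pattern that crosses tenants only returns authorized indices.
    print(resolve("abc_all", "*-finances-*"))
```

In this model the grant is evaluated per concrete index, so the request pattern never has to equal the pattern written in the role.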

(Alain Roy) #3

Hi Steve,
Thanks for your reply. My question was more from the role management standpoint. Can somebody with a grant on abc-* also use abc-finances-* and abc-productions-* without having a grant on those two index names specifically? I do understand that abc-* will return all the indices included in abc-finances-*, but it is also less specific and will probably be slower to execute.
