Security discussion

Hi all x-pack security folk,

We've enjoyed very much the prospect of using X-Pack Security in our products, but find there are some aspects that could be better, either with a better design with the existing version of Security or with some extra functionality.

Usernames

A 30 character limit seems strange! It would seem natural for many applications to use an email address as a username, which seems supported by being allowed to use the '@' and '.' characters. However, there are many email addresses which are larger than 30 characters, even with our existing user base, which is small, so this hasn't been possible for us. We've had to implement a separate username to email address lookup.

Searching user data

We can store Full Name/Email and metadata with the user, but being able to search and aggregate on this data would be extremely useful. Not just for simplifying our implementation to the above problem with usernames, but also for doing analytics on users, etc. Without this, it's preferable not to use the Full Name/Email/Metadata fields but to store this information in a regular index anyway.

Meta security

Some of our users should be able to manage a subset of other users. It would be good to have this enforced at an Elastic+Security level. Kind of like document level security, but for users.

I notice that if Security had been implemented, for example, by a special index and data format, these features would all be inherently offered by existing ES functionality as well as making it easier for you without necessarily having to provide a separate API. This approach has been valuable in e.g. the implementation of Watcher.

Any comments, especially pointing out misunderstandings, etc., welcome!
Dan.

Hi Dan,

Thanks for this topic. I'll file issues for these internally.

Let me know if you have any questions or comments.

--
Josh
