I thought that might be the case.
The problem with Shield for my use case is authentication and authorization
are closely tied together. Generally speaking, we want to limit access to
indexes via LDAP/AD groups which are assigned to Shield roles. We want to
be able to use a "system/daemon" account to query Elasticsearch, but pass
in a "proxy" or "impersonation" user which can be looked up to see
what effective groups they have and from which indexes they can get
results. Without the proxy user ability, we are forced to login the user
via their username and password. The problem is that users will not
directly access Elasticsearch and we don't have access to their password.
Our users will be authenticated via a separate application/user interface
which will be using single sign on tokens. The application doesn't have
access to the user's password to pass to Elasticsearch. So there isn't an
easy way to say "I have user1234 running a query and I need you to filter
index results appropriately for this authenticated user".
We want to manage index permissions using LDAP/AD groups and roles using
Shield. We don't want to have to do that in the application. The current
workaround seems to be some sort of API overlay to Elasticsearch which
will first check to see if the user exists using an admin account. If the
user account doesn't exist (first time logging in), then create the user
account using a hash of the users' group permissions from LDAP/AD. It's not
ideal, but it'll probably get the job done until Shield is
On Wednesday, April 29, 2015 at 5:03:51 PM UTC-4, Jay Modi wrote:
We don't currently have a way to do this with Shield. Can you tell us a
little more about your scenario? Your users are logging into your
application and then accessing data in Elasticsearch, which is protected by
This type of information is helpful for us as we plan features for future
releases of Shield.
On Wednesday, April 29, 2015 at 3:06:57 PM UTC-4, Michael Young wrote:
I have Elasticsearch 1.5.2 and Shield 1.2.0 configured and working
against Active Directory. This seems to work pretty well. However, I was
wondering if there was a way to pass in a "proxy user" from an application
to get the appropriate index filtering via access controls without having
to pass in the username AND password from the application.
Is there a way to do this with Shield?
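The core access decision such an API overlay would have to make for a proxy user (resolve AD groups to Shield roles, then to the index patterns those roles may read, and refuse indices outside that set instead of running the query with the daemon account's broader rights), as an added example that is not code from the thread or from Shield. The group, role and index-pattern mappings are constructed sample data, and the fingerprint function stands in for the "hash of the users' group permissions" mentioned in the first post.

```python
import fnmatch
import hashlib

# Constructed sample mappings (hypothetical): AD group DN -> Shield role names,
# and Shield role -> index patterns it may read. A real overlay would load
# these from the deployment's role mapping and roles configuration.
GROUP_TO_ROLES = {
    "CN=log-readers,OU=Groups,DC=example,DC=com": ["logs_reader"],
    "CN=finance,OU=Groups,DC=example,DC=com": ["finance_reader"],
    "CN=es-admins,OU=Groups,DC=example,DC=com": ["admin"],
}
ROLE_TO_INDEX_PATTERNS = {
    "logs_reader": ["logstash-*"],
    "finance_reader": ["finance-*"],
    "admin": ["*"],
}


def roles_for_groups(groups):
    """Effective roles for the proxy user, derived only from their AD groups."""
    roles = set()
    for group in groups:
        roles.update(GROUP_TO_ROLES.get(group, []))
    return roles


def permitted_index_patterns(groups):
    """Union of index patterns readable through any of the user's roles."""
    patterns = set()
    for role in roles_for_groups(groups):
        patterns.update(ROLE_TO_INDEX_PATTERNS.get(role, []))
    return patterns


def index_allowed(index, groups):
    """Shield-style wildcard match of one concrete index name against the patterns."""
    return any(fnmatch.fnmatchcase(index, p) for p in permitted_index_patterns(groups))


def filter_indices(requested, groups):
    """Split requested indices into (allowed, denied) for the proxy user.
    The overlay should reject or narrow the request when 'denied' is non-empty."""
    allowed = [i for i in requested if index_allowed(i, groups)]
    denied = [i for i in requested if not index_allowed(i, groups)]
    return allowed, denied


def permission_fingerprint(groups):
    """Order- and case-insensitive hash of the group set; a changed value means a
    cached per-user mapping is stale because AD memberships changed."""
    canonical = "\n".join(sorted(g.lower() for g in groups))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
```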