SHIELD: Can we use patterns while naming roles in roles.yml in SHIELD

security

(Krushnat Khawale) #1

I am providing functionality where I can create users with the roles [ admin, user ].
There will be a number of users falling into both categories, and they will also be
able to upload their files using Logstash.
Specifying just admin and user roles in the roles.yml file will let every admin access
his own and every other admin's 'index'; similarly, a user can also do the same.

Is there a way of using REGEX patterns for specifying roles, like we do in index names?


(Jay Modi) #2

Hi,

If I understand correctly, I think the proper solution would be to create individual roles for the admins that administrate different indices using the pattern support in the names for indices.

For example in the roles.yml:

admin_a:
  indices:
    'a': all

admin_b:
  indices:
    'b-*': all

Then the users would be assigned the appropriate roles. This would allow the administrators to be restricted to only the indices they need to administer.


(Krushnat Khawale) #3

Hi, is there a utility to create roles, like esusers? Or some workaround?
If not, what is the best way to update them programmatically, apart from parsing and updating the file?
Also, is there a limitation on the maximum number of roles, and of users per role?

Regards, K


(Krushnat Khawale) #4

Also, is an Elasticsearch restart required after adding roles?


(Jay Modi) #5

Currently, the way to do it is to make changes in the files; an automation tool will be helpful here in distributing the files to multiple instances. The users and roles files are watched for changes and will be reloaded at runtime if they have been changed, so there is no need for a restart. Does your use case require you to create roles often?

In a future version of Shield, there will be APIs for user and role management.


(Krushnat Khawale) #6

Yes! We need to create roles very often. As per the use case, we want each user to have secured access...
Kindly guide?

Also appreciate the quick response!


(Jay Modi) #7

Can you explain a bit more? Are you creating new users or new indices often that require new roles? If possible, can you explain your workflow?


(Krushnat Khawale) #8

@jaymode Here is the workflow.

We are creating a system for uploading CSV files quickly and visualizing the data easily.
The users who are going to use the system are employees with different designations, like
manager, team lead and developer.
A manager can add users as manager, team lead or developer; similarly,
a team lead can also add users as team lead or developer. We want to set access as follows:

Manager => should be able to view visualizations of self, the team leads he created and the developers
he created

Team lead => should be able to do the same for self and the developers he created

Developer => should be able to do the same for self only.

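The per-user roles suggested in #2, applied to the manager / team lead / developer workflow in #8, as an added example (this is not code from the thread, from Shield, or from Elastic): a small Python script that generates the roles.yml and users_roles entries from a "who created whom" table, so the files can be regenerated every time a user is added and picked up by Shield's file watcher without a restart (as #5 describes). Everything about naming is an assumption the thread does not make: each user's uploads are assumed to land in indices named `<username>-*`, each user gets one role named `role_<username>`, the creator gets read-only access to the indices of the users they directly created, and the sample hierarchy is constructed for the example.

```python
"""Generate Shield roles.yml / users_roles entries from a user-creation hierarchy.

Added example, not code from the discussion or from Shield. Assumed conventions:
  - a user's data lives in indices named "<username>-*"   (assumption)
  - one role per user, named "role_<username>"            (assumption)
  - full ("all") privileges on one's own indices, "read" on the indices of
    users one directly created, matching the access rules stated in post #8
"""

# Who is allowed to create whom, as stated in post #8.
ALLOWED_CREATION = {
    "manager": {"manager", "team_lead", "developer"},
    "team_lead": {"team_lead", "developer"},
    "developer": set(),
}

# Constructed sample hierarchy (not real data): designation and creator per user.
SAMPLE_USERS = {
    "alice": {"designation": "manager", "created_by": None},
    "bob": {"designation": "team_lead", "created_by": "alice"},
    "carol": {"designation": "developer", "created_by": "bob"},
    "dave": {"designation": "developer", "created_by": "alice"},
}


def index_pattern(username):
    """Index pattern owned by a user (assumed naming convention)."""
    return "%s-*" % username


def validate(users):
    """Reject hierarchies that violate the creation policy or break the naming scheme."""
    for name, info in users.items():
        if "-" in name:
            # "bob-a" would be matched by bob's pattern "bob-*"; refuse such names.
            raise ValueError("username %r must not contain '-'" % name)
        creator = info["created_by"]
        if creator is None:
            continue
        if creator not in users:
            raise ValueError("%s was created by unknown user %s" % (name, creator))
        creator_role = users[creator]["designation"]
        if info["designation"] not in ALLOWED_CREATION[creator_role]:
            raise ValueError("a %s may not create a %s (%s -> %s)"
                             % (creator_role, info["designation"], creator, name))


def subordinates(users, username):
    """Users directly created by `username` (post #8 grants access only to those)."""
    return sorted(n for n, info in users.items() if info["created_by"] == username)


def build_roles(users):
    """Return {role_name: {index_pattern: privilege}} for every user."""
    validate(users)
    roles = {}
    for name in sorted(users):
        privileges = {index_pattern(name): "all"}          # own indices
        for sub in subordinates(users, name):
            privileges[index_pattern(sub)] = "read"        # subordinates' indices
        roles["role_" + name] = privileges
    return roles


def render_roles_yml(roles):
    """roles.yml fragment in the layout used in post #2."""
    lines = []
    for role, privileges in roles.items():
        lines.append("%s:" % role)
        lines.append("  indices:")
        for pattern, privilege in privileges.items():
            lines.append("    '%s': %s" % (pattern, privilege))
        lines.append("")
    return "\n".join(lines)


def render_users_roles(roles):
    """users_roles file: one 'role:user1,user2' line per role (here one user each)."""
    return "\n".join("%s:%s" % (role, role[len("role_"):]) for role in roles) + "\n"


if __name__ == "__main__":
    generated = build_roles(SAMPLE_USERS)
    print(render_roles_yml(generated))
    print(render_users_roles(generated))
```

Writing the generated text over the roles.yml and users_roles files on every node is what the automation tool in #5 would do; the users file itself (passwords) is still managed with esusers. Two points to keep in mind: `all` on a user's own pattern includes deleting those indices, so use a narrower privilege list if Logstash only needs to index; and the `-` separator is what stops `bob-*` from also matching a user named `bobby`, which is why `validate` rejects hyphens inside usernames. If team leads' developers should roll up to the manager, make `subordinates` walk the hierarchy transitively instead of one level.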
