Shield document and field level security


(Seamus M) #1

So I have a somewhat unusual use case that I am wondering if ES Security can handle.

I have documents indexed into my ES cluster and I want to set up security such that:
A) Documents and Fields are searched even if the user doesn't have access to a document. Basically, if the user searches for "water" and we have a document about water which they are not allowed access to, I want to show the search result so they can request access to the document.

Also, it wasn't clear to me from the documentation how the roles stack. So I want a field to require:
(ROLE_A AND ROLE_B) OR ROLE_C. Does X-Pack security support that?


(Tim Vernum) #2

X-Pack security doesn't provide that feature.
Document Level Security is specifically designed to hide documents that the user cannot access. They will always be excluded from search results.

For what you're after, you'd need to do something within your own application.

Roles stack additively with respect to permissions.

Because the model is that roles have access to fields (rather than fields are restricted to roles), a user has access to a field if any of their roles grant them access to that field.

So "ROLE_A or ROLE_C" is totally possible - because you simply enable that field in each of those roles.
But "ROLE_A and ROLE_B" is not possible - there's no way to express dependencies between 2 roles.
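
The additive model described in the reply above, as an added example that is not part of the original thread and is not Elasticsearch code: a simplified model in which a field is visible if any of the user's roles grants it, searched exhaustively for a grant configuration that reproduces a given policy. The function names are hypothetical; the role names come from the thread.

```python
from itertools import combinations

# Role names from the thread; everything else here is a constructed model.
ROLES = ("ROLE_A", "ROLE_B", "ROLE_C")


def field_visible(user_roles, granting_roles):
    """Additive model: the field is visible if ANY held role grants it."""
    return any(role in granting_roles for role in user_roles)


def all_role_sets():
    """Every possible combination of roles, including the empty set."""
    return [frozenset(c)
            for n in range(len(ROLES) + 1)
            for c in combinations(ROLES, n)]


def find_grant_configs(policy):
    """Return every set of granting roles that matches `policy` for all users.

    `policy` is the access rule we want, as a function of the user's roles.
    An empty result means the rule cannot be expressed with additive grants.
    """
    return [granting for granting in all_role_sets()
            if all(field_visible(user, granting) == policy(user)
                   for user in all_role_sets())]


def a_or_c(roles):
    """ROLE_A OR ROLE_C"""
    return "ROLE_A" in roles or "ROLE_C" in roles


def a_and_b_or_c(roles):
    """(ROLE_A AND ROLE_B) OR ROLE_C, the rule asked about in post #1."""
    return {"ROLE_A", "ROLE_B"} <= roles or "ROLE_C" in roles


if __name__ == "__main__":
    for policy in (a_or_c, a_and_b_or_c):
        configs = [sorted(c) for c in find_grant_configs(policy)]
        print(f"{policy.__doc__}: {configs or 'not expressible'}")
```

Granting the field in ROLE_A leaks it to users who hold ROLE_A alone, and withholding it from both ROLE_A and ROLE_B hides it from users who hold both, so the search finds no configuration for the second rule; a rule like `a_and_b_or_c` has to be evaluated by the application.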

