Submit the Query with Role defined using Document Level Security

Our system has around 100,000 users, and each user has different permissions on the data. I am planning to use the Elasticsearch roles concept to support permission/authorization. I will be defining one role on Elasticsearch for each user that exists in our system (I want to avoid creating the users on Elasticsearch) by using document level security, which is part of X-Pack. In this case, how do I specify the role as part of the query/search?

In the end, I will have a single user and thousands of roles defined on Elasticsearch, and based on who is querying, I will be submitting the role as part of the query for authorization. Is this possible? Any suggestions are welcome.

I see the documentation to submit a query on behalf of another user, but not as a different role:
https://www.elastic.co/guide/en/elasticsearch/reference/6.5/run-as-privilege.html

Thanks in advance.
Sri

This is not how it works, so will not be possible. Roles are linked to users and assigned when they log in and not submitted per query. Each role gives access to all data in an index unless you use document-level security.

What you potentially could do is store access controls on your documents and then in your application make sure that you always add a specific filter that provides the correct combination. This would probably work with a single role and user.
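The application-side filter suggested in the reply above, sketched as an added example that is not part of the original thread. The field name `allowed_principals`, the `user:`/`group:` prefixes and the helper names are assumptions made for illustration; the sample documents are constructed.

```python
import json

ACL_FIELD = "allowed_principals"  # hypothetical keyword field stored on every document


def principals_for(user_id, groups):
    """Principals the application has already authenticated for this caller."""
    if not user_id:
        raise ValueError("refusing to build a query without an authenticated user")
    return [f"user:{user_id}"] + [f"group:{g}" for g in sorted(groups)]


def secure_search_body(user_query, user_id, groups=(), size=10):
    """Wrap the caller's query so the ACL filter is always ANDed with it.

    The caller's query goes into `must` and the ACL into `filter` of the
    outer bool, so nothing inside user_query (a `should`, a nested bool)
    can widen the result set beyond what the ACL allows.
    """
    if not isinstance(user_query, dict) or len(user_query) != 1:
        raise ValueError("user_query must be a single query DSL clause")
    acl = {"terms": {ACL_FIELD: principals_for(user_id, groups)}}
    return {
        "size": size,
        "query": {"bool": {"must": [user_query], "filter": [acl]}},
    }


def visible(doc, body):
    """Local stand-in for the terms filter, to check the ACL logic offline."""
    wanted = set(body["query"]["bool"]["filter"][0]["terms"][ACL_FIELD])
    return bool(wanted & set(doc.get(ACL_FIELD, [])))


# Constructed sample documents.
DOCS = [
    {"id": 1, "title": "Q3 report", ACL_FIELD: ["user:sri", "group:finance"]},
    {"id": 2, "title": "Q3 forecast", ACL_FIELD: ["group:hr"]},
    {"id": 3, "title": "Q3 notes"},  # no ACL stored: never returned
]

if __name__ == "__main__":
    body = secure_search_body({"match": {"title": "Q3"}}, "sri", ["finance"])
    print(json.dumps(body, indent=2))
    print([d["id"] for d in DOCS if visible(d, body)])
```

The filter only acts as an access control if the application is the sole path to the index and the principals come from its own authentication, never from request parameters.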
