What is a good user security strategy in a muti-tiered application?


#1

In a multi-tiered application, we've normally got separation / an abstraction layer between the application layer and database. To access the database, the application gets a user name to access the database.

In what I've been reading about securing ElasticSearch, most of the text discusses direct database access for users. In a multi-user, application, indices and documents within will be secured to a tenant, while keeping a user list in a separate index. Got it.

Now, what about granting the application layer access to the database - now it's completely isolated from front-end users. Next, add on _user.metadata (hash) to each document as it is written -based on who's document it is.

For retrieval, the application layer will add the logged-in user's meta-data hash.

However, since we are using the application tier's user ID, I just have to ensure that it is in an admin/super-user role in ElasticSearch, correct?

Is this a good strategy for ES or is there a better way of doing this?


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.