In a multi-tiered application, we've normally got separation / an abstraction layer between the application layer and database. To access the database, the application gets a user name to access the database.
In what I've been reading about securing ElasticSearch, most of the text discusses direct database access for users. In a multi-user, application, indices and documents within will be secured to a tenant, while keeping a user list in a separate index. Got it.
Now, what about granting the application layer access to the database - now it's completely isolated from front-end users. Next, add on _user.metadata (hash) to each document as it is written -based on who's document it is.
For retrieval, the application layer will add the logged-in user's meta-data hash.
However, since we are using the application tier's user ID, I just have to ensure that it is in an admin/super-user role in ElasticSearch, correct?
Is this a good strategy for ES or is there a better way of doing this?