X-Pack Security :: Role Index Restriction with Regexp

We have an ES cluster we're using for logs. We have many indexes that are prefixed with "log-". I'm trying to create two roles, one which has access to all log indexes, which is easy enough, but another that has access to all log indexes except a few. I've tried using the Lucene regex to exclude index patterns that contain certain phrases but I'm having no luck. I've found little to no documentation or examples on how to do various regex-based tasks with Lucene. I've gone through the Elasticsearch regexp syntax but that also is not getting me to what I want. Am I stuck whitelisting all indexes by name, or can I solve this with a regexp and am just not knowing what to do?

Example use case, given the following indexes:

log-widget-alpha-2017.01
log-doodad-wubwub-2017.01
log-widget-alpha-2017.02
log-doodad-wubwub-2017.02
log-wuble-wamwam-2017.01
log-monkey-2017.01

I want a role that can only have read access to all but "log-wuble-wamwam-" and "log-monkey-". If I were using standard-ish regex, I would do something like this:

POST /_xpack/security/role/untrusted-user
{
  "indices": [
    {
      "names": [ "/log-((?!wuble-wamwam|monkey).*?)-[0-9]{4}\\.[0-9]{2}/" ],
      "privileges": [ "read" ]
    }
  ]
}

https://regex101.com/r/4WyyKu/1

but this clearly doesn't work. Any suggestions? Any solution is helpful as long as I don't have to list out every index pattern individually.

Thank you

You can do this with regular expressions, but the syntax isn't super-obvious.
We use Lucene RegExp syntax for this, which is powerful, but slightly different to standard Java Patterns.

This is what you want:

POST /_xpack/security/user/test
{
  "password": "changeme",
  "roles": [ "untrusted-user" ],
  "enabled": true
}
POST /_xpack/security/role/untrusted-user
{
  "indices": [
    {
      "names": [ "/log-@&~(log-wuble-wamwam-@|log-monkey-@)/" ],
      "privileges": [ "read" ]
    }
  ]
}

Then, as user test:

GET /_xpack/security/user/_has_privileges
{
  "index" : [
    {
      "names": [
        "log-widget-alpha-2017.01",
        "log-doodad-wubwub-2017.01",
        "log-widget-alpha-2017.02",
        "log-doodad-wubwub-2017.02",
        "log-wuble-wamwam-2017.01",
        "log-monkey-2017.01",
        "log-log-monkey-2017.01",
        "not-log-widget-alpha-2017.02"
        ],
      "privileges": [ "read" ]
    }
  ]
}
---
{
  "username" : "test",
  "has_all_requested" : false,
  "cluster" : { },
  "index" : {
    "log-widget-alpha-2017.01" : {
      "read" : true
    },
    "log-doodad-wubwub-2017.01" : {
      "read" : true
    },
    "log-widget-alpha-2017.02" : {
      "read" : true
    },
    "log-doodad-wubwub-2017.02" : {
      "read" : true
    },
    "log-wuble-wamwam-2017.01" : {
      "read" : false
    },
    "log-monkey-2017.01" : {
      "read" : false
    },
    "log-log-monkey-2017.01" : {
      "read" : true
    },
    "not-log-widget-alpha-2017.02" : {
      "read" : false
    }
  }
}
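As an added example (not code from the thread), a small Python dry-run that builds the role's Lucene RegExp from an allowed prefix and a list of excluded prefixes, and emulates how Elasticsearch evaluates it against index names before the role is pushed to the cluster. It assumes Lucene RegExp matching is anchored to the whole name, that `@` is "any string", `~` is complement and `&` is intersection, and that the helper names and the escaping rule are hypothetical.

```python
import re
from typing import Dict, List

# Constructed from the role in the answer above (hypothetical helper values).
ALLOWED_PREFIX = "log-"
EXCLUDED_PREFIXES = ["log-wuble-wamwam-", "log-monkey-"]

# Characters reserved by Lucene RegExp (assumption: escaped with a backslash).
_LUCENE_RESERVED = re.compile(r'[.?+*|{}\[\]()"\\#@&<>~]')


def lucene_role_pattern(allowed: str, excluded: List[str]) -> str:
    """Build the Lucene RegExp for the role's "names" entry.

    '@' matches any string, '~' is complement, '&' is intersection, so
    /P@&~(E1@|E2@)/ reads "starts with P and does not start with E1 or E2".
    """
    esc = lambda s: _LUCENE_RESERVED.sub(lambda m: "\\" + m.group(0), s)
    carve = "|".join(f"{esc(e)}@" for e in excluded)
    return f"/{esc(allowed)}@&~({carve})/"


def allowed_by_role(index_name: str, allowed: str, excluded: List[str]) -> bool:
    """Local emulation of the pattern: anchored match, so '@' is fullmatch('.*').

    Intersection with a complement is "matches the allowed part AND NOT the
    excluded part". The complement is applied to the whole name, which is why
    "log-log-monkey-..." is still allowed: it does not start with "log-monkey-".
    """
    hit = lambda prefix: re.fullmatch(re.escape(prefix) + ".*", index_name) is not None
    return hit(allowed) and not any(hit(e) for e in excluded)


def check_role(index_names: List[str], allowed: str = ALLOWED_PREFIX,
               excluded: List[str] = EXCLUDED_PREFIXES) -> Dict[str, bool]:
    """Map each index name to whether the role would grant access to it."""
    return {name: allowed_by_role(name, allowed, excluded) for name in index_names}


if __name__ == "__main__":
    # The same constructed index names the answer passed to _has_privileges.
    names = ["log-widget-alpha-2017.01", "log-doodad-wubwub-2017.01",
             "log-wuble-wamwam-2017.01", "log-monkey-2017.01",
             "log-log-monkey-2017.01", "not-log-widget-alpha-2017.02"]
    print(lucene_role_pattern(ALLOWED_PREFIX, EXCLUDED_PREFIXES))
    for name, ok in check_role(names).items():
        print(f"{name:30} read={ok}")
```

The emulated results match the `_has_privileges` output in the answer, including the "log-log-monkey-2017.01" case, which is worth noticing when the excluded prefixes can themselves appear later in a name.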

I found that Lucene javadoc on regex but it wasn't particularly helpful for me. Your response and this page were much more helpful.

https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html

With your response, I was able to achieve what I needed.

Many thanks.
