ACL block allow users with many groups access to index

Hello everyone,

I need to write an ACL block to allow users who belong to multiple groups (group X among them) to access ONLY index X. Please see the following example scenario:

  • “User A” has the following groups: “read-index1”, “read-index2”, “ec2-admin”, “access-s3bucket”

  • “User B” has the following groups: “read-index2”, “ec2-admin”

  • I have the following indices in Elasticsearch: “index1”, “index2”, “index3”, … “indexN”

If I wrote something like

- name: "Testing ACL"
  type: allow
  kibana_access: rw
  ror_kbn_auth:
    name: keycloak
    groups: ["@explode{acl:available_groups}"]
  indices: [ '@explode{acl:available_groups}#{replace_all("^read-","")}*' ]

I’d be doing an NxM relation, meaning that people in both groups “read-index1” and “read-index2” would have access to “index1”, that way giving “User B” access to “index1”, which is not allowed.

I couldn’t find a suitable way to write a block to perform this control.

Could you please give me some clue to get this done?

Thanks in advance.

Hi @nicoformoso

I think you are on a good path to achieving your goal.

groups: ["@explode{acl:available_groups}"]

You probably don’t need the above. The ror_kbn_auth authorizes your user and extracts the groups from the JWT. They will be stored in the available_groups var, so there is no need to filter by them.

Then you want to convert the groups to indices. You can achieve the conversion by removing the “read-” prefix from the name of the group. After the conversion, you get the name of the index.

So at first glance this:

  indices: [ '@explode{acl:available_groups}#{replace_all("^read-","")}*' ]

looks good. I’m not sure if you need the wildcard at the end.
And I don’t know what to do about the “ec2-admin” and the “access-s3bucket” groups (which don’t fit the pattern).
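To make the answer's point concrete, here is an added Python simulation of how the exploded `indices` expression resolves for each user. It is not ReadonlyREST code and not from either poster; it only models the semantics described in the thread: the JWT groups land in `available_groups`, `@explode` yields one entry per group of the authenticated user (so there is no NxM cross-product), and `replace_all("^read-","")` strips the prefix. The sample users, the index list (including the constructed `index10` and `ec2-admin-logs` names) and the helper names are all assumptions made for the example. It also shows the two caveats the answer raises: the trailing wildcard widening a match, and groups that do not fit the `read-` pattern still turning into index patterns.

```python
import fnmatch
import re

# Constructed sample: group memberships as they would arrive in the JWT
USERS = {
    "User A": ["read-index1", "read-index2", "ec2-admin", "access-s3bucket"],
    "User B": ["read-index2", "ec2-admin"],
}

# Constructed sample of index names present in the cluster
INDICES = ["index1", "index2", "index3", "index10", "ec2-admin-logs"]

PREFIX = re.compile(r"^read-")


def resolve_index_patterns(available_groups, wildcard=True):
    """Model the expansion of
    '@explode{acl:available_groups}#{replace_all("^read-","")}*'
    for one user: one pattern per group, prefix removed, optional trailing '*'.
    This simulates the semantics described in the thread, not ROR's implementation.
    """
    patterns = []
    for group in available_groups:
        name = PREFIX.sub("", group)
        patterns.append(name + "*" if wildcard else name)
    return patterns


def unmapped_groups(available_groups):
    """Groups without the 'read-' prefix: they still become index patterns,
    so any index whose name happens to match would be granted unintentionally."""
    return [g for g in available_groups if not PREFIX.search(g)]


def allowed_indices(available_groups, indices=INDICES, wildcard=True):
    """Indices the resolved patterns would match for this user's groups."""
    patterns = resolve_index_patterns(available_groups, wildcard=wildcard)
    return sorted(
        index for index in indices
        if any(fnmatch.fnmatchcase(index, pattern) for pattern in patterns)
    )


def check_user(user, wildcard=True):
    """Summary a reviewer can eyeball: patterns, matched indices, odd groups."""
    groups = USERS[user]
    return {
        "patterns": resolve_index_patterns(groups, wildcard=wildcard),
        "allowed": allowed_indices(groups, wildcard=wildcard),
        "unmapped_groups": unmapped_groups(groups),
    }


if __name__ == "__main__":
    for user in USERS:
        print(user, "with wildcard:", check_user(user))
        print(user, "without wildcard:", check_user(user, wildcard=False))
```

Running it shows that User B only ever resolves to `index2*` and `ec2-admin*`, so `index1` is never granted; with the wildcard, User A's `index1*` additionally matches the constructed `index10`, and the `ec2-admin*` pattern matches `ec2-admin-logs` for both users, which is the kind of unintended grant the non-matching groups can cause.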