ACL block to allow users with many groups access to an index

Hello everyone,

I need to write an ACL block to allow users who belong to multiple groups (group X among them) to access ONLY index X. Please see the following example scenario:

  • “User A” has the following groups: “read-index1”, “read-index2”, “ec2-admin”, “access-s3bucket”

  • “User B” has the following groups: “read-index2”, “ec2-admin”

  • I have the following indices in Elasticsearch: “index1”, “index2”, “index3”, … “indexN”

If I wrote something like

- name: "Testing ACL"
  type: allow
  kibana_access: rw
  ror_kbn_auth:
    name: keycloak
    groups: ["@explode{acl:available_groups}"]
  indices: [ '@explode{acl:available_groups}#{replace_all("^read-","")}*' ]

I’d be creating an NxM relation, meaning that people in both groups “read-index1” and “read-index2” would have access to “index1”, thereby giving “User B” access to “index1”, which is not allowed.

I couldn’t find a suitable way to write a block to perform this control.

Could you please give me a clue to get this done?

Thanks in advance.

Hi @nicoformoso

I think you are on a good path to achieving your goal.

groups: ["@explode{acl:available_groups}"]

You probably don’t need the above. The ror_kbn_auth authorizes your user and extracts the groups from the JWT. They will be stored in the available_groups var, so there is no need to filter by them.

Then you want to convert the groups to indices. You can achieve the conversion by removing the “read-” prefix from the name of the group. After the conversion, you get the name of the index.

So at first glance this:

  indices: [ '@explode{acl:available_groups}#{replace_all("^read-","")}*' ]

looks good. I’m not sure if you need the wildcard at the end.
And I don’t know about the “ec2-admin” and “access-s3bucket” groups (which don’t fit the pattern).

@nicoformoso did @coutoPL’s suggestion work for you?

Hi @coutoPL and @sscarduzio, thanks for the follow up.
I’ll be testing this suggestion these days and letting you know.
Best,

1 Like

Hi everyone!

Certainly the following line was wrong:

groups: ["@explode{acl:available_groups}"]

However, since I need to log in with users depending on their assigned groups, I need the groups key somewhere.

After a few tests, I think I found the block I need:

- name: "Testing generic block for read- indices"
  type: allow
  kibana_access: rw
  ror_kbn_auth:
    name: keycloak
    groups: ["read-*"]
  indices: ['@explode{acl:available_groups}#{replace_all("^read-","")}']

My tests consisted of the following:

  • I had user1 belonging to LDAP groups read-index1 and read-index2
  • I created in Elasticsearch: index1, index2, index3, index4

Afterwards, when user1 logged into the cluster, they only had access to index1 and index2.

So, I read the above block as follows:

Every user that has any group matching the expression read-* can access through keycloak authentication, and they will have access to the indices given by the expression: @explode{acl:available_groups}#{replace_all("^read-","")}

Am I right?

We’ll be doing more complex tests in the following days. I’ll keep you posted.

Best
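Added example (not from this thread or from ReadonlyREST): a small Python model of how the final block resolves a user's groups to indices, using constructed users and indices that mirror the scenario above. It assumes glob-style matching for the `read-*` group filter and for index names, and also shows what the trailing `*` from the first attempt would have matched.

```python
import fnmatch
import re

# Constructed sample data modelled on the thread's scenario; not the poster's real users.
USERS = {
    "userA": ["read-index1", "read-index2", "ec2-admin", "access-s3bucket"],
    "userB": ["read-index2", "ec2-admin"],
    "userC": ["ec2-admin"],                      # no read-* group at all
}
# "index10" is added only to show what a trailing wildcard would change.
INDICES = ["index1", "index2", "index3", "index4", "index10"]


def block_applies(groups):
    """ror_kbn_auth.groups: ["read-*"]: the block is considered only for users
    holding at least one group that matches read-*."""
    return any(fnmatch.fnmatchcase(g, "read-*") for g in groups)


def index_patterns(groups, trailing_wildcard=False):
    """@explode{acl:available_groups}#{replace_all("^read-","")} yields one entry
    per group of *this* user with the read- prefix removed. Groups without the
    prefix (ec2-admin, access-s3bucket) pass through unchanged; they only matter
    if an index literally carries that name."""
    suffix = "*" if trailing_wildcard else ""
    return [re.sub(r"^read-", "", g) + suffix for g in groups]


def allowed_indices(groups, trailing_wildcard=False):
    """Indices this block grants to a user with the given groups (assumed glob match)."""
    if not block_applies(groups):
        return set()
    patterns = index_patterns(groups, trailing_wildcard)
    return {i for i in INDICES if any(fnmatch.fnmatchcase(i, p) for p in patterns)}


if __name__ == "__main__":
    for user, groups in USERS.items():
        print(user, sorted(allowed_indices(groups)),
              "with wildcard:", sorted(allowed_indices(groups, trailing_wildcard=True)))
```

Because @explode expands each user's own groups, userB never gets index1; the wildcard variant shows read-index1 would additionally match index10.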

Yes, correct! :slight_smile:

Hi all,

I marked my answer as “Solution”, because it contains the block I need to solve the main request.
We did more tests and currently have this block (with the right parameters) in our prod env.

Thanks to all for helping!

2 Likes