I would need to access an external service in order to obtain a list of Elasticsearch roles / privileges a user is restricted to have when performing requests to Elasticsearch. After that, that user will be authorized to see only specific data on Elasticsearch (so I think it will be authenticated with those specific roles / privileges), according to the list taken from the external service.
This way I can implement an authorization mechanism so that, for instance, if a user wants to retrieve all cars but is allowed to see only American ones, the result will be filtered according to this restriction.
Yes, it’s possible to retrieve the list of groups from a generic HTTP+JSON API. See the documentation about it.
After you map users into groups, you will need to map the groups to a block of rules, but this is a very standard exercise about ACL-based authorization in ReadonlyREST.
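A readonlyrest.yml sketch of the two-step mapping described above (external service returns the user's groups, each group is tied to an ACL block that limits the reachable indices), added here as an illustration and not taken from this thread or from the ReadonlyREST project; the provider name, endpoint URL, group names, index names and credentials are assumptions.

```yaml
readonlyrest:
  access_control_rules:

    # Block 1: users whom the external service places in the "us-cars" group
    # may only query the US cars index (group and index names are assumed).
    - name: "US cars only"
      auth_key: "alice:REPLACE_ME"               # assumed credentials for the example
      groups_provider_authorization:
        user_groups_provider: "CarGroupsService" # assumed provider name, defined below
        groups: ["us-cars"]
        cache_ttl_in_sec: 60
      indices: ["cars-us"]

    # Block 2: users in the "all-cars" group may query every cars index.
    - name: "All cars"
      auth_key: "bob:REPLACE_ME"
      groups_provider_authorization:
        user_groups_provider: "CarGroupsService"
        groups: ["all-cars"]
        cache_ttl_in_sec: 60
      indices: ["cars-*"]

  # The external HTTP+JSON service that answers "which groups is this user in?"
  user_groups_providers:
    - name: CarGroupsService
      groups_endpoint: "http://groups.example.internal:8080/groups"  # assumed URL
      auth_token_name: "user"            # the user name is sent as this query parameter
      auth_token_passed_as: QUERY_PARAM
      response_groups_json_path: "$..groups[?(@.name)].name"        # expects {"groups":[{"name":"us-cars"}]}
      cache_ttl_in_sec: 60
```

With this file, a request from alice against cars-eu matches neither block and is rejected, which is the filtering effect asked about; note that every group name still has to be written into a block in advance.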
Ok, I saw that part of ReadonlyREST, but what if I don’t know in advance what groups to add to the groups: ["..."] list? I mean the user will be authenticated with any role coming from the external service list, no matter which names the roles have.
Then, in my case, since the external service returns all user authorizations by providing a list of roles / privileges, the resulting data fetched from Elasticsearch will be restricted to those user roles.
So I think I will need to authenticate that user with those roles only so that every next request will be restricted to specific indices according to user roles / privileges.