Customize authorization and filter data

Hi,

I would need to access an external service in order to obtain a list of Elasticsearch roles / privileges a user is restricted to have when performing requests to Elasticsearch. After that, that user will be authorized to see only specific data on Elasticsearch (so I think it will be authenticated with those specific roles / privileges), according to the list taken from the external service.
This way I can implement an authorization mechanism so that, for instance, if a user wants to retrieve all cars but is allowed to see only American ones, the result will be filtered according to this restriction.

Is it possible to do that with your product?

Thanks a lot!

Hello @Uiifu12, welcome to our community!

Yes, it’s possible to retrieve the list of groups from a generic HTTP+JSON API. See the documentation about it.

After you map users into groups, you will need to map the groups to a block of rules, but this is a very standard exercise in ACL-based authorization in ReadonlyREST.
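
The mapping described in the reply above, sketched as a `readonlyrest.yml` fragment for the cars case from the question. This is an added example, not part of the original post or the project's own configuration; the provider name, endpoint URL, token name, group names, index name and the `country` field are assumptions, and the setting names should be checked against the ReadonlyREST documentation for the installed version.

```yaml
readonlyrest:
  access_control_rules:
    # Blocks are evaluated top to bottom and the first matching block decides.
    # The restricted block comes first, so a user who is in both groups
    # still gets the filtered view.
    - name: "American cars only"
      # Assumption: a trusted reverse proxy authenticates the user and
      # forwards the username; Elasticsearch is reachable only through it.
      proxy_auth: "*"
      groups_provider_authorization:
        user_groups_provider: "ExternalRoles"
        groups: ["cars_us"]          # hypothetical group name, fixed in the ACL
        users: ["*"]
      indices: ["cars"]              # hypothetical index
      # Document-level restriction: only documents matching this query are returned.
      filter: '{"term": {"country": "US"}}'

    - name: "All cars"
      proxy_auth: "*"
      groups_provider_authorization:
        user_groups_provider: "ExternalRoles"
        groups: ["cars_all"]         # hypothetical group name
        users: ["*"]
      indices: ["cars"]

  user_groups_providers:
    # The external HTTP+JSON service that returns the groups of a user.
    - name: "ExternalRoles"
      groups_endpoint: "https://roles.example.internal/groups"   # placeholder URL
      auth_token_name: "user"              # parameter that carries the username
      auth_token_passed_as: QUERY_PARAM    # or HEADER
      # JSONPath that extracts the group names from the service response.
      response_groups_json_path: "$..groups[?(@.name)].name"
```

Each group the external service can return needs its own block with the group name written out, and a user whose groups match no block is denied.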

Hi @sscarduzio and thank you for the answer.

Ok, I saw that part of ReadonlyREST, but what if I don’t know in advance what groups to add in groups: ["..."] list? I mean the user will be authenticated with any role coming from the external service list, no matter which names the roles have.
Then, in my case, since the external service returns all user authorizations by providing a list of roles / privileges, the resulting data fetched from Elasticsearch will be restricted to those user roles.

So I think I will need to authenticate that user with those roles only so that every next request will be restricted to specific indices according to user roles / privileges.

Is it still possible to do something like that?

Thanks.
Regards

Well, at the moment the list of groups a user belongs to cannot be used as a dynamic variable like the username, i.e.

      indices: ["@{user}_logstash-*"]

This can be a proposed feature for the Q1 roadmap; we have a forum category to vote for the most wanted features, and you can search for it or add it there.

Ok thank you for the info!
