[DONE] Support @user variable in indices rule (enable document filtering)

presto9292 · April 5, 2017, 5:37am

Hi

For both ldap and external_auth rules, could we enhance the indices part to support “*_@user” notation?
This e.g. will enable allowing only indices w/ pattern that ends w/ user name.

Then I could do document filtering by having one big index, e,g, index_entities, followed by creating an index alias per each user, e.g. index_entities_{user} which uses ES filtered alias feature to attach some condition to the alias.

Thanks

sscarduzio · April 5, 2017, 11:02am

Yes sir, that is correct. And I love to hear I’m not the only one person excited about the direction this plugin is taking

I’ll clarify what makes me giggle: now that we have an onResponse hook in the Rule framework, we can quite easily implement document-level and field-level security. I.e:

Return only documents of type (mapping)
Return only documents whose field “x” equals to “y”

In the meanwhile, doing this with filters as you say, is a “@user” variable away in the “indices” rule, which is exactly what I’m going to add next to the project.

presto9292 · April 5, 2017, 11:11am

Hi,
Be advised that in ES6 they’re going to drop the concept of type, so no point in adding a feature for filtering mapping types

github.com/elastic/elasticsearch

Remove support for types?

opened 05:16PM - 22 Dec 15 UTC

closed 11:40AM - 12 Mar 20 UTC

jpountz

:Search/Mapping Meta

The ability to have several types on the same index is causing problems: - the m…appings APIs need to maintain one mapping per type, yet those mappings can't be independent and keeping them synchronized is complicated (see eg. discussions on #15539) - it gives the feeling that the system can easily deal with documents that have very different mappings in the same index, which is not true. This is why in 2.0 we added more restrictions on mappings across types. In addition types encourage sparsity and sparse fields cause Lucene to either be slow when there is a special impl for the sparse case (eg. doc values) or use tremendous memory and disk space in spite of the fact that few documents have a value (eg. norms, because a fixed amount of memory is used for every doc, regardless of whether they have a value for this field or not). Migrating existing users is certainly going to be complicated but this would also make the system more honest to new users about the fact that we can't do index-level multi-tenancy efficiently. Also I suspect that the restrictions that we added in 2.0 (that eg. two fields that have the same name in different types) already made lots of users migrate to a single index per data type instead of folding them into different types of the same index. See also https://www.elastic.co/blog/index-vs-type.

The index alias concept works great w/ the plugin, it allows for any query to bound to the index.
It’s just that at this point I must add concrete rules per user

  - name: "::USER::"
    auth_key: user:pass
    type: allow
    indices: ["entities_user"]

sscarduzio · April 5, 2017, 11:18am

Yep let’s do the @user variable replacement in indices rule first.