[DONE] Support @user variable in indices rule (enable document filtering)


#1

Hi

For both ldap and external_auth rules, could we enhance the indices part to support “*_@user” notation?
This will, e.g., enable allowing only indices w/ a pattern that ends w/ the user name.

Then I could do document filtering by having one big index, e.g. index_entities, followed by creating an index alias per user, e.g. index_entities_{user}, which uses the ES filtered alias feature to attach some condition to the alias.

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html#filtered

Thanks


(Simone Scarduzio) #2

Yes sir, that is correct. And I love to hear I’m not the only person excited about the direction this plugin is taking :slight_smile:

I’ll clarify what makes me giggle: now that we have an onResponse hook in the Rule framework, we can quite easily implement document-level and field-level security. I.e:

  • Return only documents of type (mapping)
  • Return only documents whose field “x” equals “y”

In the meantime, doing this with filters, as you say, is a “@user” variable away in the “indices” rule, which is exactly what I’m going to add next to the project. :raised_hand: :arrow_up: :five:


#3

Hi,
Be advised that in ES6 they’re going to drop the concept of type, so there is no point in adding a feature for filtering mapping types.

The index alias concept works great w/ the plugin; it allows any query to be bound to the index.
It’s just that at this point I must add concrete rules per user:

  - name: "::USER::"
    auth_key: user:pass
    type: allow
    indices: ["entities_user"]

(Simone Scarduzio) #4

Yep, let’s do the @user variable replacement in the indices rule first.
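
The approach discussed in this thread (one shared index, one filtered alias per user, and an indices pattern such as `*_@user`), sketched as an added example that is not the plugin's own code or part of any post. It assumes a hypothetical `owner` field on each document and a restricted user-name charset, so that a name can neither inject a wildcard into the pattern nor collide with the suffix of another user's alias.

```python
import fnmatch
import re

# Assumption: user names are lowercase letters, digits, '.' and '-' only.
# No '*', '?' or '[' (pattern metacharacters) and no '_' (the separator),
# so "*_bob" can never match the alias that belongs to "jim_bob".
SAFE_USER = re.compile(r"[a-z0-9][a-z0-9.-]*")


def expand_user(pattern, user):
    """Replace @user in an indices pattern with the authenticated user name."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"unsafe user name for index pattern: {user!r}")
    return pattern.replace("@user", user)


def index_allowed(requested, patterns, user):
    """True if the requested index or alias matches an expanded pattern."""
    return any(
        fnmatch.fnmatchcase(requested, expand_user(p, user)) for p in patterns
    )


def filtered_alias_actions(index, users, owner_field="owner"):
    """Body for POST /_aliases: one filtered alias per user on a shared index.

    owner_field is a hypothetical field holding the owning user's name.
    """
    return {
        "actions": [
            {
                "add": {
                    "index": index,
                    "alias": f"{index}_{expand_user('@user', u)}",
                    "filter": {"term": {owner_field: u}},
                }
            }
            for u in users
        ]
    }


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(filtered_alias_actions("index_entities", ["alice", "bob"]))
    print(index_allowed("index_entities_alice", ["*_@user"], "alice"))
    print(index_allowed("index_entities_bob", ["*_@user"], "alice"))
```

The access rule must allow only the alias pattern and never the backing index itself, otherwise a request to `index_entities` bypasses the alias filter.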