1

I want to create API keys on elasticsearch via POST _security/api_key API, I am able to create these but I want to limit search capability for the generated key which I am unable to do.

Essentially, what I want to achieve is let's say that all my records have a field like "username":"username1" or another one like "username":"username2" i.e. all the records will have a valid value for username field

Now what I want is to be able to create a key where I specify something like "username":"username2" which then gets appended to every search query made using that key as an AND case like if this key searches (/index_name/_search) for 

{
    "query": {
        "match": {
            "key_zz":"value_aa"
        }
    }
}

this query would actually be an AND of both of the below (i.e. if a record with this combination exists "key_zz":"value_aa" but the value for username is not username2, the API would not return that object)

{
    "query": {
        "match": {
            "key_zz":"value_aa"
        }
    }
}

AND

{
    "query": {
        "must": { 
          "match" : {
            "username":"username2"
          } 
        }
    }
}

I have tried creating the key with all of the following combinations:

    "name": "key-name",
    "role_descriptors": {
        "role_name": {
            "indices": [
                {
                    "names": [
                        "index_name"
                    ],
                    "privileges": [
                        "read"
                    ],
                    "query": {
                        "match": {
                            "username": "value_custom"
                        }
                    }
                }
            ]
        }
    }
}

In the query field, I have tried all the following combinations:

           "query": {
                        "and": {
                            "username": "value_custom"
                        }
                    }

          "query": {
                        "bool": {
                            "must": {
                                "match": {
                                    "username": "value_custom"
                                }
                            }
                        }
                    }

           "query": {
                        "bool": {
                            "must": {
                                "bool": {
                                    "must": {
                                        "match": {
                                            "username": "value_custom"
                                        }
                                    }
                                }
                            }
                        }
                    }

But none of the above worked. Also, earlier the mapping type of username field was text but I then updated it to be keyword

In a nutshell, what I am trying to achieve is some kind of document level security. I know ElasticSearch has some kind of Document Level Security (https://www.elastic.co/guide/en/elastic-stack-overview/current/document-level-security.html) but in our architecture, we want to achieve this using API keys with restricted search capabilities. We are currently using Algolia and we were achieving this using the exact implementation I described above. ElasticSearch documentation has references for how to limit a role but not how to limit API keys. Need help to achieve this.

Also, I am using ElasticSearch v7

Some reference links :

  1. https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html
  2. https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
codechef123
  • 13
  • 5

0 Answers0