2

I'm designing a solution and want to leverage some of Elasticsearch's query capabilities (version 7.x). We are expected to have around 10M documents per index. Documents might have different 'associations' to what we call 'users' (not necessarily the same meaning as in ES):

  1. associated to all, queryable in any context.
  2. associated to single user, should appear only in this user context searches.
  3. associated to a 'group' of users (of size up to 1000K), should appear in queries for users of this group.

We expect to have a lot of users, in the 100Ks or so, which also means we might have a lot of different groups; any 2 users might form a custom group.

I've been investigating ES's capabilities and it looks like each solution I came up with has disadvantages:

  1. RBAC - will require creating a lot of roles (per user + per group, can ES even handle that many?)
  2. ABAC - will require creating a lot of users (can ES even handle that many?)
  3. Simple AND clauses on dedicated properties (complex template of the query as explained here)

It is important to note that I have a single user that I will be using to query on behalf of the users I will create, in case I choose to go down this path.

I came across this question, but I figured that things might have evolved since it's been answered: Document access control in ElasticSearch

Any other suggestions that I should check out? Maybe even custom 3rd party solutions?

Oleg Kaplun
  • 1
    If you have a single user querying on behalf of all the others then 1 and 2 aren't valid options. I'd go with 3, easy. – Val May 05 '21 at 06:38
  • @Val, why are options 1 and 2 not valid? Wouldn't I be able to use `run_as` as presented [here](https://www.elastic.co/guide/en/elasticsearch/reference/master/run-as-privilege.html)? – Oleg Kaplun May 05 '21 at 07:02
  • 1
    Yes of course but with 100K users I wouldn't even think about going that way. PS: "valid" wasn't the appropriate word, indeed. – Val May 05 '21 at 07:16
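
Option 3 from the question, sketched as an added example (not code from the post, the comments or Elasticsearch itself): the service that holds the single query account nests whatever query the caller sends under an outer `bool` and adds the access check in filter context. The field names `acl_public`, `acl_user` and `acl_groups`, the sample documents and the small local evaluator are assumptions made so the logic can be checked offline.

```python
import copy

# Assumed field names (not from the question): acl_public (boolean),
# acl_user (keyword), acl_groups (keyword array).

def acl_filter(user_id, group_ids):
    """Public OR owned by this user OR shared with one of the user's groups."""
    should = [{"term": {"acl_public": True}}, {"term": {"acl_user": user_id}}]
    if group_ids:
        should.append({"terms": {"acl_groups": sorted(group_ids)}})
    return {"bool": {"should": should, "minimum_should_match": 1}}

def scoped_body(user_query, user_id, group_ids):
    """Nest the caller's query under an outer bool; the ACL sits in filter
    context, so it is ANDed with whatever the caller sent and is not scored."""
    return {"query": {"bool": {"must": [copy.deepcopy(user_query)],
                               "filter": [acl_filter(user_id, group_ids)]}}}

def matches(clause, doc):
    """Local evaluator for the few clause types used here, for testing only."""
    (kind, body), = clause.items()
    if kind == "match_all":
        return True
    if kind in ("term", "terms"):
        (field, wanted), = body.items()
        stored = doc.get(field, [])
        stored = stored if isinstance(stored, list) else [stored]
        wanted = wanted if isinstance(wanted, list) else [wanted]
        return any(v in wanted for v in stored)
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        should = body.get("should", [])
        need = body.get("minimum_should_match", 0 if required else 1)
        hits = sum(matches(c, doc) for c in should)
        return all(matches(c, doc) for c in required) and (not should or hits >= need)
    raise ValueError(f"unsupported clause: {kind}")

# Constructed sample documents, one per association type in the question.
DOCS = [
    {"id": 1, "acl_public": True},
    {"id": 2, "acl_public": False, "acl_user": "alice"},
    {"id": 3, "acl_public": False, "acl_user": "bob"},
    {"id": 4, "acl_public": False, "acl_groups": ["g1", "g7"]},
    {"id": 5, "acl_public": False, "acl_groups": ["g9"]},
]

def visible_ids(user_query, user_id, group_ids):
    query = scoped_body(user_query, user_id, group_ids)["query"]
    return [d["id"] for d in DOCS if matches(query, d)]
```

The user id and group list must come from the authenticated session on the server side, never from the request body. A `terms` clause is capped by `index.max_terms_count` (default 65,536), which bounds how many groups one user's filter can list.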

0 Answers