
I am working on a search service. My Spring Boot search service stands between my internal userbase and my Amazon Elasticsearch cluster. I want to enable fine-grained access control; however, I can't rely on AWS IAM as we have an in-house service to manage authentication and authorization. Is there any way I can enable fine-grained access control for search without mapping all the users from my system to either IAM, Cognito or the Kibana internal database?

    good question! did you find a way forward? – Leo Sep 22 '21 at 23:41
  • @Leo since this question has been unanswered for a while, I posted the method we used to get around the obstacle. While not particularly elegant it works and it's secure. – AR1 Jan 24 '23 at 14:00

1 Answer


The way we addressed this challenge is:

  1. Create roles and assign permissions to roles. This is not as cumbersome as adding users one by one, and it can be easily achieved as in general there should be just a bunch of roles to be used and re-used. Relevant documentation can be found here.
  2. For each role, create one user and map it to that role. Here you can find how to do it.
  3. Create service users to be used by applications.
  4. Use the service users to impersonate the user (as per step 2) associated with the role we need. User impersonation docs can be found here.
  5. Let the calling application authenticate with the in-house service and then impersonate the relevant role.

Even if not particularly elegant, this solution works and it's secure.

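The five steps of the answer as one runnable procedure, added here as an example; it is not code from the original answer or from the Spring Boot service the question describes. The REST paths (`/_opendistro/_security/api/...`) and the `opendistro_security_impersonate_as` header are those documented for the Open Distro security plugin that Amazon Elasticsearch fine-grained access control is built on; the role names, index patterns, `svc-*` user names and the injected `send` transport are assumptions for illustration.

```python
"""Fine-grained search access via per-role users and impersonation.

Added example, not the original answer's code. REST paths and header name are
the Open Distro security plugin's; role names, user names and index patterns
are constructed for illustration.
"""
import base64
import json
from urllib import request

SECURITY_API = "/_opendistro/_security/api"          # Open Distro / Amazon ES path
IMPERSONATE_HEADER = "opendistro_security_impersonate_as"

# Assumed catalogue (constructed): in-house role -> index patterns it may read.
ROLE_CATALOG = {
    "catalog_reader": ["products-*"],
    "hr_reader": ["hr-*"],
}


def role_user(role):
    """Step 2: exactly one internal user per role, named after the role."""
    return f"svc-{role}"


def provision_roles(send, catalog, password_for):
    """Steps 1-2: create a read-only role, its single user and the role mapping.

    `send(method, path, body, headers)` is an injected transport so the
    procedure can be exercised without a cluster; `password_for(user)` is the
    caller's secret store. Returns the list of transport responses.
    """
    responses = []
    for role, patterns in catalog.items():
        user = role_user(role)
        responses.append(send("PUT", f"{SECURITY_API}/roles/{role}", {
            "cluster_permissions": ["cluster_composite_ops_ro"],
            "index_permissions": [{"index_patterns": patterns, "allowed_actions": ["read"]}],
        }))
        responses.append(send("PUT", f"{SECURITY_API}/internalusers/{user}",
                              {"password": password_for(user)}))
        responses.append(send("PUT", f"{SECURITY_API}/rolesmapping/{role}", {"users": [user]}))
    return responses


def search_as(send, service_user, service_password, in_house_role, index, query):
    """Steps 4-5: authenticate as the service user, run the query as the role's user.

    `in_house_role` must be the in-house authorization service's verdict for the
    caller, never a value taken from the HTTP request, otherwise any client
    could pick a stronger role.
    """
    if in_house_role not in ROLE_CATALOG:
        raise PermissionError(f"no search role mapped for {in_house_role!r}")
    creds = base64.b64encode(f"{service_user}:{service_password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        IMPERSONATE_HEADER: role_user(in_house_role),   # plugin enforces the target user's permissions
        "Content-Type": "application/json",
    }
    return send("POST", f"/{index}/_search", {"query": query}, headers)


def urllib_transport(base_url, admin_user, admin_password):
    """Real transport: admin basic auth for provisioning, overridden per call for searches."""
    admin = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()

    def send(method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Basic {admin}")
        req.add_header("Content-Type", "application/json")
        for key, value in (headers or {}).items():
            req.add_header(key, value)          # a search call replaces Authorization with the service user
        with request.urlopen(req) as resp:
            return json.loads(resp.read().decode())
    return send
```

Two things the plugin documentation adds that the answer leaves implicit: impersonation only works if the service user is listed under `opendistro_security.authcz.rest_impersonation_user` together with the users it may become, and that list should name exactly the `svc-*` role users, so a leaked service credential cannot be turned into an admin session. The role lookup in `search_as` is the other control point: the search service decides which role user to impersonate from the in-house service's answer, and a caller-supplied role name is rejected rather than trusted.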