0

I am working on a search microservice in Spring boot that relies on Amazon Elastic Search.

  • I have an angular Front end and a spring boot service in front of Amazon Elastic Search
  • I created Application Privileges in Elastic search so that my service/application can impersonate three types of users: manager, employee, contractor;
  • Each role is related to fine-grained permissions (e.g. only a manager can find personal data of the employees, Contractor can find employees but some fields would be scrubbed or not returned at all);

My use case is the following:

GIVEN an authenticated user
   AND the user has been authorized with the role Contractor by an In-House access management system;
WHEN the user searches through my service
THEN only the relevant documents are shown as per his/her privileges;

How would that request (I guess POST) would look like for this to work?

AR1
  • 4,507
  • 4
  • 26
  • 42

2 Answers2

0

As long as your request is not changing anything you should use GET instead of POST, but POST will be supported for clients not capable of sending a request body with GET.

In order to show documents the user is allowed to see, you need to set up document-level security for your roles as described here: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/document-level-security/

Users of elastic's elasticsearch should have a look at that: https://www.elastic.co/guide/en/elasticsearch/reference/current/document-level-security.html

ibexit
  • 3,465
  • 1
  • 11
  • 25
  • Thanks for answering. As per the Elastic Search documentation (https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-searching.html#es-searching-dsl), GET supports just a subset of the ES functionalities so independently from support, you need a post for complex features. While the link is useful this unfortunately doesn't answer the question. – AR1 Jun 23 '21 at 12:55
  • Why exactly document level security is not a solution for you? It will full your requirement and you don't need to change your queries at all because the security layer will do the filtering. – ibexit Jun 23 '21 at 14:00
  • Document level is already part of the fine-grained permissions. The solution to provide is the answer to the following question (as per question posted): "How would that request (I guess POST) would look like for this to work?". Such answer (if working) would be considered a solution to my particular problem. – AR1 Jun 23 '21 at 14:13
  • If you have document security already in place, all queries will satisfy your requirements even a plain match_all query will yield just documents which the current user is permitted to view. – ibexit Jun 23 '21 at 14:57
0

I eventually found the answer in the Open Distro ElasticSearch documentation about User Impersonation here.

In short the trick is to add opendistro_security_impersonate_as to the header in the following way:

curl -XGET -u 'admin:admin' -k -H "opendistro_security_impersonate_as: user_1" https://localhost:9200/_opendistro/_security/authinfo?pretty

where you can replace:

  • admin:admin with your service user
  • user_1 with the user that you want to impersonate and
  • https://localhost:9200/_opendistro/_security/authinfo?pretty with the URL of your GET request.

This worked like a charm in my case.

AR1
  • 4,507
  • 4
  • 26
  • 42