How to limit user's access to a group of indices only

flyhigh72 · March 30, 2021, 5:25am

I created a few indices, they are in the name of:
booksfiction202102
booksfiction202103
booksscience202102
booksscience202103
booksart202102
booksart202103
In Kibana I define an index pattern “books*” so I can search across all indices.

Now, I’m trying to define a few roles, each role will have access only to one type of books. So “rolefiction” will only be able to search on the index booksfinction but not on other two indices. The other 2 roles will be similar.

I created this role by specifying the index pattern “booksfiction*” in hoping it will allow the user access to both booksfiction202102 and booksfiction202103 but not other indices.

When user logs in, however, he gets a forbidden error when accessing the data in Discover using the index pattern “books*”. Is there something I missed?

I’m using the latest ODFE 1.13.1 version.

Thanks,
Sean

ThibaudF · March 30, 2021, 12:26pm

Hi !
You gave rights on booksfiction* not on books*.
So you get an error when you search for books*.

You can only use booksfiction*
You have to make a specific index-pattern for booksfiction*

EDIT : Maybe you can try to filter documents by index-name ? I never tried but you can give it a try if you want to keep a unique index-pattern books* .

Thi

clsa · March 30, 2021, 12:26pm

Hi Sean,

what is the result of this call in Dev Tools?

GET _opendistro/_security/api/roles/rolefiction

Regards
Clifford

flyhigh72 · March 30, 2021, 12:52pm

{
“rolefiction" : {
“reserved” : false,
“hidden” : false,
“cluster_permissions” : [
“cluster_composite_ops”
],
“index_permissions” : [
{
“index_patterns” : [
“booksfiction*”
],
“dls” : “”,
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“read”,
“suggest”,
“search”
]
}
],
“tenant_permissions” : [
{
“tenant_patterns” : [
“global_tenant”
],
“allowed_actions” : [
“kibana_all_write”
]
}
],
“static” : false
}
}

flyhigh72 · March 30, 2021, 1:01pm

Well, you are right. I did try creating an index-pattern “booksfiction*” and it works without error, however, then this security doesn’t make sense. So for every role I created with a special index pattern I’d have to create an index-pattern using “Stack Management?” Then if I created visualizations that used the books* pattern then these roles will not be able to share just because some more restricted index patterns? I remembered back in the version of ODFE last September, I can define this kind of role successfully but not in the newer version.

ThibaudF · March 30, 2021, 1:31pm

I understand, I always had the problem but for my use case I didn’t need to use the same index-pattern for two different roles, with one more restricted than the other one. So i never searched another solution.

If you find something, i’m interested

Maybe you can try to filter documents by index-name ? I never tried but you can give it a try if you want to keep a unique index-pattern books*

Have you tried Document Level Security thing?
https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/document-level-security/
I would give a try there.
You define same index pattern books* for every role but you define different document level security?

Thi

flyhigh72 · March 30, 2021, 1:44pm

I did try index-level, doc-level, and field-level of permission and they all worked well then.

When using doc-level or field-level the search performance gets a hit so I’m thinking to have the restriction implemented at the index-level if I can.

Thanks for sharing your thoughts.

Sean

Anthony · April 14, 2021, 4:01pm

Hi @flyhigh72
There is an option in config.yml that needs to be enabled

config:
  dynamic:
    do_not_fail_on_forbidden: true

Don’t forget to load the config after changing it, using securityadmin.sh script.

flyhigh72 · April 16, 2021, 2:01pm

Hi Anthony,

That fixed it! Really appreciate your help!

Sean