elasticsearch索引answers
{"can_view": ["F1", "F2", "F3"],"firstname": "John","lastname": "Black"}
{"can_view": ["F1", "F2"],"firstname": "Jack","lastname": "Grey"}
{"can_view": ["F2", "F3"],"firstname": "Adam","lastname": "Brown"}
我已经为Elasticsearch设置了XPack安全性。
我的系统中有三个用户:F1,F2,F3。
我为此请求添加了保护文档安全的角色。
POST /_xpack/security/role/alias_read
{
"indices" : [
{
"names": [ "answers" ],
"privileges": [ "read" ],
"query": {
"template": {
"source": {
"match": {
"can_view": "{{_user.username}}"
}
}
}
}
}
]
}
我已将此角色alias_read分配给F1,F2和F3用户。
现在,如果我以F1用户身份登录,那么我只能看到那些文档
{"can_view": ["F1", "F2", "F3"],"firstname": "John","lastname": "Black"}
{"can_view": ["F1", "F2"],"firstname": "Jack","lastname": "Grey"}
如果我以F2用户身份登录,那么我只能看到那些文档
{"can_view": ["F1", "F2"],"firstname": "Jack","lastname": "Grey"}
{"can_view": ["F2", "F3"],"name": "Adam","value": "Brown"}
那是完美而正确的。
现在的问题是,是否有一种方法可以对具体的字段值进行类似的保护(不是针对整个文档,也不是针对整个字段)。
例如。
elasticsearch索引answers
{"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"} ,"lastname": {"can_view": ["F1"], "value":"Black"} }
{"firstname": {"can_view": ["F3"], "value": "Jack"} ,"lastname": {"can_view": ["F2"], "value":"Grey"} }
{"firstname": {"can_view": ["F3", "F1"], "value": "Adam"} ,"lastname": {"can_view": ["F2", "F3"], "value":"Brown"} }
我想要获得的是,如果我以用户F1的身份登录,那么我应该只能看到那些结果:
{"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"} ,"lastname": {"can_view": ["F1"], "value":"Black"} }
{"firstname": {"can_view": ["F3", "F1"], "value": "Adam"}}
如果我以用户F2的身份登录,那么我应该只能看到那些结果:
{"firstname": {"can_view": ["F1", "F2", "F3"], "value": "John"}}
{"lastname": {"can_view": ["F2"], "value":"Grey"} }
{"lastname": {"can_view": ["F2", "F3"], "value":"Brown"} }
因此,我想限制具体用户的具体价值。 在使用xpack或其他一些安全软件包的elasticsearch中,有没有办法做到这一点?使用角色还是其他角色?
我使用的版本是:
elasticsearch 6.5.1
kibana 6.5.1
X-Pack