
POST request to Amazon Elasticsearch from an application impersonating a user role (e.g. manager, contractor, etc.)

I am working on a search microservice in Spring Boot that relies on Amazon Elasticsearch.

  • I have an Angular front end and a Spring Boot service in front of Amazon Elasticsearch.
  • I created Application Privileges in Elasticsearch so that my service/application can impersonate three types of users: manager, employee, contractor.
  • Each role is related to fine-grained permissions (e.g. only a manager can find personal data of the employees; a contractor can find employees, but some fields would be scrubbed or not returned at all).

My use case is the following:

GIVEN an authenticated user
   AND the user has been authorized with the role Contractor by an In-House access management system;
WHEN the user searches through my service
THEN only the relevant documents are shown as per his/her privileges;

How would that request (I guess POST) look for this to work?

As long as your request is not changing anything you should use GET instead of POST, but POST will be supported for clients not capable of sending a request body with GET.

In order to show documents the user is allowed to see, you need to set up document-level security for your roles as described here: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/document-level-security/

Users of Elastic's Elasticsearch should have a look at that: https://www.elastic.co/guide/en/elasticsearch/reference/current/document-level-security.html

I eventually found the answer in the Open Distro for Elasticsearch documentation about User Impersonation here.

In short, the trick is to add the opendistro_security_impersonate_as header in the following way:

curl -XGET -u 'admin:admin' -k -H "opendistro_security_impersonate_as: user_1" https://localhost:9200/_opendistro/_security/authinfo?pretty

where you can replace:

  • admin:admin with your service user
  • user_1 with the user that you want to impersonate and
  • https://localhost:9200/_opendistro/_security/authinfo?pretty with the URL of your GET request.

This worked like a charm in my case.
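The same impersonation header sent from the Spring Boot service instead of curl, as an added example that is not code from the original post: the service authenticates with its own service-user credentials (the equivalent of admin:admin above) and sets opendistro_security_impersonate_as to the name of the caller already authenticated in the service, never to a value supplied by the front end, so Elasticsearch evaluates document-level security for that caller. The class, the elasticsearch.* property names and the /employees/_search index path are assumptions.

```java
import java.util.regex.Pattern;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;

@Service
public class ImpersonatingSearchClient {

    // Header name from the Open Distro Security docs. The service user sending it must be
    // allowed to impersonate the target users (rest_impersonation_user in elasticsearch.yml),
    // otherwise the cluster rejects the request.
    private static final String IMPERSONATE_HEADER = "opendistro_security_impersonate_as";

    // Only plain user names are ever placed in the header; anything else is refused, not sent.
    private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    private final RestTemplate rest = new RestTemplate();

    // Assumed property names; these are the service's own credentials, not the caller's.
    @Value("${elasticsearch.url}") private String baseUrl;              // e.g. https://localhost:9200
    @Value("${elasticsearch.service-user}") private String serviceUser;
    @Value("${elasticsearch.service-password}") private String servicePassword;

    /** Runs a search as whoever is currently authenticated in this service. */
    public String searchAsCurrentUser(String queryJson) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new IllegalStateException("no authenticated caller to impersonate");
        }
        return search(auth.getName(), queryJson);   // identity comes from the session, not the request
    }

    String search(String impersonatedUser, String queryJson) {
        if (!SAFE_USER.matcher(impersonatedUser).matches()) {
            throw new IllegalArgumentException("refusing to impersonate: " + impersonatedUser);
        }
        HttpHeaders headers = new HttpHeaders();
        headers.setBasicAuth(serviceUser, servicePassword);   // who the service is
        headers.set(IMPERSONATE_HEADER, impersonatedUser);    // whose DLS rules apply
        headers.setContentType(MediaType.APPLICATION_JSON);
        // POST rather than GET: the default RestTemplate transport drops a GET body, and
        // _search accepts POST as the first answer notes.
        return rest.exchange(baseUrl + "/employees/_search", HttpMethod.POST,
                new HttpEntity<>(queryJson, headers), String.class).getBody();
    }
}
```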
