Securing GDPR Personal Data with Access Controls

gdpr_access_controls.txt

# Tested with version 6.2.x of the Elastic Stack

# Add index templates

PUT _template/identity_store
{
  "index_patterns": ["identity_store"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings":{
    "doc":{
      "properties":{
        "key":{"type":"keyword"},
        "value":{"type":"keyword"}
      }
    }
  }
}

PUT _template/order_items
{
  "index_patterns": ["order_items-*"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings":{
    "doc":{
      "properties":{
        "quantity":{"type":"integer"},
        "customer_age":{"type":"integer"},
        "customer_id":{"type":"integer"},
        "price":{"type":"float"},
        "created_on":{"type":"date"},
        "customer_gender":{"type":"keyword"},
        "sku":{"type":"keyword"},
        "ip":{"type":"keyword"},
        "user":{"type":"keyword"},
        "geoip":{
          "properties":{
            "country_iso_code":{"type":"keyword"},
            "location":{"type":"geo_point"}
          }
        }
      }
    }
  }
}

# Add sample data

PUT identity_store/doc/6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0
{
  "key": "6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0",
  "value": "86.58.0.0"
}

PUT order_items-2018/doc/1
{
  "geoip": {
    "country_iso_code": "GB",
    "location": {
      "lat": 52.4768,
      "lon": -1.9341
    }
  },
  "quantity": 1,
  "created_on": "2018-01-15T12:25:55+00:00",
  "customer_gender": "FEMALE",
  "customer_age": 31,
  "sku": "PI911NA30-C11",
  "customer_id": 46,
  "ip": "6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0",
  "user": "81c52b4457b4966544ec582f4e1e6d2e72ec7091ebe68172b2d4dc634998719c",
  "price": 59.99
}

PUT order_items-2018/doc/2
{
  "geoip": {
    "country_iso_code": "FR",
    "location": {
      "lat": 43.5513,
      "lon": 7.0128
    }
  },
  "quantity": 1,
  "created_on": "2018-01-15T12:34:34+00:00",
  "customer_gender": "FEMALE",
  "customer_age": 27,
  "sku": "K4422IA03-P11",
  "customer_id": 49,
  "ip": "8dd0255a39f96174c0035687f0c3a420395be6234eba82c4b9f297abfa9c0eea",
  "user": "46b6f0ae97088f7259ea1daf97deba6535971584da62c71874287406b980fd79",
  "price": 41.99
}

# Add roles

PUT _xpack/security/role/identity_store-readonly
{    
  "indices": [
    {
      "names": ["identity_store"],
      "privileges": ["read"]
    }
  ]
}

PUT _xpack/security/role/identity_store-write
{    
  "indices": [
    {
      "names": ["identity_store"],
      "privileges": ["index"]
    }
  ]
}

PUT _xpack/security/role/order_items-abac-full
{    
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": "{\"terms\":{\"geoip.country_iso_code\":{{#toJson}}_user.metadata.visible_countries{{/toJson}}}}"
        } 
      }
    }
  ]
}

PUT _xpack/security/role/order_items-abac-restricted
{    
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": "{\"terms\":{\"geoip.country_iso_code\":{{#toJson}}_user.metadata.visible_countries{{/toJson}}}}"
        } 
      },
      "field_security" : {
        "grant" : [ "*"],
        "except": [ "geoip.location.*", "customer_gender", "customer_age" ]
      }
    }
  ]
}

PUT _xpack/security/role/order_items-fr-rbac-full
{    
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query" : {
        "term" : { "geoip.country_iso_code" : "FR" }
      }
    }
  ]
}

PUT _xpack/security/role/order_items-fr-rbac-restricted
{    
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query" : {
        "term" : { "geoip.country_iso_code" : "FR" }
      },
      "field_security" : {
        "grant" : [ "*"],
        "except": [ "geoip.location.*", "customer_gender", "customer_age" ]
      }
    }
  ]
}

PUT _xpack/security/role/order_items-gb-rbac-full
{    
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query" : {
        "term" : { "geoip.country_iso_code" : "GB" }
      }
    }
  ]
}

PUT _xpack/security/role/order_items-gb-rbac-restricted
{    
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query" : {
        "term" : { "geoip.country_iso_code" : "GB" }
      },
      "field_security" : {
        "grant" : [ "*"],
        "except": [ "geoip.location.*", "customer_gender", "customer_age" ]
      }
    }
  ]
}


# Add users

PUT _xpack/security/user/identity_reader
{
  "username": "identity_reader",
  "password": "testtest",
  "roles": ["kibana_user", "identity_store-readonly"],
  "full_name": "Identity Reader",
  "email": "identity_reader@example.com"
}

PUT _xpack/security/user/identity_writer
{
  "username": "identity_writer",
  "password": "testtest",
  "roles": ["kibana_user", "identity_store-write"],
  "full_name": "Identity Writer",
  "email": "identity_writer@example.com"
}

PUT _xpack/security/user/abac1
{
  "username": "abac1",
  "password": "testtest",
  "roles": ["kibana_user", "order_items-abac-restricted"],
  "full_name": "ABAC 1",
  "email": "abac1@example.com",
  "metadata": {
    "visible_countries": ["GB", "FR"]
  }
}

PUT _xpack/security/user/abac2
{
  "username": "abac2",
  "password": "testtest",
  "roles": ["kibana_user", "order_items-abac-full"],
  "full_name": "ABAC 2",
  "email": "abac2@example.com",
  "metadata": {
    "visible_countries": ["GB"]
  }
}

PUT _xpack/security/user/rbac1
{
  "username": "rbac1",
  "password": "testtest",
  "roles": ["kibana_user", "order_items-fr-rbac-restricted", "order_items-gb-rbac-restricted"],
  "full_name": "RBAC 1",
  "email": "rbac1@example.com"
}

PUT _xpack/security/user/rbac2
{
  "username": "rbac2",
  "password": "testtest",
  "roles": ["kibana_user", "order_items-gb-rbac-full"],
  "full_name": "RBAC 2",
  "email": "rbac2@example.com"
}