Securing GDPR Personal Data with Access Controls
# Tested with version 6.2.x of the Elastic Stack.
# The _xpack/security/* endpoints and the single "doc" mapping type used below
# are 6.x conventions; later major versions renamed or removed them.
# Add index templates
# identity_store is the lookup table from a pseudonym (the hashed token stored
# in order_items) back to the original value, so read access to this index is
# what re-identifies a record.
PUT _template/identity_store
{
  "index_patterns": ["identity_store"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "properties": {
        "key":   { "type": "keyword" },
        "value": { "type": "keyword" }
      }
    }
  }
}
# order_items-* holds the event data. "ip" and "user" are keyword fields that
# carry identity_store keys rather than raw values (see the sample documents);
# customer_id, customer_age, customer_gender and geoip.location are stored as-is.
PUT _template/order_items
{
  "index_patterns": ["order_items-*"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "properties": {
        "quantity":        { "type": "integer" },
        "customer_age":    { "type": "integer" },
        "customer_id":     { "type": "integer" },
        "price":           { "type": "float" },
        "created_on":      { "type": "date" },
        "customer_gender": { "type": "keyword" },
        "sku":             { "type": "keyword" },
        "ip":              { "type": "keyword" },
        "user":            { "type": "keyword" },
        "geoip": {
          "properties": {
            "country_iso_code": { "type": "keyword" },
            "location":         { "type": "geo_point" }
          }
        }
      }
    }
  }
}
# Add sample data
# The document id doubles as the pseudonym key; "value" is the original datum
# (here an IP address) that the key stands in for in order_items.
PUT identity_store/doc/6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0
{
  "key":   "6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0",
  "value": "86.58.0.0"
}
# Sample order: "ip" and "user" hold identity_store keys (the ip key resolves to
# the identity_store document above); the remaining customer attributes are raw.
PUT order_items-2018/doc/1
{
  "geoip": {
    "country_iso_code": "GB",
    "location": {
      "lat": 52.4768,
      "lon": -1.9341
    }
  },
  "quantity": 1,
  "created_on": "2018-01-15T12:25:55+00:00",
  "customer_gender": "FEMALE",
  "customer_age": 31,
  "sku": "PI911NA30-C11",
  "customer_id": 46,
  "ip": "6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0",
  "user": "81c52b4457b4966544ec582f4e1e6d2e72ec7091ebe68172b2d4dc634998719c",
  "price": 59.99
}
# Second sample order (FR). Its ip/user keys have no identity_store entry in this
# gist, so they cannot be resolved here even by identity_reader.
PUT order_items-2018/doc/2
{
  "geoip": {
    "country_iso_code": "FR",
    "location": {
      "lat": 43.5513,
      "lon": 7.0128
    }
  },
  "quantity": 1,
  "created_on": "2018-01-15T12:34:34+00:00",
  "customer_gender": "FEMALE",
  "customer_age": 27,
  "sku": "K4422IA03-P11",
  "customer_id": 49,
  "ip": "8dd0255a39f96174c0035687f0c3a420395be6234eba82c4b9f297abfa9c0eea",
  "user": "46b6f0ae97088f7259ea1daf97deba6535971584da62c71874287406b980fd79",
  "price": 41.99
}
# Add roles
# Read access to identity_store is the re-identification capability. Keep this
# role off any user that also holds an order_items role; none of the sample
# users below combine the two.
PUT _xpack/security/role/identity_store-readonly
{
  "indices": [
    {
      "names": ["identity_store"],
      "privileges": ["read"]
    }
  ]
}
# Write-only side of the lookup table: "index" allows indexing and updating
# documents but not reading them, so a writer cannot resolve existing keys.
PUT _xpack/security/role/identity_store-write
{
  "indices": [
    {
      "names": ["identity_store"],
      "privileges": ["index"]
    }
  ]
}
# Document-level security only: the role query is a search template rendered
# from the requesting user's metadata (_user.metadata.visible_countries), so the
# set of visible countries is a per-user attribute, not a per-role constant.
# Every user holding this role needs that metadata key; presumably a user
# without it produces an unrenderable query — verify how the cluster responds
# before relying on it.
PUT _xpack/security/role/order_items-abac-full
{
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": "{\"terms\":{\"geoip.country_iso_code\":{{#toJson}}_user.metadata.visible_countries{{/toJson}}}}"
        }
      }
    }
  ]
}
# Same document filter as order_items-abac-full, plus field-level security that
# hides location, gender and age. customer_id, ip and user remain visible: ip and
# user are pseudonyms, customer_id is not.
# NOTE(review): geoip.location is a single geo_point field; "geoip.location.*"
# covers its lat/lon keys in _source but may not match the field name itself —
# confirm that queries and aggregations on geoip.location are also blocked.
PUT _xpack/security/role/order_items-abac-restricted
{
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": "{\"terms\":{\"geoip.country_iso_code\":{{#toJson}}_user.metadata.visible_countries{{/toJson}}}}"
        }
      },
      "field_security": {
        "grant":  ["*"],
        "except": ["geoip.location.*", "customer_gender", "customer_age"]
      }
    }
  ]
}
# RBAC variant: the country is fixed in the role rather than read from user
# metadata, so one role is needed per country. No field restrictions.
PUT _xpack/security/role/order_items-fr-rbac-full
{
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "term": { "geoip.country_iso_code": "FR" }
      }
    }
  ]
}
# FR documents only, with location, gender and age hidden; customer_id, ip and
# user stay readable.
# NOTE(review): as with the abac-restricted role, confirm that the pattern
# "geoip.location.*" also blocks the geo_point field geoip.location itself.
PUT _xpack/security/role/order_items-fr-rbac-restricted
{
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "term": { "geoip.country_iso_code": "FR" }
      },
      "field_security": {
        "grant":  ["*"],
        "except": ["geoip.location.*", "customer_gender", "customer_age"]
      }
    }
  ]
}
# GB counterpart of order_items-fr-rbac-full: fixed country filter, all fields.
PUT _xpack/security/role/order_items-gb-rbac-full
{
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "term": { "geoip.country_iso_code": "GB" }
      }
    }
  ]
}
# GB documents only, with location, gender and age hidden; customer_id, ip and
# user stay readable.
# NOTE(review): as with the abac-restricted role, confirm that the pattern
# "geoip.location.*" also blocks the geo_point field geoip.location itself.
PUT _xpack/security/role/order_items-gb-rbac-restricted
{
  "indices": [
    {
      "names": ["order_items-*"],
      "privileges": ["read"],
      "query": {
        "term": { "geoip.country_iso_code": "GB" }
      },
      "field_security": {
        "grant":  ["*"],
        "except": ["geoip.location.*", "customer_gender", "customer_age"]
      }
    }
  ]
}
# Add users
# Sample accounts for a test cluster: every password below is "testtest" and
# should be replaced before these definitions are reused anywhere else.
# Each user gets kibana_user plus exactly one side of the split — either an
# identity_store role or order_items roles, never both.
PUT _xpack/security/user/identity_reader
{
  "username":  "identity_reader",
  "password":  "testtest",
  "roles":     ["kibana_user", "identity_store-readonly"],
  "full_name": "Identity Reader",
  "email":     "identity_reader@example.com"
}
# Can add or update pseudonym mappings but, lacking identity_store-readonly,
# cannot look them up.
PUT _xpack/security/user/identity_writer
{
  "username":  "identity_writer",
  "password":  "testtest",
  "roles":     ["kibana_user", "identity_store-write"],
  "full_name": "Identity Writer",
  "email":     "identity_writer@example.com"
}
# ABAC user: the restricted role's template query reads metadata.visible_countries,
# so this account sees GB and FR documents with the sensitive fields hidden.
PUT _xpack/security/user/abac1
{
  "username":  "abac1",
  "password":  "testtest",
  "roles":     ["kibana_user", "order_items-abac-restricted"],
  "full_name": "ABAC 1",
  "email":     "abac1@example.com",
  "metadata": {
    "visible_countries": ["GB", "FR"]
  }
}
# ABAC user with the full (no field_security) role, scoped to GB by metadata.
PUT _xpack/security/user/abac2
{
  "username":  "abac2",
  "password":  "testtest",
  "roles":     ["kibana_user", "order_items-abac-full"],
  "full_name": "ABAC 2",
  "email":     "abac2@example.com",
  "metadata": {
    "visible_countries": ["GB"]
  }
}
# RBAC user holding two per-country restricted roles. The document filters from
# both roles combine with OR; because both roles hide the same fields, the field
# restriction still holds.
# NOTE(review): field permissions from several roles on the same index are
# combined by union — do not pair a *-full role with a *-restricted role on one
# user, or the restricted fields become readable; confirm for your version.
PUT _xpack/security/user/rbac1
{
  "username":  "rbac1",
  "password":  "testtest",
  "roles":     ["kibana_user", "order_items-fr-rbac-restricted", "order_items-gb-rbac-restricted"],
  "full_name": "RBAC 1",
  "email":     "rbac1@example.com"
}
# RBAC user with the GB full role: all fields, GB documents only.
PUT _xpack/security/user/rbac2
{
  "username":  "rbac2",
  "password":  "testtest",
  "roles":     ["kibana_user", "order_items-gb-rbac-full"],
  "full_name": "RBAC 2",
  "email":     "rbac2@example.com"
}