Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Securing GDPR Personal Data with Access Controls
# Tested with version 6.2.x of the Elastic Stack
# Add index templates
PUT _template/identity_store
{
"index_patterns": ["identity_store"],
"settings": {
"number_of_shards": 1
},
"mappings":{
"doc":{
"properties":{
"key":{"type":"keyword"},
"value":{"type":"keyword"}
}
}
}
}
PUT _template/order_items
{
"index_patterns": ["order_items-*"],
"settings": {
"number_of_shards": 1
},
"mappings":{
"doc":{
"properties":{
"quantity":{"type":"integer"},
"customer_age":{"type":"integer"},
"customer_id":{"type":"integer"},
"price":{"type":"float"},
"created_on":{"type":"date"},
"customer_gender":{"type":"keyword"},
"sku":{"type":"keyword"},
"ip":{"type":"keyword"},
"user":{"type":"keyword"},
"geoip":{
"properties":{
"country_iso_code":{"type":"keyword"},
"location":{"type":"geo_point"}
}
}
}
}
}
}
# Add sample data
PUT identity_store/doc/6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0
{
"key": "6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0",
"value": "86.58.0.0"
}
PUT order_items-2018/doc/1
{
"geoip": {
"country_iso_code": "GB",
"location": {
"lat": 52.4768,
"lon": -1.9341
}
},
"quantity": 1,
"created_on": "2018-01-15T12:25:55+00:00",
"customer_gender": "FEMALE",
"customer_age": 31,
"sku": "PI911NA30-C11",
"customer_id": 46,
"ip": "6be0f12c7026124f637097b7af98dfe82711e7982648ef5c2f2cf51167ed17d0",
"user": "81c52b4457b4966544ec582f4e1e6d2e72ec7091ebe68172b2d4dc634998719c",
"price": 59.99
}
PUT order_items-2018/doc/2
{
"geoip": {
"country_iso_code": "FR",
"location": {
"lat": 43.5513,
"lon": 7.0128
}
},
"quantity": 1,
"created_on": "2018-01-15T12:34:34+00:00",
"customer_gender": "FEMALE",
"customer_age": 27,
"sku": "K4422IA03-P11",
"customer_id": 49,
"ip": "8dd0255a39f96174c0035687f0c3a420395be6234eba82c4b9f297abfa9c0eea",
"user": "46b6f0ae97088f7259ea1daf97deba6535971584da62c71874287406b980fd79",
"price": 41.99
}
# Add roles
PUT _xpack/security/role/identity_store-readonly
{
"indices": [
{
"names": ["identity_store"],
"privileges": ["read"]
}
]
}
PUT _xpack/security/role/identity_store-write
{
"indices": [
{
"names": ["identity_store"],
"privileges": ["index"]
}
]
}
PUT _xpack/security/role/order_items-abac-full
{
"indices": [
{
"names": ["order_items-*"],
"privileges": ["read"],
"query": {
"template": {
"source": "{\"terms\":{\"geoip.country_iso_code\":{{#toJson}}_user.metadata.visible_countries{{/toJson}}}}"
}
}
}
]
}
PUT _xpack/security/role/order_items-abac-restricted
{
"indices": [
{
"names": ["order_items-*"],
"privileges": ["read"],
"query": {
"template": {
"source": "{\"terms\":{\"geoip.country_iso_code\":{{#toJson}}_user.metadata.visible_countries{{/toJson}}}}"
}
},
"field_security" : {
"grant" : [ "*"],
"except": [ "geoip.location.*", "customer_gender", "customer_age" ]
}
}
]
}
PUT _xpack/security/role/order_items-fr-rbac-full
{
"indices": [
{
"names": ["order_items-*"],
"privileges": ["read"],
"query" : {
"term" : { "geoip.country_iso_code" : "FR" }
}
}
]
}
PUT _xpack/security/role/order_items-fr-rbac-restricted
{
"indices": [
{
"names": ["order_items-*"],
"privileges": ["read"],
"query" : {
"term" : { "geoip.country_iso_code" : "FR" }
},
"field_security" : {
"grant" : [ "*"],
"except": [ "geoip.location.*", "customer_gender", "customer_age" ]
}
}
]
}
PUT _xpack/security/role/order_items-gb-rbac-full
{
"indices": [
{
"names": ["order_items-*"],
"privileges": ["read"],
"query" : {
"term" : { "geoip.country_iso_code" : "GB" }
}
}
]
}
PUT _xpack/security/role/order_items-gb-rbac-restricted
{
"indices": [
{
"names": ["order_items-*"],
"privileges": ["read"],
"query" : {
"term" : { "geoip.country_iso_code" : "GB" }
},
"field_security" : {
"grant" : [ "*"],
"except": [ "geoip.location.*", "customer_gender", "customer_age" ]
}
}
]
}
# Add users
PUT _xpack/security/user/identity_reader
{
"username": "identity_reader",
"password": "testtest",
"roles": ["kibana_user", "identity_store-readonly"],
"full_name": "Identity Reader",
"email": "identity_reader@example.com"
}
PUT _xpack/security/user/identity_writer
{
"username": "identity_writer",
"password": "testtest",
"roles": ["kibana_user", "identity_store-write"],
"full_name": "Identity Writer",
"email": "identity_writer@example.com"
}
PUT _xpack/security/user/abac1
{
"username": "abac1",
"password": "testtest",
"roles": ["kibana_user", "order_items-abac-restricted"],
"full_name": "ABAC 1",
"email": "abac1@example.com",
"metadata": {
"visible_countries": ["GB", "FR"]
}
}
PUT _xpack/security/user/abac2
{
"username": "abac2",
"password": "testtest",
"roles": ["kibana_user", "order_items-abac-full"],
"full_name": "ABAC 2",
"email": "abac2@example.com",
"metadata": {
"visible_countries": ["GB"]
}
}
PUT _xpack/security/user/rbac1
{
"username": "rbac1",
"password": "testtest",
"roles": ["kibana_user", "order_items-fr-rbac-restricted", "order_items-gb-rbac-restricted"],
"full_name": "RBAC 1",
"email": "rbac1@example.com"
}
PUT _xpack/security/user/rbac2
{
"username": "rbac2",
"password": "testtest",
"roles": ["kibana_user", "order_items-gb-rbac-full"],
"full_name": "RBAC 2",
"email": "rbac2@example.com"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.