-
-
Save mbarretta/924be652103c97c4744eef7796e80f6d to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| # NOTE: This script has a dependency on python for parsing | |
| ES_URL=http://localhost:9200 | |
| ES_USER=elastic | |
| ES_PASS=changeme | |
| ################## | |
| JSON_CONTENT_TYPE="-H Content-Type:application/json" | |
| echo -e "Create index\n" | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test -d '{ | |
| "settings": { | |
| "index": { | |
| "number_of_replicas": 0, | |
| "number_of_shards": 1 | |
| } | |
| }, | |
| "mappings": { | |
| "properties": { | |
| "security_attributes": { | |
| "properties": { | |
| "level": {"type":"short"}, | |
| "programs": {"type":"keyword"}, | |
| "min_programs": {"type":"short"} | |
| } | |
| }, | |
| "body":{"type":"text"} | |
| } | |
| } | |
| }' | |
| echo -e "\n\nIngest documents:\n" | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test/_doc/1 -d '{ | |
| "security_attributes": { | |
| "level": 2, | |
| "programs": ["alpha", "beta"], | |
| "min_programs": 2 | |
| }, | |
| "body": "This document contains information that should only be visible to those at level 2 or higher, with access to both the alpha and beta programs" | |
| }' | |
| echo | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test/_doc/2 -d '{ | |
| "security_attributes": { | |
| "level": 2, | |
| "programs": ["alpha", "beta", "charlie"], | |
| "min_programs": 3 | |
| }, | |
| "body": "This document contains information that should only be visible to those at level 2 or higher, with access to the alpha, beta, and charlie programs" | |
| }' | |
| echo | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test/_doc/3 -d '{ | |
| "security_attributes": { | |
| "level": 3, | |
| "programs": ["charlie"], | |
| "min_programs": 1 | |
| }, | |
| "body": "This document contains information that should only be visible to those at level e or higher, with access to the charlie program" | |
| }' | |
| echo -e "\n\nAdd roles and users:\n" | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/role/my_policy -d '{ | |
| "indices": [ | |
| { | |
| "names": ["abac-test"], | |
| "privileges": ["read"], | |
| "query": { | |
| "template": { | |
| "source": "{\"bool\": {\"filter\": [{\"range\": {\"security_attributes.level\": {\"lte\": \"{{_user.metadata.level}}\"}}},{\"terms_set\": {\"security_attributes.programs\": {\"terms\": {{#toJson}}_user.metadata.programs{{/toJson}},\"minimum_should_match_field\": \"security_attributes.min_programs\"}}}, {\"script\": {\"script\": {\"inline\": \"!LocalDateTime.ofInstant(Calendar.getInstance().toInstant(), ZoneId.systemDefault()).isAfter(LocalDateTime.parse('\''{{_user.metadata.certification_date}}'\'').plusYears(1))\"}}}]}}" | |
| } | |
| } | |
| }] | |
| }' | |
| echo | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/jack_black -d '{ | |
| "username": "jack_black", | |
| "password": "testtest", | |
| "roles": ["my_policy"], | |
| "full_name": "Jack Black", | |
| "email": "jb@tenaciousd.com", | |
| "metadata": { | |
| "programs": ["alpha", "beta"], | |
| "level": 2, | |
| "certification_date": "2021-01-02T00:00:00" | |
| } | |
| }' | |
| echo | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/barry_white -d '{ | |
| "username": "barry_white", | |
| "password": "testtest", | |
| "roles": ["my_policy"], | |
| "full_name": "Barry White", | |
| "email": "bw@cantgetenough.com", | |
| "metadata": { | |
| "programs": ["alpha", "beta", "charlie"], | |
| "level": 2, | |
| "certification_date": "2021-01-02T00:00:00" | |
| } | |
| }' | |
| echo | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/earl_grey -d '{ | |
| "username": "earl_grey", | |
| "password": "testtest", | |
| "roles": ["my_policy"], | |
| "full_name": "Earl Grey", | |
| "email": "eg@hot.com", | |
| "metadata": { | |
| "programs": ["charlie"], | |
| "level": 3, | |
| "certification_date": "2021-01-02T00:00:00" | |
| } | |
| }' | |
| echo | |
| curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/james_brown -d '{ | |
| "username": "james_brown", | |
| "password": "testtest", | |
| "roles": ["my_policy"], | |
| "full_name": "James Brown", | |
| "email": "jb2@newbag.com", | |
| "metadata": { | |
| "programs": ["alpha", "beta", "charlie"], | |
| "level": 5, | |
| "certification_date": "2020-01-02T00:00:00" | |
| } | |
| }' | |
| echo -e "\n\nRun tests:" | |
| echo -e "\nJack Black: expect IDs = [1]" | |
| curl -s $JSON_CONTENT_TYPE -u jack_black:testtest $ES_URL/abac-test/_search | python -c "import sys,json;print json.dumps([h['_id'] for h in json.load(sys.stdin)['hits']['hits']])" | |
| echo -e "\nBarry White: expect IDs = [1,2]" | |
| curl -s $JSON_CONTENT_TYPE -u barry_white:testtest $ES_URL/abac-test/_search | python -c "import sys,json;print json.dumps([h['_id'] for h in json.load(sys.stdin)['hits']['hits']])" | |
| echo -e "\nEarl Grey: expect IDs = [3]" | |
| curl -s $JSON_CONTENT_TYPE -u earl_grey:testtest $ES_URL/abac-test/_search | python -c "import sys,json;print json.dumps([h['_id'] for h in json.load(sys.stdin)['hits']['hits']])" | |
| #we don't expect any results for James Brown because his certification date is over one year old | |
| echo -e "\nJames Brown: expect IDs = []" | |
| curl -s $JSON_CONTENT_TYPE -u james_brown:testtest $ES_URL/abac-test/_search | python -c "import sys,json;print json.dumps([h['_id'] for h in json.load(sys.stdin)['hits']['hits']])" |
hi,
As per the example in your blog https://www.elastic.co/blog/attribute-based-access-control-elasticsearch
when I try this, I get the following error
PUT my_index_1
{
"mappings": {
"doc": {
"properties": {
"security_attributes": {
"properties": {
"level": {"type":"short"},
"programs": {"type":"keyword"},
"min_programs": {"type":"short"}
}
},
"body":{"type":"text"}
}
}
}
}
{
"error" : {
"root_cause" : [
{
"type" : "mapper_parsing_exception",
"reason" : "Root mapping definition has unsupported parameters: [doc : {properties={security_attributes={properties={level={type=short}, min_programs={type=short}, programs={type=keyword}}}, body={type=text}}}]"
}
],
"type" : "mapper_parsing_exception",
"reason" : "Failed to parse mapping [_doc]: Root mapping definition has unsupported parameters: [doc : {properties={security_attributes={properties={level={type=short}, min_programs={type=short}, programs={type=keyword}}}, body={type=text}}}]",
"caused_by" : {
"type" : "mapper_parsing_exception",
"reason" : "Root mapping definition has unsupported parameters: [doc : {properties={security_attributes={properties={level={type=short}, min_programs={type=short}, programs={type=keyword}}}, body={type=text}}}]"
}
},
"status" : 400
}
@Dinakar4323
The example was for v6.x. In 7.x the API changed as types continued their deprecation schedule.
I updated the gist to swap _doc for doc, though haven't tried the rest out in v7.x to see if anything else changed.
Again trying to highlight that the Attributes can be in the document and the policy/roles sections.
#we don't expect any results for James Brown because his certification date is over one year old based on my_policy attribute, and not an attribute of the document.