Add capability to define exclude_patterns in sg_roles.yml

TL;DR

Add capability to define exclude_patterns in sg_roles.yml.

Use Case

As an administrator, I need to grant role-based access to specific indices only to certain users; all users (including those users) should have access to all remaining indices.

Background

We primarily use our Elastic Stack for log aggregation, so our permission structure in Elastic is permissive: We grant all users the ability to view all data unless there is a specific reason to exclude them from viewing that data (i.e., specific applications or security logs).

In our environment, there are multiple applications, which need to have data restricted. This can currently be done by using a regex index pattern (see below):

# Grant read access on all indices except for those matching
# regex pattern.
READALL_EXCEPT:
  reserved: false
  hidden: false
  description: 'Grant RO access to indices for users.'
  cluster_permissions:
    - 'SGS_CLUSTER_COMPOSITE_OPS_RO'
  index_permissions:
    - index_patterns:
        - '/^(?!first-app-|second-app-|third-app-|fourth-app-)\S*$/'
      fls: []
      masked_fields: []
      allowed_actions:
        - 'SGS_READ'
  tenant_permissions: []
  static: false

The Problem

While this solution works, when there are multiple index patterns which must have restricted access, it is difficult to write, maintain, and debug this regex pattern. Additionally, it is difficult to do through the Kibana Search Guard Roles UI.

The Solution

A more straightforward solution would be to add an additional dictionary item, which may be defined in an index_permission list item. This would be the exclude_patterns item.

Like the index_patterns item, the value of this item would be a list of index patterns, which would then be excluded from that index permission. In the example below, users who are part of the READALL_EXCEPT role would have READ access to all index patterns, except those listed the exclude_patterns.

# Grant read access on all indices except for those matching
# regex pattern.
READALL_EXCEPT:
  reserved: false
  hidden: false
  description: 'Grant RO access to indices for users.'
  cluster_permissions:
    - 'SGS_CLUSTER_COMPOSITE_OPS_RO'
  index_permissions:
    - index_patterns:
        - '*'
      exclude_patterns:
        - 'first-app-*'
        - 'second-app-*'
        - 'third-app-*'
        - 'fourth-app-*'
      fls: []
      masked_fields: []
      allowed_actions:
        - 'SGS_READ'
  tenant_permissions: []
  static: false

Benefits

This would have the following benefits:

  • Easier to write/maintain/debug.
  • Does not require knowledge of regex, allowing permissions create/update/delete to be sourced to an L1 team or security team within the organization, resulting in lower resource costs.

Upvoted and added to the backlog.

1 Like