TL;DR
Add the capability to define `exclude_patterns` in `sg_roles.yml`.
Use Case
As an administrator, I need to grant role-based access to specific indices only to certain users; all users (including those users) should have access to all remaining indices.
Background
We primarily use our Elastic Stack for log aggregation, so our permission structure in Elastic is permissive: we grant all users the ability to view all data unless there is a specific reason to exclude them from viewing that data (e.g., the logs of specific applications, or security logs).
In our environment there are multiple applications whose data needs to be restricted. This can currently be done with a regex index pattern (see below):
```yaml
# Grant read access on all indices except for those matching
# regex pattern.
READALL_EXCEPT:
  reserved: false
  hidden: false
  description: 'Grant RO access to indices for users.'
  cluster_permissions:
    - 'SGS_CLUSTER_COMPOSITE_OPS_RO'
  index_permissions:
    - index_patterns:
        - '/^(?!first-app-|second-app-|third-app-|fourth-app-)\S*$/'
      fls: []
      masked_fields: []
      allowed_actions:
        - 'SGS_READ'
  tenant_permissions: []
  static: false
```
The Problem
While this solution works, once several index patterns must be restricted the regex becomes difficult to write, maintain, and debug. Additionally, it is difficult to manage through the Kibana Search Guard Roles UI.
The Solution
A more straightforward solution would be to add an additional dictionary item that may be defined in an `index_permissions` list item: the `exclude_patterns` item. Like the `index_patterns` item, its value would be a list of index patterns, which would then be excluded from that index permission. In the example below, users who are part of the `READALL_EXCEPT` role would have `READ` access to all index patterns except those listed in `exclude_patterns`.
```yaml
# Grant read access on all indices except for those matching
# an exclude pattern.
READALL_EXCEPT:
  reserved: false
  hidden: false
  description: 'Grant RO access to indices for users.'
  cluster_permissions:
    - 'SGS_CLUSTER_COMPOSITE_OPS_RO'
  index_permissions:
    - index_patterns:
        - '*'
      exclude_patterns:
        - 'first-app-*'
        - 'second-app-*'
        - 'third-app-*'
        - 'fourth-app-*'
      fls: []
      masked_fields: []
      allowed_actions:
        - 'SGS_READ'
  tenant_permissions: []
  static: false
```
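As an added illustration (not Search Guard's own code), the following Python evaluator applies the proposed semantics, where an `index_permissions` entry grants an index if it matches any `index_patterns` entry and none of the `exclude_patterns` entries, and checks that the glob-based role above agrees with the regex-based role from the Background section over a set of constructed index names, including near-miss names such as `first-application-logs` that must stay readable. The slash-delimited regex convention and glob matching for everything else are assumptions of this example.

```python
import fnmatch
import re

# Hypothetical evaluator for the proposed `exclude_patterns` semantics (an
# assumption of this example, not Search Guard's implementation): an index is
# granted by an index_permissions entry when it matches at least one
# index_patterns entry and no exclude_patterns entry. Patterns wrapped in
# slashes ('/.../') are treated as regular expressions, anything else as a glob.

def pattern_matches(pattern: str, index: str) -> bool:
    """Match one Search Guard-style index pattern against an index name."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index) is not None
    return fnmatch.fnmatchcase(index, pattern)


def index_allowed(role: dict, index: str) -> bool:
    """True when any index_permissions entry of the role grants the index."""
    for perm in role.get("index_permissions", []):
        included = any(pattern_matches(p, index) for p in perm.get("index_patterns", []))
        excluded = any(pattern_matches(p, index) for p in perm.get("exclude_patterns", []))
        if included and not excluded:
            return True
    return False


# Constructed role definitions mirroring the two YAML blocks on this page.
REGEX_ROLE = {"index_permissions": [
    {"index_patterns": ["/^(?!first-app-|second-app-|third-app-|fourth-app-)\\S*$/"],
     "allowed_actions": ["SGS_READ"]}]}
EXCLUDE_ROLE = {"index_permissions": [
    {"index_patterns": ["*"],
     "exclude_patterns": ["first-app-*", "second-app-*", "third-app-*", "fourth-app-*"],
     "allowed_actions": ["SGS_READ"]}]}

# Constructed sample index names, including near-miss names that must stay readable.
SAMPLE_INDICES = ["syslog-2024.01.01", "first-app-2024.01.01", "second-app",
                  "fifth-app-logs", "first-application-logs", ".kibana"]


def compare_roles(indices=SAMPLE_INDICES) -> dict:
    """Map each index name to (regex role allows, exclude_patterns role allows)."""
    return {i: (index_allowed(REGEX_ROLE, i), index_allowed(EXCLUDE_ROLE, i))
            for i in indices}


if __name__ == "__main__":
    for name, (regex_ok, excl_ok) in compare_roles().items():
        print(f"{name:26} regex={regex_ok!s:5} exclude_patterns={excl_ok!s:5}")
```

Extending `SAMPLE_INDICES` with your own index naming scheme is a quick way to confirm the two role definitions stay equivalent before migrating a role from the regex form to the proposed `exclude_patterns` form.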
Benefits
This would have the following benefits:
- Easier to write/maintain/debug.
- Does not require knowledge of regex, allowing permission create/update/delete operations to be delegated to an L1 team or security team within the organization, resulting in lower resource costs.