I have a requirement to restrict access to specific indices. Once I worked through some previous issues, I have no problems granting access for those indices to the specific groups I want to grant access to.
However, for the remaining indices (the ones which should be accessible to everyone), I want to simply blacklist the restricted indices, in order to avoid the headache of having to whitelist each new index pattern that is allowed to be accessed by all users.
Per the page Defining Search Guard Roles, I should be able to do this using a Java regex. As a result, I wrote the following role:
```yaml
# Grant read access on all indices except for those matching
# regex pattern.
readall_except:
  cluster:
    - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    /^(?!myapp-)\S*$/gm:
      '*':
        - "READ"
```
The regex for the index name should match anything, as long as it doesn’t start with `myapp-`. This regex appears to work correctly in a regex tester for the following index patterns (not matching the first, matching the second):
```text
myapp-filebeat-6.7.1-2019.05.01
notmyapp-filebeat-6.7.1-2019.05.01
```
However, when I plug this into Search Guard to test, my test user is denied access to all indices.
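As an added example (not part of the post and not Search Guard code), a small Python harness for checking which index names a role's regex matches as a whole string before the role is deployed. Python's `re` has the same semantics as Java's `java.util.regex` for the constructs used here (`^`, `$`, `(?!...)`, `\S`), and `fullmatch` mirrors Java's whole-string `matches()`; the index names are constructed from the post plus two extra edge cases, and `strip_js_literal` is a hypothetical helper.

```python
import re

# Constructed sample index names: the two from the post plus two edge cases.
INDEX_NAMES = [
    "myapp-filebeat-6.7.1-2019.05.01",     # should be excluded
    "notmyapp-filebeat-6.7.1-2019.05.01",  # should be allowed
    "myapp",    # no trailing hyphen: the lookahead does NOT exclude it
    ".kibana",  # unrelated system index: allowed
]


def allowed_indices(pattern: str, names) -> list:
    """Return the names the regex matches in full.

    Whole-string matching is what matters for an authorization decision:
    a pattern either covers the complete index name or it does not.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.fullmatch(n)]


def strip_js_literal(pattern: str) -> str:
    """Return the body of a JavaScript-style regex literal (/body/flags).

    Online regex testers display patterns in this literal form. The slashes
    and flags are not part of the regex itself: kept in the pattern, the
    leading '/' becomes a literal character that must precede '^', which can
    never happen, so nothing matches. Flags are dropped, not translated:
    'g' is meaningless for a single match and 'm' would change what ^ and $
    anchor to. A pattern without delimiters is returned unchanged.
    """
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern)
    return m.group(1) if m else pattern


if __name__ == "__main__":
    as_typed = r"/^(?!myapp-)\S*$/gm"
    print("as typed:     ", allowed_indices(as_typed, INDEX_NAMES))
    print("body only:    ", allowed_indices(strip_js_literal(as_typed), INDEX_NAMES))
```

The second line of output shows that the bare pattern excludes only names beginning with `myapp-`, so an index named plainly `myapp` would still be readable by everyone; the first line shows that the pattern with its `/.../gm` wrapper left in matches no index name at all.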