Blacklist Indices

I have a requirement to restrict access to specific indices. Once I worked through some previous issues, I have no problems granting access for those indices to the specific groups I want to grant access to.

However, for the remaining indices (the ones which should be accessible to everyone), I want to simply blacklist the restricted indices, in order to avoid the headache of having to whitelist each new index pattern that is allowed to be accessed by all users.

Per the page Defining Search Guard Roles, I should be able to do this using a Java regex. As a result, I wrote the following role:

# Grant read access on all indices except for those matching
# regex pattern.
readall_except:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    /^(?!myapp-)\S*$/gm:
      '*':
      - "READ"

The regex for the index name should match anything, as long as it doesn’t start with myapp-. This regex appears to work correctly in a regex tester for the following index patterns (not matching the first, matching the second):

myapp-filebeat-6.7.1-2019.05.01
notmyapp-filebeat-6.7.1-2019.05.01

However, when I plug this into Search Guard to test, my test user is denied access to all indices.

can your try

# Grant read access on all indices except for those matching
# regex pattern.
readall_except:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    '/(?!myapp-)\S*/':
      '*':
      - "READ"

That did the trick. However, won’t that still match notmyapp-...? Admittedly, we don’t currently have any applications with naming schemas that closely matched, but I like to proactively avoid issues.

Modifying it to:

# Grant read access on all indices except for those matching
# regex pattern.
readall_except:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    '/^(?!myapp-)\S*$/':
      '*':
      - "READ"

still works and avoids the issue of matching similar indices.

Thanks!

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.