Configure DLS settings in e.g. LDAP

I would like to delegate DLS settings to a couple of people who don’t have access to sgadmin. Is there any facility in searchguard to do this?

I took a look at the REST API and can’t see anything appropriate there.

I see that in LDAP roles can be assigned… but I don’t see a way to define roles there.

If there isn’t anything already, I’ll fall back to having the sg_*.yml config files generated by ansible and jinja2 templates (and pull some settings from a source that others can update), which I expect to work nicely.

Thanks.

tom

Yes, this seems to be missing in the docs indeed, thanks for the hint.

If the question is: Is there an endpoint where I can modify DLS and FLS for a role, but nothing more, then the answer is no. However, since the DLS and FLS settings are stored per role, you can use the roles endpoint and just add the settings to the index like:


```
"myindex": {
  "*": [
    "READ"
  ],
  "_dls_": "{ \"bool\": { \"must_not\": { \"match\": { \"Designation\": \"CEO\" }}}}",
  "_fls_": [
    "Designation",
    "FirstName",
    "LastName",
    "Salary"
  ]
}…
```

Just make sure to escape the quotes in the DLS query correctly.


On Tuesday, December 5, 2017 at 1:11:00 AM UTC+1, Tom Ryan wrote:

I would like to delegate DLS settings to a couple of people who don’t have access to sgadmin. Is there any facility in searchguard to do this?

I took a look at the REST API and can’t see anything appropriate there.

I see that in LDAP roles can be assigned… but I don’t see a way to define roles there.

If there isn’t anything already, I’ll fall back to having the sg_*.yml config files generated by ansible and jinja2 templates (and pull some settings from a source that others can update), which I expect to work nicely.

Thanks.

tom
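The escaping the reply warns about can be left to a JSON serializer instead of being done by hand. This is an added example, not part of the original thread and not Search Guard's own code. The function names and the `"indices"` wrapper key are assumptions; the sample query and fields are taken from the reply.

```python
import json

def build_index_entry(permissions, dls_query=None, fls_fields=None):
    """Per-index block of a role: permissions plus optional DLS/FLS settings."""
    entry = {"*": list(permissions)}
    if dls_query is not None:
        if not isinstance(dls_query, dict) or not dls_query:
            raise ValueError("DLS query must be a non-empty JSON object")
        # DLS is stored as a *string* holding the query. Serializing it here
        # means the outer json.dumps escapes its inner quotes for us.
        entry["_dls_"] = json.dumps(dls_query)
    if fls_fields:
        entry["_fls_"] = list(fls_fields)
    return entry

def build_role_body(index, permissions, dls_query=None, fls_fields=None):
    """JSON text for a role. The "indices" wrapper is an assumed role layout."""
    entry = build_index_entry(permissions, dls_query, fls_fields)
    return json.dumps({"indices": {index: entry}}, indent=2)

def check_role_body(body):
    """Return a list of problems found in a hand-written or generated body."""
    try:
        role = json.loads(body)
    except json.JSONDecodeError as exc:
        # Typical cause: quotes inside the DLS query were not escaped.
        return [f"body is not valid JSON: {exc.msg}"]
    problems = []
    for index, entry in role.get("indices", {}).items():
        dls = entry.get("_dls_")
        if dls is None:
            continue
        if not isinstance(dls, str):
            problems.append(f"{index}: _dls_ must be a string, not an object")
            continue
        try:
            if not isinstance(json.loads(dls), dict):
                problems.append(f"{index}: _dls_ is not a JSON object")
        except json.JSONDecodeError as exc:
            problems.append(f"{index}: _dls_ is not valid JSON: {exc.msg}")
    return problems

# Query and field list from the reply above.
THREAD_DLS = {"bool": {"must_not": {"match": {"Designation": "CEO"}}}}
THREAD_FLS = ["Designation", "FirstName", "LastName", "Salary"]

if __name__ == "__main__":
    body = build_role_body("myindex", ["READ"], THREAD_DLS, THREAD_FLS)
    print(body)
    print(check_role_body(body))
```

Running `check_role_body` over bodies produced by templates or submitted by delegated editors catches a broken DLS string before it is sent to the roles endpoint.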