How to deny access to the index by suffix

trautw · May 2, 2022, 5:05pm

Hello.
I need to provide access to indices like project_{random suffix}, but deny access to project_system and project_kubernetes

This doesn’t work (user see records from all indices):

project:
  index_permissions:
  - allowed_actions:
    - "SGS_READ"
    index_patterns:
    - "project*"
  - allowed_actions:
    index_patterns:
    - "project_system"
    - "project_kubernetes"

Could you please assist?
We use elk 7.10.2 and modern SearchGuard plugins.

Thanks

sirHusky · May 3, 2022, 9:41am

@trautw You would want to use Permission Exclusions, see example below:

my_role_using_exclusions:
  cluster_permissions:
    - "*"
  exclude_cluster_permissions:
    - SGS_MANAGE_SNAPSHOTS
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - SGS_CRUD
  exclude_index_permissions:
    - index_patterns:
       - "secret"
      actions:
       - "*"

Ensure the sg_config.yaml has do_not_fail_on_forbidden set to true
Further details available here