Do I need an Enterprise license?

Hi Friends, I'm new to ELK and SG, so I have a single question:

I need ELK users to access only their specific logs.

For example, as the image shows:

A user who has that container id can only read the logs of this container.

I understand that this is only possible with a paid version of Search Guard. Is it true?

Thanks!

To answer that question I’d need to have more insight into how your data is structured. In other words - it depends :wink:

So if your logs are stored in one index, and you want to show only parts of the documents to a user based on the container id, then the answer is yes. You need to use Document-Level security for that. So say when a user authenticates and has a user attribute container_id, you can use a dynamic DLS query that matches this user attribute with the container.id field of your documents to filter out non-matching documents. This would require an Enterprise license.

If you have multiple indices, one per container id, and the index name contains the container id you can use the Community Edition and the dynamic index name/variable substitution feature to achieve this:

https://docs.search-guard.com/latest/roles-permissions#dynamic-index-names-user-attributes

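An added illustration of the two options described in the answer above (not part of the original thread and not taken from the Search Guard documentation). It assumes Search Guard 6-style `sg_internal_users.yml` and `sg_roles.yml`; the user name, role names, the `logs-<container id>` index naming and the `container_id` attribute value are hypothetical.

```yaml
# --- sg_internal_users.yml (constructed sample user) ---
# The attribute is set by the administrator, never by the user.
daniel:
  hash: <bcrypt-hash-placeholder>
  attributes:
    container_id: "abc123"          # constructed value

# --- sg_roles.yml ---
# Option 1 (Community Edition): one index per container.
# The index pattern is resolved per user from the container_id
# attribute, so this user can only read the index logs-abc123.
sg_container_logs_by_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'logs-${attr.internal.container_id}':
      '*':
        - READ

# Option 2 (Enterprise, Document-Level Security): one shared index.
# Every read is filtered by a DLS query that matches the user's
# attribute against the container.id field of each document.
# container.id should be mapped as keyword so the term query is an
# exact match.
sg_container_logs_by_dls:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'logs':
      '*':
        - READ
      _dls_: '{"term": {"container.id": "${attr.internal.container_id}"}}'
```

With option 1, grant only the substituted pattern: a broader pattern such as `logs-*` in any other role mapped to the same user would expose every container's logs.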

Hi Jochen,

It is exactly what I needed to know.

As you say, I have an index and I want to show parts of the index.

I’m going to look at the multiple indices option.

Thanks for helping!!

On Tuesday, August 21, 2018 at 4:01:36 (UTC+2), Jochen Kressin wrote:

To answer that question I’d need to have more insight into how your data is structured. In other words - it depends :wink:

So if your logs are stored in one index, and you want to show only parts of the documents to a user based on the container id, then the answer is yes. You need to use Document-Level security for that. So say when a user authenticates and has a user attribute container_id, you can use a dynamic DLS query that matches this user attribute with the container.id field of your documents to filter out non-matching documents. This would require an Enterprise license.

If you have multiple indices, one per container id, and the index name contains the container id you can use the Community Edition and the dynamic index name/variable substitution feature to achieve this:

https://docs.search-guard.com/latest/roles-permissions#dynamic-index-names-user-attributes
