Proposal: implement group access verification in Data Discovery
In the "old" Faidare application, which was in charge of the searches and of the detailed cards, every access to Elasticsearch targeted one or more indices based on the group IDs of the currently authenticated user.
For reference, these group IDs are obtained by
- looking at the user name in the basic authorization header (in the `AuthenticationFilter`)
- storing it in the `AuthenticationStore` (in a ThreadLocal)
- fetching the group IDs from an in-memory cache, that loads them from an external web service (in `UserGroupsResourceClient`)
Faidare is now split in two separate applications:
- the Faidare flavor of data-discovery, using Spring Data ES
- the Faidare application, still using the same code as the "old" Faidare
Using the same strategy in data-discovery doesn't seem easily doable, because Spring Data considers (and is right to do so, IMHO) that a document belongs to a single index.
So my proposal is
- to keep the Faidare code as is, because changing it is too much of a burden for Ninja Squad, and out of our comfort zone anyway.
- to implement access control in a different, simpler way in data-discovery
In detail, here's how it would work in data-discovery:
- The faidare documents would have an additional property of type `int`, named `groupId`. This would have to be populated, as all the other fields, by the ETL
- In a similar way as in Faidare, the faidare flavor of data-discovery would get the user name from the authorization header, get the user groups for that user, and store them in a cache
- The FaidareDaoImpl of data-discovery would add a criterion to the queries used for search and aggregation which, in SQL, would be `AND faidare_document.group_id in (:accessibleGroupsOfCurrentUser)`

Note that `accessibleGroupsOfCurrentUser` would always contain the ID `0`, even if the user is not authenticated: 0 is the public group ID.
Please tell me if this proposal suits you.
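
The SQL-style criterion in the proposal, written as an Elasticsearch query restriction. This is an added example, not part of the original proposal or of the data-discovery code base. It assumes the Elasticsearch `QueryBuilders` client classes are on the classpath; the class and method names are hypothetical, and only the `groupId` field and the public group ID 0 come from the proposal.

```java
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;

import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;

/** Added illustration; class and method names are hypothetical, not data-discovery code. */
public final class GroupAccessFilter {

    /** 0 is the public group ID, per the proposal. */
    public static final int PUBLIC_GROUP_ID = 0;

    /** Field the ETL would populate on each faidare document, per the proposal. */
    public static final String GROUP_ID_FIELD = "groupId";

    private GroupAccessFilter() {
    }

    /**
     * Groups the current user may read. Always contains the public group, so an
     * unauthenticated user (null or empty input) gets exactly {0}.
     */
    public static Set<Integer> accessibleGroups(Collection<Integer> groupsOfCurrentUser) {
        Set<Integer> accessible = new TreeSet<>();
        accessible.add(PUBLIC_GROUP_ID);
        if (groupsOfCurrentUser != null) {
            accessible.addAll(groupsOfCurrentUser);
        }
        return accessible;
    }

    /**
     * Wraps the user's query so that only documents whose groupId is accessible match.
     * The restriction sits in the main query (not in a post_filter), so aggregations
     * computed for the same request are restricted to the same documents and their
     * bucket counts do not reveal documents the user cannot read.
     */
    public static QueryBuilder restrict(QueryBuilder userQuery,
                                        Collection<Integer> groupsOfCurrentUser) {
        return QueryBuilders.boolQuery()
            .must(userQuery)
            .filter(QueryBuilders.termsQuery(GROUP_ID_FIELD,
                                             accessibleGroups(groupsOfCurrentUser)));
    }
}
```

The group IDs passed to `restrict` should come only from the server-side lookup described above, never from a request parameter.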