Configuring security for Web services

Prerequisites

When security is enabled in Investigate, the following permissions must be added to the investigate_system role:

Search Guard on Elasticsearch 6.x
indices:
  'web-service-*':
    '*':
      - READ
      - VIEW_INDEX_METADATA
      - MANAGE
      - WRITE
Search Guard on Elasticsearch 7.x
index_permissions:
  - index_patterns:
      - web-service-*
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
      - MANAGE
      - WRITE
Elastic Stack Security
{
  "indices": [
    {
      "names": ["web-service-*"],
      "privileges": ["read", "view_index_metadata", "manage", "write"]
    }
  ]
}

Allowing users to view Web service data

A role should be created with the following permissions so users can see data produced by Web service invocations:

Search Guard on Elasticsearch 6.x
indices:
  web-service-*-invocations:
    '*':
      - READ
      - VIEW_INDEX_METADATA
      _dls_: '{"term" : {"invocation.user" : "${user.name}"}}'
  web-service-*-results-*:
    '*':
      - READ
      - VIEW_INDEX_METADATA
Search Guard on Elasticsearch 7.x
index_permissions:
  - index_patterns:
      - web-service-*-invocations
    dls: '{"term" : {"invocation.user" : "${user.name}"}}'
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
  - index_patterns:
      - web-service-*-results-*
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
Elastic Stack Security
{
  "indices": [
    {
      "names": ["web-service-*-invocations"],
      "privileges": ["read", "view_index_metadata"],
      "query": {
        "template": {
          "source": {
            "term": {
              "invocation.user": "{{_user.username}}"
            }
          }
        }
      }
    },
    {
      "names": ["web-service-*-results-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

This lets users see information about their own invocations, as well as all result data stored in dedicated indices.

Restricting Web services and profiles

You can restrict which Web services and profiles a user can see and invoke by configuring saved object ACL rules.

Each Web service and profile has an associated saved object, so you can use ACL configuration to hide them or disable them entirely for certain roles.

Restricting data for use with Web services

You can restrict the Web service groups whose data a user can see by using an index pattern.

The format of a result index is as follows:

web-service-<group>-<webService>-results-<resultType>

For example, to allow a user access to data from only the jsonwhois Web service group, grant them the following permissions:

Search Guard on Elasticsearch 6.x
indices:
  'web-service-jsonwhois-*':
    '*':
      - READ
      - VIEW_INDEX_METADATA
Search Guard on Elasticsearch 7.x
index_permissions:
  - index_patterns:
      - web-service-jsonwhois-*
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
Elastic Stack Security
{
  "indices": [
    {
      "names": ["web-service-jsonwhois-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}
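
The following added example (not part of the original page or of the product's code) checks offline which indices a role's index patterns cover and whether a document-level security (DLS) query applies to each. The sample index names are constructed: result names follow the format above, while the invocation index names and the hyphenated group jsonwhois-v2 are assumptions.

```python
import re

# Constructed sample index names. Result indices follow the page's
# web-service-<group>-<webService>-results-<resultType> format; the invocation
# index names and the hyphenated group "jsonwhois-v2" are assumptions.
SAMPLE_INDICES = [
    "web-service-jsonwhois-whois-invocations",
    "web-service-jsonwhois-whois-results-record",
    "web-service-jsonwhois-v2-lookup-results-record",
    "web-service-geo-lookup-invocations",
    "web-service-geo-lookup-results-place",
]

# Grants as (index pattern, has a DLS query), copied from the roles on this page.
VIEWER_ROLE = [
    ("web-service-*-invocations", True),
    ("web-service-*-results-*", False),
]
JSONWHOIS_ROLE = [("web-service-jsonwhois-*", False)]

def pattern_to_regex(pattern):
    """Compile an index pattern in which '*' is the only wildcard."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def audit_role(grants, indices=SAMPLE_INDICES):
    """Map each index to 'none', 'dls', 'no-dls' or 'mixed'.

    'mixed' means grants with and without a DLS query both match; how they
    combine depends on the security plugin and version, so review those.
    """
    report = {}
    for index in indices:
        hits = {dls for pattern, dls in grants
                if pattern_to_regex(pattern).fullmatch(index)}
        if not hits:
            report[index] = "none"
        elif hits == {True}:
            report[index] = "dls"
        elif hits == {False}:
            report[index] = "no-dls"
        else:
            report[index] = "mixed"
    return report

if __name__ == "__main__":
    for name, role in [("viewer", VIEWER_ROLE), ("jsonwhois", JSONWHOIS_ROLE),
                       ("both", VIEWER_ROLE + JSONWHOIS_ROLE)]:
        for index, verdict in audit_role(role).items():
            print(f"{name:10} {index:48} {verdict}")
```

With these sample names, the jsonwhois pattern also covers the jsonwhois invocation index without a DLS query and any group whose name begins with "jsonwhois-", so check real index names against a pattern before granting it.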