Configure Investigate for uploads
The upload center requires Federate version 38.2 or greater. Previous versions of Federate don’t have the required |
Import user
Uploads need a proxy user to perform index read and write operations on behalf of unprivileged users.
The import proxy user defaults to the Investigate backend user defined by the elasticsearch.username
configuration parameter.
If you audit requests to your Elasticsearch cluster, change the proxy user to more effectively observe data import activity. You can do so with the following configuration parameters:
data_projects:
username: 'data-import-user'
password: 'long-unique-password'
Granting read and write permissions
Adding records in standard Elasticsearch indices requires explicit index-level permissions to read and write records.
The following is an example of an investigate_system
role definition for Elastic Stack Security that gives the backend user the required permissions on the article
index:
{
"cluster": [
"cluster:internal/federate/*",
"cluster:admin/federate/*",
"cluster:monitor/*",
"manage_index_templates"
],
"indices": [
{
"names": [
"/\\.siren.*/",
"/siren-.*/",
"/watcher.*/",
"/web-service-.*/"
],
"privileges": [
"all"
]
},
{
"names": [
"article"
],
"privileges": [
"read",
"write"
]
}
]
}
The following is an analogous investigate_system
role definition for Search Guard Classic:
investigate_system:
cluster_permissions:
- CLUSTER_COMPOSITE_OPS
- CLUSTER_MANAGE
- CLUSTER_MONITOR
index_permissions:
- index_patterns:
- 'siren-*'
- '?siren*'
- '?map__*'
- 'watcher*'
- web-service-*
allowed_actions:
- INDICES_ALL
# Grant the backend user permission to read and write records on every standard ES index for which you want to enable data imports.
- index_patterns:
- 'article'
allowed_actions:
- READ
- WRITE
Set up the required DLS rules
Follow the steps in
Configuring security for shared indices
to configure a sic_user
role with the appropriate DLS rules for data projects segregation on the siren-*
index pattern.
In the sic_user
role definition, you must extend indices.names
to include the index patterns of all Entity Tables that need to support uploads.
For example, to add uploads support for an Entity Table with a my-table-*
index pattern, apply the following role definition for Elastic Stack security:
{
"cluster": [
"cluster:internal/federate/*"
],
"indices": [
{
"names": [
"/siren-.*/",
"/my-table-.*"
],
"privileges": [
"indices:data/read*",
"indices:admin/aliases/get",
"indices:admin/aliases/exists",
"indices:admin/get",
"indices:admin/exists",
"indices:admin/mappings/fields/get*",
"indices:admin/mappings/get*",
"indices:admin/types/exists",
"indices:admin/validate/query"
],
"query": {
"siren_dls": {
"dataspace": {
"segregation": true,
"field": "_siren.sic.namespace"
},
"project": {
"segregation": true,
"field": "_siren.projectId"
},
"import": {
"segregation": true,
"field": "_siren.projectImportId"
}
}
}
}
]
}
The following is an example of a Search Guard Classic role with uploads support for my-table-*
:
# Permissions on shared index component indices for all users
sic_user:
cluster_permissions:
- CLUSTER_COMPOSITE_OPS_RO
- CLUSTER_INTERNAL_FEDERATE
index_permissions:
- index_patterns:
- 'siren-import-*'
- 'my-table-*'
allowed_actions:
- READ
- VIEW_INDEX_METADATA
dls: '{
"siren_dls": {
"dataspace": {
"segregation": true,
"field": "_siren.sic.namespace"
},
"project": {
"segregation": true,
"field": "_siren.projectId"
},
"import": {
"segregation": true,
"field": "_siren.projectImportId"
}
}
}'
Investigate access control
Data projects and uploads are global objects in Investigate, and they should be made accessible to normal users.
Open the Access control app, then click on the ACL tab at the top. Open ACL role everyone
or a suitable role for unprivileged users, and add the following to the Saved object rules:
Action | Permission | Object Type |
---|---|---|
Allow |
View |
Data project |
Allow |
Create private |
Data project |
Allow |
View |
Data import |
Allow |
Create private |
Data import |