Configure Investigate for uploads

The upload center requires Federate version 38.2 or greater. Previous versions of Federate don’t have the required siren_dls rule support.

Import user

Uploads need a proxy user to perform index read and write operations on behalf of unprivileged users.

The import proxy user defaults to the Investigate backend user defined by the elasticsearch.username configuration parameter.

If you audit requests to your Elasticsearch cluster, change the proxy user to more effectively observe data import activity. You can do so with the following configuration parameters:

data_projects:
  username: 'data-import-user'
  password: 'long-unique-password'

Granting read and write permissions

Adding records in standard Elasticsearch indices requires explicit index-level permissions to read and write records.

The following is an example of an investigate_system role definition for Elastic Stack Security that gives the backend user the required permissions on the article index:

{
  "cluster": [
    "cluster:internal/federate/*",
    "cluster:admin/federate/*",
    "cluster:monitor/*",
    "manage_index_templates"
  ],
  "indices": [
    {
      "names": [
        "/\\.siren.*/",
        "/siren-.*/",
        "/watcher.*/",
        "/web-service-.*/"
      ],
      "privileges": [
        "all"
      ]
    },
    {
      "names": [
        "article"
      ],
      "privileges": [
        "read",
        "write"
      ]
    }
  ]
}

The following is an analogous investigate_system role definition for Search Guard Classic:

investigate_system:
  cluster_permissions:
  - CLUSTER_COMPOSITE_OPS
  - CLUSTER_MANAGE
  - CLUSTER_MONITOR
  index_permissions:
  - index_patterns:
    - 'siren-*'
    - '?siren*'
    - '?map__*'
    - 'watcher*'
    - web-service-*
    allowed_actions:
    - INDICES_ALL
  # Grant the backend user permission to read and write records on every standard ES index for which you want to enable data imports.
  - index_patterns:
    - 'article'
    allowed_actions:
    - READ
    - WRITE

Set up the required DLS rules

Follow the steps in Configuring security for shared indices to configure a sic_user role with the appropriate DLS rules for data projects segregation on the siren-* index pattern.

In the sic_user role definition, you must extend indices.names to include the index patterns of all Entity Tables that need to support uploads.

For example, to add uploads support for an Entity Table with a my-table-* index pattern, apply the following role definition for Elastic Stack security:

{
  "cluster": [
    "cluster:internal/federate/*"
  ],
  "indices": [
    {
      "names": [
        "/siren-.*/",
        "/my-table-.*"
      ],
      "privileges": [
        "indices:data/read*",
        "indices:admin/aliases/get",
        "indices:admin/aliases/exists",
        "indices:admin/get",
        "indices:admin/exists",
        "indices:admin/mappings/fields/get*",
        "indices:admin/mappings/get*",
        "indices:admin/types/exists",
        "indices:admin/validate/query"
      ],
      "query": {
        "siren_dls": {
          "dataspace": {
            "segregation": true,
            "field": "_siren.sic.namespace"
          },
          "project": {
            "segregation": true,
            "field": "_siren.projectId"
          },
          "import": {
            "segregation": true,
            "field": "_siren.projectImportId"
          }
        }
      }
    }
  ]
}

The following is an example of a Search Guard Classic role with uploads support for my-table-*:

# Permissions on shared index component indices for all users
sic_user:
  cluster_permissions:
  - CLUSTER_COMPOSITE_OPS_RO
  - CLUSTER_INTERNAL_FEDERATE
  index_permissions:
  - index_patterns:
    - 'siren-import-*'
    - 'my-table-*'
    allowed_actions:
    - READ
    - VIEW_INDEX_METADATA
    dls: '{
      "siren_dls": {
        "dataspace": {
          "segregation": true,
          "field": "_siren.sic.namespace"
        },
        "project": {
          "segregation": true,
          "field": "_siren.projectId"
        },
        "import": {
          "segregation": true,
          "field": "_siren.projectImportId"
        }
      }
    }'

Investigate access control

Data projects and uploads are global objects in Investigate, and they should be made accessible to normal users.

Open the Access control app, then click on the ACL tab at the top. Open ACL role everyone or a suitable role for unprivileged users, and add the following to the Saved object rules:

Table 1. Saved object rules for unprivileged users
Action Permission Object Type

Allow

View

Data project

Allow

Create private

Data project

Allow

View

Data import

Allow

Create private

Data import