Configuring security for Web services

Prerequisites

When security is enabled in Investigate, the following permissions must be added to the investigate_system role:

Search Guard Classic:
index_permissions:
  - index_patterns:
      - web-service-*
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
      - MANAGE
      - WRITE
Elastic Stack Security:
{
  "indices": [
    {
      "names": ["web-service-*"],
      "privileges": ["read", "view_index_metadata", "manage", "write"]
    }
  ]
}

Allowing users to view Web service data

Create a role with the following permissions so that users can see data produced by Web service invocations:

Search Guard Classic:
index_permissions:
  - index_patterns:
      - web-service-*-invocations
    dls: '{"term" : {"invocation.user" : "${user.name}"}}'
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
  - index_patterns:
      - web-service-*
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
Elastic Stack Security:
{
  "indices": [
    {
      "names": ["web-service-*-invocations"],
      "privileges": ["read", "view_index_metadata"],
      "query": {
        "template": {
          "source": {
            "term": {
              "invocation.user": "{{_user.username}}"
            }
          }
        }
      }
    },
    {
      "names": ["web-service-*-results-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

This lets users see information about their own invocations (the document-level security query filters on invocation.user) as well as all result data stored in dedicated indices.

Restricting Web services and profiles

You can restrict which Web services and profiles a user can see and invoke by configuring saved object ACL rules.

Each Web service and profile has an associated saved object, so you can use ACL configuration to hide them or disable them entirely for certain roles.

Restricting data for use with Web services

You can restrict the Web service groups whose data a user can see by granting access through a narrower index pattern.

The format of a result index is as follows:

web-service-<group>-<webService>-results-<resultType>

For example, to allow a user access to data from only the jsonwhois Web service group, grant them the following permissions:

Search Guard Classic:
index_permissions:
  - index_patterns:
      - web-service-jsonwhois-*
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
Elastic Stack Security:
{
  "indices": [
    {
      "names": ["web-service-jsonwhois-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}
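
To check what a pattern such as web-service-jsonwhois-* actually covers before assigning a role, the following added example (not part of the original documentation) evaluates a role in the Elastic Stack Security format against a list of index names. The index names are constructed and the function names are hypothetical; the example assumes that only * is a wildcard and treats an index as unrestricted when any matching entry has no query.

```python
import json
import re

# Role in the page's Elastic Stack Security format: per-user invocation entry + jsonwhois group entry.
ROLE = json.loads("""
{"indices": [
  {"names": ["web-service-*-invocations"],
   "privileges": ["read", "view_index_metadata"],
   "query": {"template": {"source": {"term": {"invocation.user": "{{_user.username}}"}}}}},
  {"names": ["web-service-jsonwhois-*"],
   "privileges": ["read", "view_index_metadata"]}
]}
""")

# Constructed index names (assumption); only the result-index layout comes from the page.
INDICES = [
    "web-service-jsonwhois-lookup-results-record",
    "web-service-jsonwhois-invocations",
    "web-service-jsonwhoisplus-lookup-results-record",
    "web-service-jsonwhois-internal-lookup-results-record",
    "web-service-geo-lookup-results-place",
    "web-service-geo-invocations",
]

def matches(pattern, index):
    """Match an index name against a pattern in which only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def audit(role, indices):
    """Map each readable index to 'dls' (per-user filter) or 'unrestricted'."""
    report = {}
    for index in indices:
        entries = [e for e in role["indices"]
                   if "read" in e["privileges"]
                   and any(matches(p, index) for p in e["names"])]
        if entries:
            # An entry without "query" places no document filter on what it matches.
            restricted = all("query" in e for e in entries)
            report[index] = "dls" if restricted else "unrestricted"
    return report

def invocation_leaks(report):
    """Invocation indices readable without the per-user filter."""
    return sorted(i for i, m in report.items() if i.endswith("-invocations") and m == "unrestricted")

if __name__ == "__main__":
    for index, mode in audit(ROLE, INDICES).items():
        print(f"{mode:12} {index}")
```

If the report lists an invocation index as unrestricted, or covers a group whose name merely starts with jsonwhois-, narrow the group pattern to the result-index format given above, for example web-service-jsonwhois-*-results-*.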