Do Alias Permissions Automatically Grant User Index Permissions

Security
1

I am trying to create “view” like concept on top of an index using aliases. As a part of that approach I want to grant users access to one or more aliases but not the index itself.

possibly something like:
index “aaaa” containing a document:
{ val1: “a”, val2: “b”, val3: “c”}
has three aliases “bbbb”, “cccc” and “dddd”
where bbbb returns a view of the document
{ val2: “b”}

Although I don’t think the above is possible in ODFE unless I resort to complex user level dls and fls rules, from a brief experiment of ODFEs security features in regards to aliases, if I create an alias called “bbbb” on top of an index called “aaaa” and grant user access to only “bbbb” alias - the user appears gain full direct access to “aaaa” index - is this the expected behavior?

2

@im.bob.loucans I’m not sure I understand your use case.
Assuming you have 3 documents in index aaaa, you can create an alias bbbb with filter like so:

POST /_aliases
{
    "actions" : [
        {
            "add" : {
                 "index" : "bbbb",
                 "alias" : "a",
                 "filter" : { "term" : { "val2" : "b" } }
            }
        }
    ]
}

If you then create a user/role that gives only indices:data/read/search permission to index bbbb, user is able to query that alias with simple “GET bbbb/_search” and only get back the one document.

Tested with ODFE 1.13.2

Let me know if I misunderstood your use case.