I would like to restrict access to a specific indexed field. Here's my scenario:
Just doing something from my experience
1. The only proper way to restrict permissions is by giving a ROLE access to a specific INDEX. So create a role, assign the specific index it can access, and set capabilities accordingly.
2. Then redirect all your raw data to a "secured index" with ROLES which are very secure (eg index=secure_index sourcetype=secure_sourcetype).
3. Redirect all your user_hash events with another sourcetype to a more generic index which users can access (eg index=not_so_secure_index sourcetype=another_sourcetype).
Unfortunately, this means double the indexing & data. Another way is to summary index the specific data you want the "less secure" users to see. You can just provide them with some key fields only.
IMO, the ONLY true way to restrict access is at the "INDEX" level, so the role can access only specific indexes.
Just to be clear: now in the raw events in Splunk Web, we can see 2 fields, user and user_hash, with the actual value and the secure hash computed value?
And you want to hide / unhide the actual user value depending upon the user log in?
Not quite. Only the username is displayed in the raw event. I use INGEST_EVAL at index time to:
Step 1: extract the user field (transforms.conf):
[getusername]
INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")
Step 2: create a field called user_hash which is the md5 hash of the username from step 1 (transforms.conf):
[userhash]
INGEST_EVAL = user_hash = md5(user)
Step 3: replace the occurrence of the username in _raw with the value of user_hash created from step 2 (transforms.conf):
[replaceuserinraw]
INGEST_EVAL = _raw = replace(_raw,user,user_hash)
What I'm left with:
What I need to figure out:
- user_hash field should be available to all users
- user field should only be available to special users with this privilege
But it seems there is no way to restrict access to this user field to special users.
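To make the three INGEST_EVAL steps above concrete, here is an added Python emulation of that index-time pipeline (not Splunk's code and not from the thread); the sample events are constructed, and the "no username" handling and the regex escaping in step 3 are assumptions layered on top of the posted config.

```python
import hashlib
import re

# Constructed sample events; "username:" is the token step 1's regex keys on.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 login ok username:alice src=10.0.0.5",
    "2024-01-01T10:00:01 login ok username:bob.s src=10.0.0.6",
    "2024-01-01T10:00:02 heartbeat from scheduler",  # no username at all
]

USERNAME_RE = re.compile(r"^(.*username:)(.*?)(\s.*)$")


def extract_user(raw: str):
    r"""Step 1: user = replace(_raw, "^(.*username:)(.*?)(\s.*)$", "\2")."""
    m = USERNAME_RE.match(raw)
    return m.group(2) if m else None


def hash_user(user: str) -> str:
    r"""Step 2: user_hash = md5(user). Unsalted, exactly as in the thread's stanza."""
    return hashlib.md5(user.encode()).hexdigest()


def redact_raw(raw: str, user: str, user_hash: str) -> str:
    r"""Step 3: _raw = replace(_raw, user, user_hash).
    Splunk's replace() treats its second argument as a regex, so the username
    is escaped here (an assumption beyond the posted config) to keep a value
    such as 'bob.s' from also matching 'bobXs'."""
    return re.sub(re.escape(user), user_hash, raw)


def ingest(raw: str) -> dict:
    r"""Run the three transforms in order and return the event as it would be stored."""
    user = extract_user(raw)
    if user is None:
        # Assumed handling: keep events with no username untouched rather than
        # passing a null user into step 3.
        return {"_raw": raw, "user": None, "user_hash": None}
    user_hash = hash_user(user)
    return {"_raw": redact_raw(raw, user, user_hash),
            "user": user, "user_hash": user_hash}


def visible_fields(event: dict, privileged: bool) -> dict:
    r"""The per-field visibility the question asks for. Splunk roles cannot
    enforce this on one field; the thread's answer is to route the unredacted
    copy to a separate index that only the privileged role can read."""
    return event if privileged else {k: v for k, v in event.items() if k != "user"}
```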