I would like to restrict access to a specific indexed field. Here's my scenario:
Just to be clear: in the raw events in Splunk Web, we can see two fields, user and user_hash, with the actual value and the computed secure hash value?
And you want to hide / unhide the actual user value depending on the logged-in user?
Not quite. Only the username is displayed in the raw event. I use INGEST_EVAL at index time to:
Step 1: extract the user field (transforms.conf):
[getusername]
INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")
Step 2: create a field called user_hash which is the md5 hash of the username from step 1 (transforms.conf):
[userhash]
INGEST_EVAL = user_hash = md5(user)
Step 3: replace the occurrence of the username in _raw with the value of user_hash created in step 2 (transforms.conf):
[replaceuserinraw]
INGEST_EVAL = _raw = replace(_raw,user,user_hash)
What I'm left with:
What I need to figure out:
- user_hash field should be available to all users
- user field should only be available to special users with this privilege
Just doing something from my experience
1. The only proper way to restrict permissions is by giving a ROLE access to a specific INDEX. So create a role, assign the specific index it can access, and set capabilities accordingly.
2. Then redirect all your raw data to a "secured index" with ROLES which are very secure. (eg
3. Redirect all your userhash events with another sourcetype to a more generic index which users can access (eg `index=notsosecureindex sourcetype=another_sourcetype`)
Unfortunately, this means double the indexing & data. Another way is to summary-index the specific data you want the "less secure" users to see. You can provide them with just some key fields.
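Putting the INGEST_EVAL steps from the question and the two-index, two-role approach from this answer together, as an added example that is not from either poster: the sourcetypes app_log and app_log_hashed, the indexes secureindex and notsosecureindex, and the role names are assumptions. The clone is taken before the user field exists, so the open index never carries it, and the hashed copy substitutes only the captured username position instead of every regex match of the username in _raw.

```ini
# transforms.conf  (added example; stanza and index names are assumptions)
[clone_for_general]
# second copy of every event under a new sourcetype, taken before any field exists
REGEX = .
CLONE_SOURCETYPE = app_log_hashed

[getusername]
INGEST_EVAL = user = replace(_raw, "^(.*username:)(.*?)(\s.*)$", "\2")

[userhash]
# md5 of a short, guessable username can be matched by a dictionary;
# treat user_hash as a pseudonym for joining, not as a secret
INGEST_EVAL = user_hash = md5(user)

[to_secure_index]
# full event plus the indexed field user go to the restricted index
INGEST_EVAL = index = "secureindex"

[hash_and_route_general]
# clone only: hash straight from _raw (user is never stored), swap the
# captured username position for the hash, route to the open index
INGEST_EVAL = user_hash = md5(replace(_raw, "^(.*username:)(.*?)(\s.*)$", "\2")), _raw = replace(_raw, "^(.*username:)(.*?)(\s.*)$", "\1" . user_hash . "\3"), index = "notsosecureindex"

# props.conf  (TRANSFORMS classes run in ASCII order, so the clone goes first)
[app_log]
TRANSFORMS-00_clone  = clone_for_general
TRANSFORMS-10_fields = getusername, userhash, to_secure_index

[app_log_hashed]
TRANSFORMS-00_hashed = hash_and_route_general

# authorize.conf  (only the privileged role can search the index holding user)
[role_analyst]
importRoles = user
srchIndexesAllowed = notsosecureindex
srchIndexesDefault = notsosecureindex

[role_privileged]
importRoles = analyst
srchIndexesAllowed = secureindex;notsosecureindex
srchIndexesDefault = secureindex;notsosecureindex
```

Both copies keep the same user_hash value, so an analyst and a privileged user can still join results on it without the analyst ever seeing the username.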