
ACL Examples

egaumer edited this page Mar 13, 2013 · 2 revisions


Example READ Access

This example demonstrates how OAuth and ACL support work together to provide secure API access. In this example, user2 is a valid system user but initially has no READ access to the twitter index. The user is able to generate an OAuth token but is not granted access to read any data from the twitter index.

The admin user (via OAuth) grants READ access to user2 for the twitter index, allowing user2 to retry their request which ultimately succeeds.

Step 1 - Generate Access Token

In this step, user2 uses their credentials to generate a valid OAuth token.

# Request
curl -u user2:456 'http://localhost:2600/oauth/token' -d grant_type=client_credentials

# Response
{
  "access_token":"7ad593a1-cc63-4c3b-a47c-64c5ccb6775e",
  "token_type":"bearer",
  "expires_in":43199,
  "scope":"read write"
}

Step 2 - Attempt to Access twitter Index

Using the access token from step 1, user2 now tries to retrieve a document from the twitter index. Access is denied because they don't have READ access to this index.

# Request
curl -H 'Authorization: bearer 7ad593a1-cc63-4c3b-a47c-64c5ccb6775e' http://localhost:2600/v1/twitter/tweet/1

# Response
{
  "error":"access_denied",
  "error_description":"Access is denied"
}

Step 3 - Generate Admin Access Token

The admin user uses their own credentials to generate an OAuth token.

# Request
curl -u admin:admin 'http://localhost:2600/oauth/token' -d grant_type=client_credentials

# Response
{
  "access_token":"ea52b9b2-db8c-4295-a32f-2ac066148f90",
  "token_type":"bearer",
  "expires_in":43200,
  "scope":"read write"
}

Step 4 - Grant Access

Using the token from step 3, the admin user grants user2 READ access to twitter.

# Request (line continuations added so the command can be pasted as-is)
curl -H 'content-type: application/json' \
     -H 'Authorization: bearer ea52b9b2-db8c-4295-a32f-2ac066148f90' \
     -XPUT http://localhost:2600/v1/twitter/_grant -d '{
  "user":"user2",
  "perm":"READ"
}'

Step 5 - Reattempt to Access twitter Index

With proper access granted, user2 is now able to view documents from the twitter index.

# Request
curl -H 'Authorization: bearer 7ad593a1-cc63-4c3b-a47c-64c5ccb6775e' http://localhost:2600/v1/twitter/tweet/1

# Response
{
  "_index":"twitter",
  "_type":"tweet",
  "_id":"1",
  "_version":1,
  "exists":true, 
  "_source" : {
    "tags": [], 
    "text": "RT @AnthonyDurante: Why First Round Capital funded a lawsuit http://t.co/qOesRjnk", 
    "user": "LVTech", 
    "date": "2012-12-06T04:52:14", 
    "mentions": ["AnthonyDurante"]
  }
}
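The five steps above, scripted end to end as an added example (this is not the project's own code): it assumes the base URL http://localhost:2600, the user2:456 and admin:admin credentials shown on this page, and the JSON response shapes shown above, which it parses with sed and case patterns rather than a JSON tool.

```shell
#!/bin/sh
# Hypothetical helper (not the project's own code): automates the five-step
# grant flow against an assumed BASE URL, e.g. BASE=http://localhost:2600.
# JSON parsing assumes the response shapes shown on this page.
BASE="${BASE:-http://localhost:2600}"

# Pull access_token out of an /oauth/token response body.
extract_token() {
  printf '%s\n' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Steps 1 and 3: client_credentials token for USER PASS; prints the token.
get_token() {
  extract_token "$(curl -s -u "$1:$2" "$BASE/oauth/token" -d grant_type=client_credentials)"
}

# Body for PUT /v1/<index>/_grant: USER PERM.
grant_body() {
  printf '{"user":"%s","perm":"%s"}' "$1" "$2"
}

# Step 4: ADMIN_TOKEN INDEX USER PERM.
grant_perm() {
  curl -s -H 'content-type: application/json' -H "Authorization: bearer $1" \
       -XPUT "$BASE/v1/$2/_grant" -d "$(grant_body "$3" "$4")"
}

# Steps 2 and 5: TOKEN INDEX TYPE ID; prints the raw response body.
get_doc() {
  curl -s -H "Authorization: bearer $1" "$BASE/v1/$2/$3/$4"
}

# Classify a get_doc response as denied / ok / unknown.
classify() {
  case "$1" in
    *'"error":"access_denied"'*) echo denied ;;
    *'"exists":true'*)           echo ok ;;
    *)                           echo unknown ;;
  esac
}

# Reproduce the page's flow: denied before the grant, ok after it.
run_flow() {
  user_tok=$(get_token user2 456)
  echo "before grant: $(classify "$(get_doc "$user_tok" twitter tweet 1)")"
  admin_tok=$(get_token admin admin)
  grant_perm "$admin_tok" twitter user2 READ >/dev/null
  echo "after grant:  $(classify "$(get_doc "$user_tok" twitter tweet 1)")"
}

# Only talk to the server when explicitly asked: sh acl_flow.sh run
if [ "${1:-}" = run ]; then run_flow; fi
```

Run it with `sh acl_flow.sh run` against a live instance; without the `run` argument it only defines the functions, so it can be sourced from other scripts.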
