@mbarretta
Last active August 27, 2024 23:33
ABAC Test Scenario - Elastic X-Pack 6.1
#!/bin/bash
# ABAC test scenario for Elastic X-Pack 6.1: document-level security driven by
# user metadata (clearance level, program membership, certification date).
# NOTE: This script has a dependency on python3 for parsing the search responses.
ES_URL=http://localhost:9200
ES_USER=elastic
ES_PASS=changeme
# The role query only admits users certified within the last year, so the
# "current" certification date is computed at run time instead of hard-coded;
# the stale date is fixed so that James Brown always fails the check.
CERT_CURRENT=$(date +%Y-%m-%dT00:00:00)
CERT_STALE="2020-01-02T00:00:00"
##################
JSON_CONTENT_TYPE="-H Content-Type:application/json"
echo -e "Create index\n"
# 6.x mappings are keyed by type name (_doc, matching the document URLs below);
# on 7.x, where mappings are typeless, drop the "_doc" level.
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test -d '{
"settings": {
"index": {
"number_of_replicas": 0,
"number_of_shards": 1
}
},
"mappings": {
"_doc": {
"properties": {
"security_attributes": {
"properties": {
"level": {"type":"short"},
"programs": {"type":"keyword"},
"min_programs": {"type":"short"}
}
},
"body":{"type":"text"}
}
}
}
}'
echo -e "\n\nIngest documents:\n"
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test/_doc/1 -d '{
"security_attributes": {
"level": 2,
"programs": ["alpha", "beta"],
"min_programs": 2
},
"body": "This document contains information that should only be visible to those at level 2 or higher, with access to both the alpha and beta programs"
}'
echo
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test/_doc/2 -d '{
"security_attributes": {
"level": 2,
"programs": ["alpha", "beta", "charlie"],
"min_programs": 3
},
"body": "This document contains information that should only be visible to those at level 2 or higher, with access to the alpha, beta, and charlie programs"
}'
echo
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/abac-test/_doc/3 -d '{
"security_attributes": {
"level": 3,
"programs": ["charlie"],
"min_programs": 1
},
"body": "This document contains information that should only be visible to those at level 3 or higher, with access to the charlie program"
}'
echo
# Make the freshly indexed documents searchable before the tests run, instead
# of relying on the default refresh interval having elapsed.
curl -XPOST -u $ES_USER:$ES_PASS $ES_URL/abac-test/_refresh
echo -e "\n\nAdd roles and users:\n"
# The role query is a Mustache template rendered per user from _user.metadata:
#  - range:     the document's level must not exceed the user's level
#  - terms_set: at least min_programs of the user's programs must appear in the document's programs
#  - script:    the user's certification_date must be no more than one year old
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/role/my_policy -d '{
"indices": [
{
"names": ["abac-test"],
"privileges": ["read"],
"query": {
"template": {
"source": "{\"bool\": {\"filter\": [{\"range\": {\"security_attributes.level\": {\"lte\": \"{{_user.metadata.level}}\"}}},{\"terms_set\": {\"security_attributes.programs\": {\"terms\": {{#toJson}}_user.metadata.programs{{/toJson}},\"minimum_should_match_field\": \"security_attributes.min_programs\"}}}, {\"script\": {\"script\": {\"inline\": \"!LocalDateTime.ofInstant(Calendar.getInstance().toInstant(), ZoneId.systemDefault()).isAfter(LocalDateTime.parse('\''{{_user.metadata.certification_date}}'\'').plusYears(1))\"}}}]}}"
}
}
}]
}'
echo
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/jack_black -d '{
"username": "jack_black",
"password": "testtest",
"roles": ["my_policy"],
"full_name": "Jack Black",
"email": "[email protected]",
"metadata": {
"programs": ["alpha", "beta"],
"level": 2,
"certification_date": "'"$CERT_CURRENT"'"
}
}'
echo
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/barry_white -d '{
"username": "barry_white",
"password": "testtest",
"roles": ["my_policy"],
"full_name": "Barry White",
"email": "[email protected]",
"metadata": {
"programs": ["alpha", "beta", "charlie"],
"level": 2,
"certification_date": "'"$CERT_CURRENT"'"
}
}'
echo
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/earl_grey -d '{
"username": "earl_grey",
"password": "testtest",
"roles": ["my_policy"],
"full_name": "Earl Grey",
"email": "[email protected]",
"metadata": {
"programs": ["charlie"],
"level": 3,
"certification_date": "'"$CERT_CURRENT"'"
}
}'
echo
curl -XPUT -u $ES_USER:$ES_PASS $JSON_CONTENT_TYPE $ES_URL/_xpack/security/user/james_brown -d '{
"username": "james_brown",
"password": "testtest",
"roles": ["my_policy"],
"full_name": "James Brown",
"email": "[email protected]",
"metadata": {
"programs": ["alpha", "beta", "charlie"],
"level": 5,
"certification_date": "'"$CERT_STALE"'"
}
}'
# Print the IDs of the documents the given user is allowed to see
visible_ids() {
  curl -s $JSON_CONTENT_TYPE -u "$1:testtest" "$ES_URL/abac-test/_search" \
    | python3 -c "import sys,json;print(json.dumps([h['_id'] for h in json.load(sys.stdin)['hits']['hits']]))"
}
echo -e "\n\nRun tests:"
echo -e "\nJack Black: expect IDs = [1]"
visible_ids jack_black
echo -e "\nBarry White: expect IDs = [1,2]"
visible_ids barry_white
echo -e "\nEarl Grey: expect IDs = [3]"
visible_ids earl_grey
# we don't expect any results for James Brown because his certification date is over one year old
echo -e "\nJames Brown: expect IDs = []"
visible_ids james_brown
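As an added example that is not part of the gist, the three clauses of the role query (range on level, terms_set on programs against min_programs, and the one-year certification window) evaluated offline in Python over constructed copies of the script's three documents and four users. It lets the expected ID lists be checked without a cluster, and "now" is passed in explicitly so the certification check is deterministic; the function and variable names are this example's own.

```python
"""Offline evaluation of the ABAC policy encoded in the role query above."""
from datetime import datetime
import json

# Constructed copies of the three documents the script indexes.
DOCS = {
    "1": {"level": 2, "programs": ["alpha", "beta"], "min_programs": 2},
    "2": {"level": 2, "programs": ["alpha", "beta", "charlie"], "min_programs": 3},
    "3": {"level": 3, "programs": ["charlie"], "min_programs": 1},
}

# Constructed copies of the four users' metadata (the dates are the script's originals).
USERS = {
    "jack_black": {"programs": ["alpha", "beta"], "level": 2,
                   "certification_date": "2021-01-02T00:00:00"},
    "barry_white": {"programs": ["alpha", "beta", "charlie"], "level": 2,
                    "certification_date": "2021-01-02T00:00:00"},
    "earl_grey": {"programs": ["charlie"], "level": 3,
                  "certification_date": "2021-01-02T00:00:00"},
    "james_brown": {"programs": ["alpha", "beta", "charlie"], "level": 5,
                    "certification_date": "2020-01-02T00:00:00"},
}


def clears_level(doc, user):
    # range filter: security_attributes.level <= _user.metadata.level
    return doc["level"] <= user["level"]


def clears_programs(doc, user):
    # terms_set filter: the number of the user's programs found in the document's
    # programs field must reach the document's own min_programs value
    matched = len(set(doc["programs"]) & set(user["programs"]))
    return matched >= doc["min_programs"]


def plus_years(when, years):
    # Mirrors LocalDateTime.plusYears, which clamps 29 Feb to 28 Feb
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def certification_current(user, now):
    # script filter: !now.isAfter(certification_date.plusYears(1))
    certified = datetime.fromisoformat(user["certification_date"])
    return not now > plus_years(certified, 1)


def visible_ids(user, now):
    """Document IDs the role query would let this user read at time `now`."""
    return sorted(
        doc_id
        for doc_id, doc in DOCS.items()
        if clears_level(doc, user)
        and clears_programs(doc, user)
        and certification_current(user, now)
    )


def run_scenario(now_iso):
    """Evaluate every user at the given ISO timestamp; returns {user: [ids]}."""
    now = datetime.fromisoformat(now_iso)
    return {name: visible_ids(user, now) for name, user in USERS.items()}


if __name__ == "__main__":
    # Pinned so the output matches the script's expectations regardless of today's date
    for name, ids in run_scenario("2021-06-01T00:00:00").items():
        print(name, json.dumps(ids))
```

Running it at a later date, for example "2023-01-01T00:00:00", returns an empty list for every user, which is the behaviour a hard-coded certification date in the script produces once a year has passed.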
@mbarretta
Author

@Dinakar4323
The example was for v6.x. In 7.x the API changed as types continued their deprecation schedule.

I updated the gist to swap _doc for doc, though I haven't tried the rest out in v7.x to see if anything else changed.
