Hello!
I'm currently evaluating Elastic Stack and I have problems related to REST API authorization. I'm not sure if I'm doing something wrong or if there's a bug in Elasticsearch.
I have set up OIDC SSO successfully (using our custom OIDC standards-compliant IdP) and I'm able to get an access token from the Elasticsearch _security/oidc/authenticate endpoint. When I try to use it to invoke the kibana_sample_data_ecommerce/_search endpoint, I get the following error:
The remote server returned an error: (403) Forbidden.. Call: Status code 403 from: POST /kibana_sample_data_ecommerce/_search?typed_keys=true. ServerError: Type: security_exception Reason: "action [indices:data/read/search] is unauthorized for user [admin]"
So it seems that I can authenticate, but authorization fails.
The authenticated user is "admin", as the error message says.
The user has access to the kibana_sample_data_ecommerce index because I can log in to Kibana as that user and successfully query data using Kibana Dev Tools.
The NEST library is used for the search query.
The access token is provided in the Authorization header as a Bearer token.
The data is from the Kibana eCommerce sample data.
Our IdP returns a profile claim whose value I use to assign roles to the authenticated user. The role mapping looks like this:
    PUT /_security/role_mapping/testrole
    {
      "roles": [ "kibana_user", "testrole" ],
      "enabled": true,
      "rules": {
        "all": [
          { "field": { "realm.name": "oidc1" } },
          { "field": { "groups": "testrole" } }
        ]
      }
    }
elasticsearch.yml has the following configuration:
    xpack.security.authc.realms.oidc.oidc1:
      order: 2
      ...
      rp.requested_scopes: "openid profile email"
      ...
      claims.principal: preferred_username
      claims.mail: email
      claims.groups: profile
And the actual "testrole" role has the kibana_sample_data_ecommerce index with "read" and "view_index_metadata" privileges.
Code part using NEST (C#):
    using System;
    using System.Collections.Specialized;
    using Nest;

    // elasticOidcAuthenticateResponse holds the reply from _security/oidc/authenticate;
    // its access token is sent on every request as a Bearer token.
    var settings = new ConnectionSettings(new Uri("http://localhost:9200"))
        .GlobalHeaders(new NameValueCollection
        {
            { "Authorization", $"Bearer {elasticOidcAuthenticateResponse.AccessToken}" }
        })
        .DefaultIndex("kibana_sample_data_ecommerce");
    var elasticClient = new ElasticClient(settings);

    // BUG: This fails because of the following error.
    // The remote server returned an error: (403) Forbidden...
    var elasticSearchResponse = elasticClient.Search<dynamic>();
Any ideas what could be wrong?
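One way to check whether a role mapping like the one above can ever match the user the realm builds is to evaluate its rules offline against the user attributes the OIDC realm would produce. The following is an added example (not the poster's code and not Elasticsearch's own implementation): a small re-implementation of the role-mapping rule DSL (`all`, `any`, `except`, `field`) run against two constructed users, one whose `groups` really is `testrole` and one whose `claims.groups` was filled from a `profile` claim that carries a URL, which is a common shape for that claim. Wildcard patterns in `field` values are not implemented here.

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example, simplified)."""
from typing import Any, Dict, List

# Constructed: same shape as the PUT /_security/role_mapping/testrole body in the question.
ROLE_MAPPING = {
    "roles": ["kibana_user", "testrole"],
    "enabled": True,
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "testrole"}},
    ]},
}

# Constructed users, shaped like what GET /_security/_authenticate reports
# (username, realm name, groups). Only the 'groups' value differs.
USER_GROUP_OK = {"username": "admin", "realm": {"name": "oidc1"}, "groups": ["testrole"]}
USER_PROFILE_URL = {"username": "admin", "realm": {"name": "oidc1"},
                    "groups": ["https://idp.example/profile/admin"]}  # placeholder URL

def _lookup(user: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field such as 'realm.name'; a missing path yields None."""
    node: Any = user
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _field_matches(user: Dict[str, Any], spec: Dict[str, Any]) -> bool:
    """A field rule matches when any user value equals any rule value (string or list on either side)."""
    for name, wanted in spec.items():
        actual, wanted = _lookup(user, name), wanted
        actual_list = actual if isinstance(actual, list) else [actual]
        wanted_list = wanted if isinstance(wanted, list) else [wanted]
        if not any(a == w for a in actual_list for w in wanted_list):
            return False
    return True

def evaluate_rule(user: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """Recursively evaluate one rule object, which always has exactly one key."""
    (kind, body), = rule.items()
    if kind == "all":
        return all(evaluate_rule(user, r) for r in body)
    if kind == "any":
        return any(evaluate_rule(user, r) for r in body)
    if kind == "except":
        return not evaluate_rule(user, body)
    if kind == "field":
        return _field_matches(user, body)
    raise ValueError(f"unknown rule type: {kind}")

def mapped_roles(user: Dict[str, Any], mapping: Dict[str, Any] = ROLE_MAPPING) -> List[str]:
    """Roles the mapping grants to this user; an empty list means no match (and no privileges)."""
    if not mapping.get("enabled", True):
        return []
    return list(mapping["roles"]) if evaluate_rule(user, mapping["rules"]) else []
```

The same comparison can be done against a live cluster by calling GET /_security/_authenticate with the Bearer token and reading the `roles` and `metadata` it reports for the user.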