Authentication + Authorization for Elasticsearch without user creation in Elasticsearch

(Sumit Monga) #1

Hello everyone,
There is this usecase where there is a banking application and we are storing some transaction records in ES as a secondary store. We would like to use the same application (OAuth based application with spring-security) which we are using for user authentication and authorization in the main application for similar purpose in ES and Kibana. For this ,a custom realm is implemented and installed as an extension in X-Pack. I asked a question here Single Application Authentication + Authorization . I answered it myself and approach I took was to do user impersonation . Some users are created in both the database used for security application and ES while others are stored only in the security application. The other users then impersonate the users which are stored in both places. However this is not acceptable by the banking team side as they want to configure users at one place only and not configure users in ES as well. Is there any approach for achieving this without configuring users in ES but by just using roles assignment or something like that ?

(Jay Modi) #2

Hi @sumit_monga,

Since you are using a custom realm, do you have a subscription with us (elastic) or are you still in a trial? I think this type of question is something you could raise through support and get help with.

If you have a custom realm, there is no need to configure users in ES. You can pass the information about the user in a header and construct the user in your realm with the appropriate role names.

(Sumit Monga) #3

I am evaluating X-Pack for its security and watch features. Once the comparison is done, then maybe we will purchase a license for the same.

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.