Authorizing users from third party application in Elasticsearch via custom realm


(Sumit Monga) #1

I have a use case where we are using spring-security-oauth as the authentication and authorization mechanism. This same application needs to be used for the same authentication and authorization in Elasticsearch. To achieve this, a custom realm is created and installed as an x-pack extension, which works fine. However, for every user in my spring-security app, I am creating that user in ES and assigning some roles, and these roles are stored in the database used for storing the users. Then, while accessing ES using that user, I am authenticating the user via AccessToken and username and returning the user with its proper roles. However, the third-party app can contain a huge number of users, and I don't want to create a corresponding user in ES for each of them. Is there any mechanism via which, say, a group of users in the third-party app can run as a specific user in ES via some role assignment?


Authentication + Authorization for Elasticsearch without user creation in Elasticsearch
(Sumit Monga) #2

I have solved this problem in the following way :
Suppose you have 4 users: user1, user2, user3, user_es, and these are all stored in the database used for third-party authentication. Now these users are the same in the sense that all of them should be given similar access in ES (some indexes only, and more granular, etc.). Now, instead of creating a user for each of them in ES, only one user can be created in ES and the other users will impersonate it. Let's say we store user_es in ES only. Then, when I want to hit ES with user1, which is authenticated and contains its own access token, the request will contain another header, let's say runas-user, which is the user it wants to impersonate. Then, in the custom realm, we can check whether user1 can impersonate the user it wants to impersonate. If it can, then we can generate an access token for that user and fetch its roles and return that corresponding user for querying ES.
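One way to implement the check described in this answer, as an added example in plain Java. This is not code from the post and not Elasticsearch's realm API (wiring the result into a realm's authenticate method depends on the Elasticsearch version); the header name runas-user is taken from the post, while the token store, the group-to-ES-user mapping, the sample users and the class and method names are constructed assumptions standing in for the third-party application's database.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Header-based impersonation check for a custom realm (added example, not
 * Elasticsearch's own code). The caller presents its own third-party token
 * plus a "runas-user" header naming the ES user it wants to run as; the
 * realm validates the token first, then consults a server-side policy that
 * maps the caller's group to the single ES user that group may impersonate.
 * Every failure path returns empty, i.e. the check fails closed.
 */
public final class ImpersonationCheck {

    /** What the realm hands back: the ES principal to act as and its roles. */
    public record EsUser(String principal, Set<String> roles) {}

    private final Map<String, String> tokenToUser;      // assumption: third-party token store
    private final Map<String, String> userToGroup;      // assumption: third-party group membership
    private final Map<String, String> groupToRunAs;     // assumption: group -> ES user it may impersonate
    private final Map<String, Set<String>> esUserRoles; // assumption: the few users that exist in ES

    public ImpersonationCheck(Map<String, String> tokenToUser,
                              Map<String, String> userToGroup,
                              Map<String, String> groupToRunAs,
                              Map<String, Set<String>> esUserRoles) {
        this.tokenToUser = tokenToUser;
        this.userToGroup = userToGroup;
        this.groupToRunAs = groupToRunAs;
        this.esUserRoles = esUserRoles;
    }

    /** Resolve the ES user for a request, given its HTTP headers; empty means reject. */
    public Optional<EsUser> authenticate(Map<String, String> headers) {
        // 1. Validate the caller's own credential before trusting anything else in the request.
        String auth = headers.get("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) {
            return Optional.empty();
        }
        String caller = tokenToUser.get(auth.substring("Bearer ".length()));
        if (caller == null) {
            return Optional.empty(); // unknown or expired token
        }

        // 2. The caller asks for an ES identity; the request only names it, it never grants it.
        String requested = headers.get("runas-user");
        if (requested == null) {
            return Optional.empty(); // in this design every third-party user runs as an ES user
        }

        // 3. The server-side policy decides which ES user this caller's group may impersonate.
        String allowed = groupToRunAs.get(userToGroup.get(caller));
        if (allowed == null || !allowed.equals(requested)) {
            return Optional.empty(); // caller may not impersonate the requested user
        }

        // 4. Roles come from the ES-side user record, not from the caller.
        Set<String> roles = esUserRoles.get(requested);
        if (roles == null) {
            return Optional.empty(); // policy points at a user that does not exist in ES
        }
        return Optional.of(new EsUser(requested, roles));
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the post: user1..user3 are third-party users,
        // user_es is the only user that exists in Elasticsearch.
        ImpersonationCheck check = new ImpersonationCheck(
            Map.of("tok-user1", "user1", "tok-user2", "user2", "tok-user3", "user3"),
            Map.of("user1", "analysts", "user2", "analysts", "user3", "admins"),
            Map.of("analysts", "user_es"),
            Map.of("user_es", Set.of("logs_reader")));

        Map<String, String> ok = new HashMap<>();
        ok.put("Authorization", "Bearer tok-user1");
        ok.put("runas-user", "user_es");
        System.out.println("user1 -> " + check.authenticate(ok));        // Optional[EsUser[user_es, [logs_reader]]]

        Map<String, String> wrongGroup = new HashMap<>(ok);
        wrongGroup.put("Authorization", "Bearer tok-user3");
        System.out.println("user3 -> " + check.authenticate(wrongGroup)); // Optional.empty (admins have no mapping)

        Map<String, String> badToken = new HashMap<>(ok);
        badToken.put("Authorization", "Bearer forged");
        System.out.println("forged -> " + check.authenticate(badToken));  // Optional.empty
    }
}
```

The order of the checks is the security-relevant part: the caller's token is validated before the runas-user header is read, the allowed target is looked up from the realm's own policy rather than taken from the request, and roles are fetched from the ES-side user record. If the realm instead honored any runas-user value carried by a valid token, every third-party user could pick whichever ES user it liked.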

