Configure permissions to AD groups in Elasticsearch

Hey, I would like to ask about a few things that I couldn't find in the documentation (or maybe I missed it?).
Some background on my system: I'm currently running an Elasticsearch cluster on Docker containers with trial mode on.
In the future we are looking at the gold subscription (or maybe the platinum if we'll need replication) for the AD authentication but for now we are experimenting with the trial.
I'm using Active Directory Realm configured as such (redacted sensitive information):

```yaml
cluster.name: "elastic-cluster"
network.host: 0.0.0.0
xpack:
  security:
    enabled: true
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: <domainname>
            url: ldap://<domainname>:389
```

Questions:

  1. How can I add a new AD group and assign a role to it through the Kibana UI? Is it possible, or must it be done through the role_mapping.yml file?
  2. Can I create a new role and export it to .yml format? Let's say I created a role in the Kibana UI which has the needed permissions for a group; can I export this role to the .yml file format for automation purposes (so I can just add it to the file when I'm creating a new Elasticsearch cluster)?
  3. How can I see which AD groups get which role? I.e. I gave 4 groups the role of 'kibana_user' through the role_mapping file. Can I see in the UI which groups have that role?

Thanks a lot,
Yehonatan.

There isn't a UI for this in current Kibana releases, but there is work in progress to add one.

We strongly recommend the Role Mapping API rather than files. It has more features and ensures consistency across your whole cluster.

No, there is no builtin function to move a role from the API into files.

You can use the API to extract the role in YAML format by passing the Accept: application/yaml header, but you may need to make minor tweaks to the format in order to add it to the file.

I understand the motivation of finding it easier to automate file copies, but we do not recommend this. The file format is intended as a safety mechanism for events like having a node that is disconnected from the cluster - it is not intended to support every piece of functionality that the Roles API has.
Even with automation, we recommend using the APIs to create roles.

You cannot. If you are using the role mapping file, then it is simple to determine that for yourself - it's just a list that you can read.
If using the API, then the rule syntax is rich enough (and may depend on metadata other than groups) that it is only possible to test which roles a specific user has (by applying the role to their user data).
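As an added example (not part of this thread, and not Elastic's own code), the following Python builds Role Mapping API bodies for AD groups and answers question 3 offline by walking a GET /_security/role_mapping response to list the group DNs each mapping references for a given role. The group DNs and mapping names are constructed placeholders; as Tim notes, a rule can depend on more than groups, so a listed DN is "referenced", not guaranteed to be granted.

```python
from typing import Any

def ad_group_mapping(roles: list[str], group_dns: list[str], enabled: bool = True) -> dict[str, Any]:
    """Body for PUT /_security/role_mapping/<name>: grant `roles` to members of any listed AD group."""
    if len(group_dns) == 1:
        rules: dict[str, Any] = {"field": {"groups": group_dns[0]}}
    else:
        rules = {"any": [{"field": {"groups": dn}} for dn in group_dns]}
    return {"roles": roles, "enabled": enabled, "rules": rules}

def yaml_export_request(base_url: str, role_name: str) -> tuple[str, dict[str, str]]:
    """URL and header to fetch a role as YAML via the Accept header, as described in the answer above."""
    return f"{base_url}/_security/role/{role_name}", {"Accept": "application/yaml"}

def _group_dns_in_rule(rule: dict[str, Any]) -> set[str]:
    """Collect group DNs referenced by a (possibly nested) rule.
    Groups under an `except` clause are deliberately skipped: they exclude, not grant."""
    found: set[str] = set()
    if "field" in rule:
        groups = rule["field"].get("groups", [])
        found.update([groups] if isinstance(groups, str) else groups)
    for key in ("any", "all"):
        for sub in rule.get(key, []):
            found |= _group_dns_in_rule(sub)
    return found

def groups_with_role(mappings: dict[str, dict[str, Any]], role: str) -> dict[str, set[str]]:
    """From a GET /_security/role_mapping response, return mapping-name -> group DNs
    for every enabled mapping that includes `role`."""
    return {name: _group_dns_in_rule(m.get("rules", {}))
            for name, m in mappings.items()
            if m.get("enabled", True) and role in m.get("roles", [])}

# Constructed sample of what GET /_security/role_mapping could return for three mappings.
SAMPLE_MAPPINGS: dict[str, dict[str, Any]] = {
    "kibana_analysts": ad_group_mapping(["kibana_user"], [
        "cn=analysts,ou=groups,dc=example,dc=com", "cn=soc,ou=groups,dc=example,dc=com"]),
    "kibana_admins": ad_group_mapping(["kibana_user", "superuser"], [
        "cn=admins,ou=groups,dc=example,dc=com"]),
    "legacy_disabled": ad_group_mapping(["kibana_user"], [
        "cn=legacy,ou=groups,dc=example,dc=com"], enabled=False),
}

if __name__ == "__main__":
    for name, dns in groups_with_role(SAMPLE_MAPPINGS, "kibana_user").items():
        print(name, sorted(dns))
    print(yaml_export_request("https://elastic.example:9200", "kibana_user"))
```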

Hey Tim,
Thank you for your answer.
As a follow-up question:
I couldn't find in the wiki the list of what privileges I can give on a specific resource (such as an index), i.e. what do the write/read privileges allow someone to do?
