Custom Realm only for Authorization

Hello Experts,

I am trying to implement a Custom Realm without Authentication and only for authorisation against AD. Is this possible?

My use case is, I have a Third party authentication system implemented in a webserver which sits before Kibana. The user should use "only" this authentication system to login. On successful login, the username information needs to be extracted from the header (the header will have no details of Password or Groups) and looked up again the AD for the group details which needs to be mapped against Shield roles. I have a bind user and password for querying the AD.

I am using this example : https://github.com/elastic/shield-custom-realm-example

But I am stuck at extracting the token with no password.

Any pointers how to approach this will be very helpful.

Cheers!

Vinoth

With ES/Shield 2.0, we now have the ability to "run as" another user, which is what it seems you might want here. If this is what you want, it's great, because it means you don't need a custom realm.

I'm on my mobile, so I cannot post links to the docs, but I expect it to be fairly straightforward.

Will be great if you can share some links.

The idea is, We dont want to have 2 logins pages when a user tries to access the ELK. We want to have a single sign-on with our "thrid party Idp" and the authorisation should be done with AD(without user password) by extracting username from the http response header which we got from the Idp login.

https://www.elastic.co/guide/en/shield/current/submitting-requests-for-other-users.html

^^ that is the section of the docs that describes how to use the user impersonation feature. I checked, and it doesn't work with the AD realm today, so you will have to configure the LDAP realm to talk to AD to use this feature.

Thanks for the link.

Just to make sure I understood correctly, in this case shields lets every authenticated user to view the data by impersonating an existing user in the realm.

But we have very specific requirement for authorization, where users belonging to certain AD groups should not be allowed to view certain indices.

How can we enforce this? Is this possible with Sheild 2.0?

Shield will still enforce authorization. What happens is:

  1. Search Request (or another request) comes in with authentication and run as information defined in a header
  2. The user making the requested is authenticated
  3. The run as user is "looked up" to see if it can be found by a realm (esusers or LDAP)
  4. The authenticated user undergoes authorization to ensure they are allowed to run as the specified user in the header. This is defined in the roles.yml file. If they are not authorized to run as another user, an authorization exception will occur
  5. The run as user that was looked up undergoes authorization based on their roles to ensure they are allowed to perform request, which in this example is a search request
  6. If the run as user is authorized, the request is executed on their behalf

You will just need to configure roles and role mapping for your users properly so that they only have access to the data they should have access to.

Thanks Jay,

But we are implementing an ELK stack, where the only place the user is allowed to query ElasticSearch is through Kibana.(no head plugin or command-line access)

How can we do the mapping between the "authenticated" user (from a thrid party idP) with the "run as" user in this case?

My understanding for this problem is to

1.Create a AD custom realm.
2. Get the actual username from the response header of the third party IdP
3. Authenticate the custom AD realm with a bind user/password for every request
4. Do a ldapquery and get all the group names the user belongs
5. Map the user & roles credentials to shield.

Is my approach correct?

Any inputs if this can work? Has anybody already done this before?

That sounds like it will work. Kibana should forward the headers with your request to elasticsearch and your custom realm should be able to lookup the user in the header.

Can any one let me know how we can build the custom plugin which skip the authentication part from LDAP.

You could get this effect today, if you use PKI to authenticate your request, and grant the PKI user the appropriate run-as capabilities.

This way, you're making the request from an authorized user, but running the request as a different user.

HI Vinoth,

Were you able to implement this successfully? How did you configure the elasticsearch.url for Kibana in this case?

Hi Chandan,

Yes, I was able to implement this successfully. There is no Special configuration regquired for kibana. I followed this github example https://github.com/elastic/shield-custom-realm-example

Hi Vinoth,

I do not have an AD so can i still go ahead and use ldap for custom realm to interact with?

Is der any way you can share the code here? it will be really helpful.