I am trying to implement a Custom Realm without Authentication and only for authorisation against AD. Is this possible?
My use case is, I have a Third party authentication system implemented in a webserver which sits before Kibana. The user should use "only" this authentication system to login. On successful login, the username information needs to be extracted from the header (the header will have no details of Password or Groups) and looked up against the AD for the group details which need to be mapped against Shield roles. I have a bind user and password for querying the AD.
With ES/Shield 2.0, we now have the ability to "run as" another user, which is what it seems you might want here. If this is what you want, it's great, because it means you don't need a custom realm.
I'm on my mobile, so I cannot post links to the docs, but I expect it to be fairly straightforward.
The idea is, we don't want to have 2 login pages when a user tries to access the ELK. We want to have a single sign-on with our "third party IdP" and the authorisation should be done with AD (without user password) by extracting the username from the HTTP response header which we got from the IdP login.
^^ that is the section of the docs that describes how to use the user impersonation feature. I checked, and it doesn't work with the AD realm today, so you will have to configure the LDAP realm to talk to AD to use this feature.
Just to make sure I understood correctly, in this case Shield lets every authenticated user view the data by impersonating an existing user in the realm.
But we have very specific requirement for authorization, where users belonging to certain AD groups should not be allowed to view certain indices.
How can we enforce this? Is this possible with Shield 2.0?
Shield will still enforce authorization. What happens is:
1. A search request (or another request) comes in with authentication and run as information defined in a header.
2. The user making the request is authenticated.
3. The run as user is "looked up" to see if it can be found by a realm (esusers or LDAP).
4. The authenticated user undergoes authorization to ensure they are allowed to run as the specified user in the header. This is defined in the roles.yml file. If they are not authorized to run as another user, an authorization exception will occur.
5. The run as user that was looked up undergoes authorization based on their roles to ensure they are allowed to perform the request, which in this example is a search request.
6. If the run as user is authorized, the request is executed on their behalf.
You will just need to configure roles and role mapping for your users properly so that they only have access to the data they should have access to.
But we are implementing an ELK stack, where the only place the user is allowed to query ElasticSearch is through Kibana (no head plugin or command-line access).
How can we do the mapping between the "authenticated" user (from a third party IdP) with the "run as" user in this case?
1. Create an AD custom realm.
2. Get the actual username from the response header of the third party IdP.
3. Authenticate the custom AD realm with a bind user/password for every request.
4. Do an LDAP query and get all the group names the user belongs to.
5. Map the user & role credentials to Shield.
Is my approach correct?
Any inputs if this can work? Has anybody already done this before?
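The lookup-and-mapping core of the five steps above, as an added illustration that is not part of this thread and not Shield's realm API (a real custom realm is written in Java against Shield's extension points). It assumes a hypothetical `X-Remote-User` header set by the IdP proxy, a constructed in-memory "directory" standing in for the AD query made with the bind user, and a constructed group-to-role mapping; the filter escaping follows RFC 4515 so a value taken from a header cannot alter the LDAP query.

```python
import re

# Constructed stand-in for the AD lookup: sAMAccountName -> group DNs (memberOf).
# A real realm would run an LDAP search here using the bind user/password.
FAKE_DIRECTORY = {
    "jdoe": ["CN=kibana-readers,OU=Groups,DC=example,DC=com",
             "CN=finance,OU=Groups,DC=example,DC=com"],
    "asmith": ["CN=kibana-readers,OU=Groups,DC=example,DC=com"],
}

# Constructed group DN -> Shield role names (keys lower-cased: DNs compare
# case-insensitively). Role names here are hypothetical.
GROUP_TO_ROLES = {
    "cn=kibana-readers,ou=groups,dc=example,dc=com": ["kibana_user"],
    "cn=finance,ou=groups,dc=example,dc=com": ["finance_logs"],
}

# Only plain account names are accepted from the header; anything else is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def username_from_headers(headers, header_name="X-Remote-User"):
    """Step 2: pull the IdP-asserted username out of the forwarded headers.
    Header names match case-insensitively. Returns None when the header is
    absent or its value is not a simple account name."""
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            value = value.strip()
            return value if USERNAME_RE.match(value) else None
    return None


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(username):
    """Step 4: the search filter the realm would send to AD for this user."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_escape(username)


def lookup_groups(username, directory=FAKE_DIRECTORY):
    """Step 4: group DNs for the user (here from the constructed directory)."""
    return list(directory.get(username, []))


def roles_for_groups(groups, mapping=GROUP_TO_ROLES):
    """Step 5: translate group DNs into Shield role names."""
    roles = set()
    for dn in groups:
        roles.update(mapping.get(dn.lower(), []))
    return sorted(roles)


def authorize(headers):
    """Whole flow: header -> username -> groups -> roles.
    Returns (username, roles) or None when the request must be rejected."""
    user = username_from_headers(headers)
    if user is None:
        return None
    return user, roles_for_groups(lookup_groups(user))


if __name__ == "__main__":
    print(group_filter("jdoe"))
    print(authorize({"X-Remote-User": "jdoe"}))
```

A user who is not found in the mapping comes back with an empty role list, which Shield then denies at authorization time; the proxy in front of Kibana must also strip any incoming `X-Remote-User` (or whichever header is chosen) so that only the IdP can set it.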
That sounds like it will work. Kibana should forward the headers with your request to elasticsearch and your custom realm should be able to look up the user in the header.