Hi Everyone,
Active Directory Authentication is enabled in my ELK stack.
Now i want a AD user for eg user= 'John' to see only data for country='US'
how can i achieve that please help.
Regards,
Tausif Khan.
Hi Everyone,
Active Directory Authentication is enabled in my ELK stack.
Now i want a AD user for eg user= 'John' to see only data for country='US'
how can i achieve that please help.
Regards,
Tausif Khan.
You want to read: https://www.elastic.co/guide/en/x-pack/current/field-and-document-access-control.html
I read it but couldn't understand much can i do the same in kibana GUI, under management section ?
I couldn't find in that document related to the query which i asked , could you please help with the query rather then the link.
I don't have a laptop nearby but IIRC the Kibana interface there is this option in user management UI.
May be someone else can give more details
the role query should be very simple:
{"term" : { "country" : "US" }}
And we have two options here:
you have the correct role mapping in the AD realm section:
files:
role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
role_mapping.yml:
role_name:
- "CN=johns_group,dc=corp,dc=org"
OR
unmapped_groups_as_roles: true
to your AD config section and make sure the role name is one of the group the user "John" belongs toWhile unmapped_groups_as_roles
can be useful in a small number of cases, it really should be avoided unless you absolutely need to use it.
The role_mapping.yml
approach is the preferred solution in this case.
Any particular reason, why it should be avoided? From my point of view, it's a very cool feature - all groups can be managed in AD directly, and you don't need to manage one additional mapping file (role_mapping.yml). And nested groups are supported!
The only concern I could imaging - a security issue: if you create the "superuser" group and include your user into it, you'll get full access to the cluster.
Any other pitfalls?..
Could you please assist on your way of approach.
There are security, performance and maintainability impacts that are sometimes a necessary price to pay, but we find that a lot of people turn on unmapped_groups_as_roles
as a trivial convenience - a way to avoid editing a file once or twice - and don't appreciate or consider the impacts on their cluster.
Some of the consequences to consider when using unmapped_groups_as_roles
:
superuser
group in AD, then they get the superuser
role in Elasticsearch, and you can't prevent it.unmapped_groups_as_roles
is enabled, then any new group that matches with an Elasticsearch role will unintentionally change the user's Elasticsearch permissions.unmapped_groups_as_roles
has uses, but it's not completely safe in all cases, so if you're just using it to avoid editing role_mapping.yml
then that's often the wrong trade-off.
Thank you very much for the comprehensive reply, I really appreciate that.
authc
trace-logs.Thanks a lot!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.