Dynamic role mapping of OIDC Realm ID value to Realm ID field value in document

Hello,

Looking for some suggestions regarding dynamic role mapping between the Realm ID value returned in an OIDC token claim and the Realm ID field value in a document.

I could not find much documentation about it. Is it possible to implement dynamic role mapping in Elasticsearch for this?
For example, when someone logs into Kibana and the returned token claim metadata contains a specific Realm ID, that person should be able to see documents containing only the corresponding Realm ID value.

I have achieved it by creating a static role / role mapping with a specific Realm ID provided, but is it possible to make it dynamic?

Maybe, depending on how closely the two values line up.

There's no easy way to have a translation table, so if your OIDC claim is something like "org-12345" but your docs contain "/ORG/ENG/12345" then it's going to be tricky.

However, if they're an exact match then it sounds like you want templated DLS queries - I assume when you say "Documents containing only the corresponding Realm ID value" that you mean the docs themselves contain the value, and we're not talking about the name of the index, or anything like that.

Hello @TimV,
Thank you for your reply.

What I am trying to achieve is: dynamically map the realm id value that is available in the token claim to the realm id value in the document. For example, when a user logs into Kibana he/she is able to see only data (documents) containing that specific realm id.

Currently I have configured a role and role mapping as in the examples below. I want to understand how it could be done automatically - more like one generic role and role mapping, without the need to create many roles and role mappings with static values.

Role

PUT /_security/role/example-user
{
  "indices": [
    {
      "names": ["filebeat-*"],
      "privileges": ["read"],
      "field_security": {
         "grant": ["*"],
         "query": {"term":{"labels.example-realm-id":"1234-abcd-1234-abcd"}}
      }
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": ["feature_discover.read"],
      "resources": ["space:example-space"]
    }
  ],
  "metadata": {
    "description": "Some description"
  }
}

and role mapping

PUT /_security/role_mapping/example-user-mapping
{
  "roles": ["example-user"],
  "enabled": true,
  "rules": {
    "all": [
      {
        "field": {
          "realm.name": "oidc10"
        }
      },
      {
        "field": {
          "metadata.oidc(example_realm_id)": "1234-abcd-1234-abcd"
        }
      }
    ]
  },
  "metadata": {
    "description": "Some description"
  }
}

Also tried to replace
"query": {"term":{"labels.example-realm-id":"1234-abcd-1234-abcd"}}
with
"query": {"term":{"labels.example-realm-id":"{{_user.metadata.oidc(example_realm_id)}}"}}
but it did not work and I am not sure why (or what is missing there).

Is there any solution to achieve dynamic mapping between the realm_id from the token claim and the value in the document?

That's not a valid role - query is not part of field_security.

And I provided the answer above:

it sounds like you want templated DLS queries

Did you put it inside a template as shown in the docs that I linked to?
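As an added example (not code from the thread, Elastic's docs, or either participant), this is how the two pieces above fit together: the `term` query moves out of `field_security` and into `indices[].query.template.source`, where the Mustache variable is rendered per user at search time, and the role mapping is keyed on the realm only, so one role and one mapping serve every realm id. It assumes the user metadata key `oidc(example_realm_id)` from the thread is populated by the `oidc10` realm, and that Mustache resolves a dotted name whose last segment contains parentheses (the `metadata.description` fields record these assumptions).

```json
PUT /_security/role/example-user-templated
{
  "indices": [
    {
      "names": ["filebeat-*"],
      "privileges": ["read"],
      "query": {
        "template": {
          "source": {
            "term": {
              "labels.example-realm-id": "{{_user.metadata.oidc(example_realm_id)}}"
            }
          }
        }
      }
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": ["feature_discover.read"],
      "resources": ["space:example-space"]
    }
  ],
  "metadata": {
    "description": "Added example: DLS template resolved from _user.metadata at search time; assumes the oidc(example_realm_id) metadata key exists"
  }
}

PUT /_security/role_mapping/example-user-templated-mapping
{
  "roles": ["example-user-templated"],
  "enabled": true,
  "rules": {
    "field": { "realm.name": "oidc10" }
  },
  "metadata": {
    "description": "Added example: one mapping for all oidc10 users; the per-user realm id is enforced by the role's templated query, not by this mapping"
  }
}
```

Before relying on it, log in as a test user and call `GET /_security/_authenticate` to confirm `metadata.oidc(example_realm_id)` is present; if the claim is missing the variable renders empty and the `term` query matches nothing, so the user sees no documents rather than everything.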