Elasticsearch Active Directory Authorization only support


(Himanshu) #1

I wanted to know: is there any way I can configure X-Pack with authorization-only access? That means I should send the username only, and it will authenticate it according to the roles.


User impersonation does not work with Active directory realm
#2

Something like this will do the trick:

curl -H "es-security-runas-user: borisTheBlade" -u es_admin -XGET 'http://localhost:9200/'

es_admin is a user from the native realm, and borisTheBlade is a user from any realm you have configured.

This will use the native user to authenticate into the cluster, but will run the query as borisTheBlade (in theory). borisTheBlade will need their username configured into a role using the run_as attribute (hint: use a wildcard).

Unfortunately there are 100 ways to skin this cat, but the ES documentation around this topic is absolute shit house.
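An added example, not part of the original post or of Elasticsearch's own code: a small audit of which accounts a role's run_as patterns make impersonable, since a wildcard there covers every username, privileged ones included. The role names, the sample role JSON and the sensitive-user list are constructed assumptions, and only simple `*` wildcards are modelled.

```python
import fnmatch
import json

# Constructed sample: role definitions keyed by role name (hypothetical names).
ROLES_JSON = """
{
  "impersonate_any":  {"run_as": ["*"]},
  "impersonate_team": {"run_as": ["boris*", "turkish"]},
  "impersonate_one":  {"run_as": ["borisTheBlade"]},
  "plain_reader":     {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]}
}
"""

# Constructed list of accounts that should never be impersonable.
SENSITIVE_USERS = ["elastic", "es_admin", "borisAdmin"]


def reachable(patterns, users):
    """Return the users matched by any run_as pattern.

    Assumption: patterns use plain * wildcards; regex-style patterns
    are not interpreted here.
    """
    return sorted(u for u in users
                  if any(fnmatch.fnmatchcase(u, p) for p in patterns))


def audit_run_as(roles, sensitive_users):
    """Map each role that grants run_as to its audit findings."""
    findings = {}
    for name, body in roles.items():
        patterns = body.get("run_as") or []
        if not patterns:
            continue  # role grants no impersonation at all
        findings[name] = {
            # a pattern made only of '*' matches every username
            "unrestricted": any(p != "" and p.strip("*") == "" for p in patterns),
            "sensitive_reachable": reachable(patterns, sensitive_users),
        }
    return findings


if __name__ == "__main__":
    for role, result in audit_run_as(json.loads(ROLES_JSON), SENSITIVE_USERS).items():
        print(role, result)
```

Any role reported as unrestricted, or with a non-empty sensitive_reachable list, turns the authenticating account's credentials into credentials for those users as well.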


(Himanshu) #3

Thanks for the reply.

Actually I want to do it through an Active Directory group. The user's username should be checked in that Active Directory list and should be able to query according to the roles defined. I cannot pass the user's password for the authentication (just authorisation).


#4

I'm waiting on a response on using Active Directory in this way too - Run_as coupled with active directory auth

If it helps, I was able to use the LDAP realm to achieve exactly this, but not the AD realm - ES runs the query as the user I authenticate to Active Directory as, ad_user, e.g.

curl -H "es-security-runas-user: borisTheBlade" -u ad_user -XGET 'http://localhost:9200/'

The ES logs indicate that the groups retrieved from AD are those in which the ad_user resides, and not the borisTheBlade user.

And the reason why I need to use the AD realm anyway is because of a deeply nested AD group structure, which the LDAP realm does not support, as per the doc, but AD does.


(Himanshu) #5

No, the runas feature is not working with AD group.


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.