hi All,
I'm wondering if it is somehow possible to protect the internal (native) ES roles from being compromised by a "bad" AD admin, who could create an external (AD, LDAP) group "superuser" and add its own account to that group. As the result - full access to the ES cluster.
Again: supposed that an active_directory realm is configured with:
unmapped_groups_as_roles: true
Thanks!
I think that if you want to protect against this scenario, you should not use unmapped_groups_as_roles.
sigh... it'd be so cool to use an AD to manage ES groups as well, e.g. by implementing a group_blacklist parameter (with regex support ;))
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.