External "superuser" role with enabled unmapped_groups_as_roles

hi All,

I'm wondering if it is somehow possible to protect the internal (native) ES roles from being compromised by a "bad" AD admin, who could create an external (AD, LDAP) group "superuser" and add its own account to that group. As the result - full access to the ES cluster.

Again: supposed that an active_directory realm is configured with:

unmapped_groups_as_roles: true


I think that if you want to protect against this scenario, you should not use unmapped_groups_as_roles.

sigh... it'd be so cool to use an AD to manage ES groups as well, e.g. by implementing a group_blacklist parameter (with regex support ;))

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.