Is this an issue with AD?

I set up Elasticsearch 7.15 using Windows AD to verify accounts, and mapped an AD group to the xinc_user role, and it is working,
but now I have met a problem and am not sure if it is an issue.

  1. Log in with an AD account via Kibana
  2. Check the account privileges; I found this account belongs to two roles:
GET /_security/_authenticate
{
  "username" : "elastic-test",
  "roles" : [
    "xinc_user",
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "ldap_dn" : "CN=elastic-test,CN=Users,DC=xinc,DC=lan",
    "ldap_groups" : [
      "CN=Domain Users,CN=Users,DC=xinc,DC=lan",
      "CN=Users,CN=Builtin,DC=xinc,DC=lan",
      "CN=sod,CN=Users,DC=xinc,DC=lan"
    ]
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "my_ad",
    "type" : "active_directory"
  },
  "lookup_realm" : {
    "name" : "my_ad",
    "type" : "active_directory"
  },
  "authentication_type" : "realm"
}

I wonder why this account has two roles, xinc_user and superuser.

My questions:

  1. How do I remove the superuser role from this account? I searched many documents, but found no help.
  2. Before, I set the xinc_user role to have all cluster privileges, but later I removed all privileges from this role, and it seemed not to work; Elasticsearch did not refresh this account's role after I removed all the cluster privileges.

That depends on why this user has the superuser role.

  1. What do your role mappings look like?
  2. Are you using anonymous access?

  1. Check the role mapping in 'dev tool' with Kibana
    get /_security/role_mapping
{
  "basic_users" : {
    "enabled" : true,
    "roles" : [
      "xinc_user"
    ],
    "rules" : {
      "any" : [
        {
          "field" : {
            "groups" : "CN=sod,CN=Users,DC=xinc,DC=lan"
          }
        }
      ]
    },
    "metadata" : { }
  }
}
  2. I don't know what you mean
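
An added example, not part of any post in this thread: a simplified Python evaluator for the role mapping rules, run against the two API responses quoted above, to show which of the reported roles the mappings account for. The function names are hypothetical, and the rule matching (case-insensitive `*` wildcards only) is a simplification of what Elasticsearch does.

```python
import fnmatch

# Constructed from the thread's _authenticate and role_mapping responses.
AUTHENTICATE = {
    "username": "elastic-test",
    "roles": ["xinc_user", "superuser"],
    "metadata": {
        "ldap_dn": "CN=elastic-test,CN=Users,DC=xinc,DC=lan",
        "ldap_groups": [
            "CN=Domain Users,CN=Users,DC=xinc,DC=lan",
            "CN=Users,CN=Builtin,DC=xinc,DC=lan",
            "CN=sod,CN=Users,DC=xinc,DC=lan",
        ],
    },
}
ROLE_MAPPINGS = {
    "basic_users": {
        "enabled": True,
        "roles": ["xinc_user"],
        "rules": {"any": [{"field": {"groups": "CN=sod,CN=Users,DC=xinc,DC=lan"}}]},
    }
}

def user_fields(auth):
    """Fields a mapping rule can test, taken from the _authenticate response."""
    meta = auth.get("metadata", {})
    return {"username": auth["username"], "dn": meta.get("ldap_dn"),
            "groups": meta.get("ldap_groups", [])}

def matches(rule, fields):
    """Simplified evaluation of any / all / except / field rules (* wildcard)."""
    if "any" in rule:
        return any(matches(r, fields) for r in rule["any"])
    if "all" in rule:
        return all(matches(r, fields) for r in rule["all"])
    if "except" in rule:
        return not matches(rule["except"], fields)
    (name, wanted), = rule["field"].items()
    have = fields.get(name)
    have = have if isinstance(have, list) else [have]
    wanted = wanted if isinstance(wanted, list) else [wanted]
    return any(isinstance(h, str) and fnmatch.fnmatchcase(h.lower(), str(w).lower())
               for h in have for w in wanted)

def explain_roles(auth, mappings):
    """Return (roles explained by these mappings, roles they do not explain)."""
    fields = user_fields(auth)
    mapped = {r for m in mappings.values() if m.get("enabled", True)
              and matches(m["rules"], fields) for r in m["roles"]}
    return sorted(mapped & set(auth["roles"])), sorted(set(auth["roles"]) - mapped)
```

Calling `explain_roles(AUTHENTICATE, ROLE_MAPPINGS)` leaves `superuser` in the second list, meaning it does not come from the API-managed mapping. Other sources to check are a role mapping file configured on the realm and the anonymous-access setting the reply asks about (`xpack.security.authc.anonymous.roles` in `elasticsearch.yml`).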
