Issue using role mapping API for AD Group

ElasticUser4 · February 13, 2020, 2:38pm

Hello,
First, I apologize if this is the wrong section to post in. I was not sure if it should be in stack-security, Elasticsearch, etc. I figured being it was around trying to get this to work on ECE that this would be the correct section.

I have successfully implemented Active Directory logins for ECE using the Web GUI/Authentication providers. That was straight forward and worked with out issue. I am now trying to lock down Elasticsearch and Kibana in one of my deployments to use AD as well.

I used the User setting overrides for my Elasticsearch instance in my deployment with the X-Pack settings. That seems to work as I am able to use an AD login at the Kibana login screen. But I am getting a "Forbidden" message, which is to be expected as no roles have been assigned to my AD group. So I attempted to use the examples found on the "Create or update role mappings API" document, but no matter what I have tried I keep getting a ""ok":false,"message":"Unknown deployment."" error. I imagine I have to specify the deployment name somehow to tell the API which deployment this role assignment is for?

Thank you in advance for any assistance anyone can provide!

Alex_Piggott · February 13, 2020, 4:40pm

Hi @ElasticUser4

I believe based on the error that ECE is the right forum for this question.

The { ok: false, "unknown deployment" } error means that the ECE proxy doesn't know which cluster to send the request to - how are you creating the failing request?

The cluster id needs to be specified in either:

The URL (Eg curl '$cluster_id.host.ece.com:9200' with whatever DNS you have setup, or eg $cluster_id.ip.es.io if using the out of the box DNS config)
If using nginx or haproxy in front to provide human readable URLs for clusters then either preserve the cluster_id version in the Host: header
or set a header called X-Found-Cluster: with the cluster Id

ElasticUser4 · February 14, 2020, 3:02pm

Hello @Alex_Piggott

Thank you for the reply. That definitely set me on the right path. I am using cURL to pass to the API from the command line. I was getting a permission issue, but figured out that I had to pass in the elastic user. Here is my cURL syntax:

curl -X POST -u elastic:vBs2VB9AK3viQTveMOJog3nkU "440f982323fa43Eeadef1d26dd0a3228.localhost:9200/_security/role_mapping/mapping1?pretty" -H 'Content-Type: application/json' -d'
{
"roles" : [ "superuser" ],
"rules" : { "field" : {
"groups" : "OU=Test Team,OU=Users,DC=My,DC=Domain,DC=com"
} },
"enabled": true
}
'

I am getting the following returned:
{
"role_mapping" : {
"created" : false
}
}

But if I perform a GET from the API Console in the Web GUI, I see the mapping:

GET _security/role_mapping/mapping1

{
"mapping1": {
"enabled": true,
"roles": [
"superuser"
],
"rules": {
"field": {
"groups": "OU=Test Team,OU=Users,DC=My,DC=Domain,DC=com"
}
},
"metadata": {}
}
}

I am still getting a Forbidden when I try to log in to Kibana or Elasticsearch with a AD account, so still confused if the role assignment actually worked or not?

Alex_Piggott · February 14, 2020, 4:40pm

This all looks like it worked (created: false just means that the mapping already existed I believe?)

You can use _authenticate to see what mappings the user has achieved: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-authenticate.html

There should be some logging information in the Logging and Monitoring cluster you can use to identify what the problem might be (eg field mismatch)

ElasticUser4 · February 14, 2020, 6:13pm

Thank you, @Alex_Piggott you have been very helpful!

Got everything working now and have a better understanding how to use the API. Have a great weekend!

system · February 28, 2020, 6:13pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.