Mapping Users and Groups to Roles "other" realms


(Niklas Bergström) #1

For native or file it is possible to map users to roles via the API or Kibana.
But for role mappings for e.g. Active Directory realms, you need to create a role_mapping.yml file.
I suppose I can just create it in /mnt/data/elastic/[ip]/services/allocator/containers/elasticsearch/[id]/instance-0000000001/config/x-pack/ but then it will be lost when I am doing changes/upgrades and a new container is created.
How do I solve that in Cloud Enterprise?


(Alex Piggott) #2

Hi @Niklas

AD is definitely not well supported in ECE at the moment, it is on our "todo" list. The main issue is the additional files like role_mapping.yaml, as you already deduced.

While it's likely that it could be gotten to work reliably via user bundles together with a custom location for the role mapping file, we are not treating it as officially supported at the moment.

It is something that will be coming soon with official support though!

Alex


(Niklas Bergström) #3

Thanks. I'll try that.. might also come in handy for other files.
I have solved it by setting the unmapped_groups_as_roles to yes and creating roles that have the same name as the AD-groups and the same privileges as the predefined ones.
I just think it is neater to use the predefined roles and map them to AD-groups but this will do.

I also noticed that you are not allowed to add xpack security realms to the elasticsearch.yml for logging-and-metrics in the 1.0 version.. it worked in the beta.
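
Added example (not part of the original posts and not Elastic's own configuration): the two approaches discussed in this thread side by side, assuming the 5.x/6.x realm setting syntax that matches the config/x-pack/ path in post #1. The realm name `ad1`, the `example.com` domain, the group DNs and the placeholder path are constructed.

```yaml
# ---------- elasticsearch.yml (realm definition, both options) ----------
xpack.security.authc.realms.ad1.type: active_directory
xpack.security.authc.realms.ad1.order: 0
xpack.security.authc.realms.ad1.domain_name: ad.example.com    # constructed
xpack.security.authc.realms.ad1.url: ldaps://ad.example.com:636

# Option A: the workaround from post #3.
# No mapping file is needed, but every AD group of a user that has no
# explicit mapping is looked up as a role name. Privileges then follow
# AD group naming: whoever can create groups or change membership in AD
# decides who holds a same-named Elasticsearch role. Keep the custom
# roles narrow and review them whenever AD groups are added or renamed.
xpack.security.authc.realms.ad1.unmapped_groups_as_roles: true

# Option B: explicit mapping file at a custom location (the approach
# post #2 describes as not officially supported in ECE at the time).
# <BUNDLE-PATH-PLACEHOLDER> stands for wherever the file ends up; the
# thread does not give that path.
# xpack.security.authc.realms.ad1.unmapped_groups_as_roles: false
# xpack.security.authc.realms.ad1.files.role_mapping: <BUNDLE-PATH-PLACEHOLDER>/role_mapping.yml

# ---------- role_mapping.yml (only used with Option B) ----------
# Format: <role name>: list of user or group distinguished names.
# Predefined roles are mapped to AD groups, so no duplicate roles are needed.
superuser:
  - "CN=es-admins,OU=Groups,DC=ad,DC=example,DC=com"      # constructed DN
kibana_user:
  - "CN=es-analysts,OU=Groups,DC=ad,DC=example,DC=com"    # constructed DN
monitoring_user:
  - "CN=es-operators,OU=Groups,DC=ad,DC=example,DC=com"   # constructed DN
```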


(Johnny BARRAY) #4

Hi @Alex,

FYI,
I'm interested in AD support and role_mapping.yaml management by ECE as well since we are using this in our current clusters.

Best,
Johnny

