Hello:
Iam trying to use the PKI realm and derive roles and mappings from the CN as follows. Is it possible to do this? This is with ES 6.8.3.
In the role_mapping.yaml
power_user:
And in the roles.yaml specify as follows
power_user:
cluster: [ 'monitor', 'manage_index_templates' ]
indices:
- names: [ 'power_*' ]
privileges: [ 'all' ]
Thanks in Advance
Rajesh
You can't do this with the role mapping file as it doesn't support wildcards, but you can do this with the Role Mapping API which is also the preferred way to manage role mappings.
POST /_security/role_mapping/power_user_mapping
{
"roles": [ "power_user" ],
"enabled": true,
"rules": {
"field" : { "dn": "cn=power_*,ou=example,o=com" }
}
}
yes, you can do that, but you could also use the Create Roles API that is the preferred way to manage roles.
Thanks @ikakavas , Will try it out.
@ikakavas
I cant seem to get around this message, what am I doing wrong? This is ES 6.8.3.
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
"header" : {
"WWW-Authenticate" : [
"Bearer realm="security"",
"ApiKey",
"Basic realm="security" charset="UTF-8""
]
}
}
],
"type" : "security_exception",
"reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
"header" : {
"WWW-Authenticate" : [
"Bearer realm="security"",
"ApiKey",
"Basic realm="security" charset="UTF-8""
]
}
}
My Subject in certificiate is
Subject: O=ApplicationServer, O=TEST, CN=power_testserver
And My roles.yaml file is
power_infra_user:
cluster: [ 'monitor', 'manage_index_templates' ]
indices:
- names: [ 'power_*']
privileges: [ 'all' ]
And Role Mapping invoked through the API is
curl -k -u 'test:iamsuperuser' https://127.0.0.1:9200/_security/role_mapping/power_infra_role_mapping
{"power_infra_role_mapping":{"enabled":true,"roles":["power_infra_user"],"rules":{"field":{"dn":"cn=power_testserver,ou=ApplicationServer,o=TEST"}},"metadata":{}}}
And I have the following xpack config
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/service/server.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/service/server.crt
xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/service/ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/service/server.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/service/server.crt
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/service/ca.crt" ]
xpack:
security:
authc:
realms:
pki1:
type: pki
order: 0
file1:
type: file
order: 1
a) PKI Realm is not available in basic, you need a trial license or a gold/platinum one.
b) Please read through our docs https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-pki-realm.html . There are definitely things you have missed, including setting client_authentication for http.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.