PKI realm rolemapping

Hello:

I am trying to use the PKI realm and derive roles and mappings from the CN as follows. Is it possible to do this? This is with ES 6.8.3.

In the role_mapping.yaml

power_user:
  - "cn=power_*,ou=example,o=com"

And in the roles.yaml specify as follows

power_user:
  cluster: [ 'monitor', 'manage_index_templates' ]
  indices:
    - names: [ 'power_*' ]
      privileges: [ 'all' ]

Thanks in Advance
Rajesh

You can't do this with the role mapping file as it doesn't support wildcards, but you can do this with the Role Mapping API which is also the preferred way to manage role mappings.

POST /_security/role_mapping/power_user_mapping
{
  "roles": [ "power_user" ],
  "enabled": true,
  "rules": {
    "field" : { "dn": "cn=power_*,ou=example,o=com" }
  }
}

Yes, you can do that, but you could also use the Create Roles API, which is the preferred way to manage roles.

Thanks @ikakavas , Will try it out.

@ikakavas
I can't seem to get around this message; what am I doing wrong? This is ES 6.8.3.

"error" : {
  "root_cause" : [
    {
      "type" : "security_exception",
      "reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
      "header" : {
        "WWW-Authenticate" : [
          "Bearer realm=\"security\"",
          "ApiKey",
          "Basic realm=\"security\" charset=\"UTF-8\""
        ]
      }
    }
  ],
  "type" : "security_exception",
  "reason" : "missing authentication token for REST request [/_cat/indices?pretty]",
  "header" : {
    "WWW-Authenticate" : [
      "Bearer realm=\"security\"",
      "ApiKey",
      "Basic realm=\"security\" charset=\"UTF-8\""
    ]
  }
}

My Subject in the certificate is

Subject: O=ApplicationServer, O=TEST, CN=power_testserver

And My roles.yaml file is

power_infra_user:
  cluster: [ 'monitor', 'manage_index_templates' ]
  indices:
    - names: [ 'power_*' ]
      privileges: [ 'all' ]

And Role Mapping invoked through the API is
curl -k -u 'test:iamsuperuser' https://127.0.0.1:9200/_security/role_mapping/power_infra_role_mapping
{"power_infra_role_mapping":{"enabled":true,"roles":["power_infra_user"],"rules":{"field":{"dn":"cn=power_testserver,ou=ApplicationServer,o=TEST"}},"metadata":{}}}

And I have the following xpack config

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/service/server.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/service/server.crt
xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/service/ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/service/server.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/service/server.crt
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/service/ca.crt" ]

xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
          order: 0
        file1:
          type: file
          order: 1

a) PKI Realm is not available in basic, you need a trial license or a gold/platinum one.
b) Please read through our docs https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-pki-realm.html . There are definitely things you have missed, including setting client_authentication for http.
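Two things in this thread are worth checking offline before touching the cluster: whether a `field: {dn: ...}` rule (the API form from the first answer, with its wildcard) would actually accept the subject DN the PKI realm sees, and what username that realm derives from it. The script below is an added example written for this thread, not Elasticsearch code. It reimplements the Role Mapping API rule tree (`field` / `any` / `all` / `except`) with an approximation of the `dn` matching (assumption: wildcard patterns are matched case-insensitively against the DN as a normalised string, patterns without wildcards must equal the whole normalised DN), and it uses the documented default `username_pattern` of the PKI realm, `CN=(.*?)(?:,|$)`. The subject from the second post is written in the most-specific-RDN-first order that Java reports (`CN=power_testserver, O=TEST, O=ApplicationServer`), which is what the realm matches against; the `power_infra_role_mapping_fixed` entry is constructed here, not from the thread. Note that the rule in the post says `ou=ApplicationServer` while the certificate carries `O=ApplicationServer`, so the exact rule never matches. Separately, none of this runs at all until the HTTP layer requests a client certificate: `xpack.security.http.ssl.client_authentication` defaults to `none` and must be `optional` or `required`, which is the setting the reply above points at and the posted config lacks.

```python
"""Offline dry-run of Elasticsearch role-mapping rules against a PKI subject.
Added example for this thread, not Elasticsearch code; the `dn` matching is an
approximation (assumption) of the real field-rule semantics."""
import fnmatch
import re
from typing import Any, Dict, List

# Default PKI realm username_pattern from the Elasticsearch docs (case-insensitive).
USERNAME_PATTERN = re.compile(r"CN=(.*?)(?:,|$)", re.IGNORECASE)


def normalize_dn(dn: str) -> str:
    """Lower-case attributes and values, drop whitespace around ',' and '='.
    Escaped commas ('\\,') stay in the value; multi-valued RDNs ('+') are not
    handled (assumption: the certificates in question do not use them)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            attr, _, value = part.partition("=")
            part = f"{attr.strip()}={value.strip()}"
        rdns.append(part.lower())
    return ",".join(rdns)


def pki_username(subject_dn: str) -> str:
    """Username the PKI realm derives from the subject with the default pattern."""
    m = USERNAME_PATTERN.search(subject_dn)
    if not m:
        raise ValueError(f"no CN in subject: {subject_dn!r}")
    return m.group(1)


def dn_matches(pattern: str, subject_dn: str) -> bool:
    """Wildcard patterns match the normalised DN string; others must equal it."""
    subject, pattern = normalize_dn(subject_dn), normalize_dn(pattern)
    if any(c in pattern for c in "*?"):
        return fnmatch.fnmatchcase(subject, pattern)
    return subject == pattern


def value_matches(expected: Any, actual: Any) -> bool:
    """Generic field rule: null matches a missing field, strings allow wildcards,
    list-valued fields (e.g. groups) match if any element matches."""
    if isinstance(actual, list):
        return any(value_matches(expected, a) for a in actual)
    if expected is None:
        return actual is None
    if isinstance(expected, str) and isinstance(actual, str):
        return fnmatch.fnmatchcase(actual, expected)
    return expected == actual


def evaluate(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Evaluate a rule tree using the Role Mapping API keys field/any/all/except."""
    if "field" in rule:
        ((name, expected),) = rule["field"].items()
        candidates = expected if isinstance(expected, list) else [expected]
        actual = user.get(name)
        if name == "dn":
            return actual is not None and any(dn_matches(c, actual) for c in candidates)
        return any(value_matches(c, actual) for c in candidates)
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule!r}")


def roles_for(user: Dict[str, Any], mappings: Dict[str, Dict[str, Any]]) -> List[str]:
    """Union of roles from every enabled mapping whose rules accept the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


def pki_user(subject_dn: str, realm: str = "pki1") -> Dict[str, Any]:
    """Fields the PKI realm exposes to role mapping (dn, username, realm.name)."""
    return {"dn": subject_dn, "username": pki_username(subject_dn), "realm.name": realm}


# Subject from the second post, in the most-specific-RDN-first order Java reports it.
CERT_SUBJECT = "CN=power_testserver, O=TEST, O=ApplicationServer"

# The two mappings from the thread plus a corrected one constructed for this example
# (wildcard on the CN, exact O values, and pinned to the pki1 realm).
MAPPINGS = {
    "power_user_mapping": {
        "enabled": True, "roles": ["power_user"],
        "rules": {"field": {"dn": "cn=power_*,ou=example,o=com"}},
    },
    "power_infra_role_mapping": {
        "enabled": True, "roles": ["power_infra_user"],
        "rules": {"field": {"dn": "cn=power_testserver,ou=ApplicationServer,o=TEST"}},
    },
    "power_infra_role_mapping_fixed": {
        "enabled": True, "roles": ["power_infra_user"],
        "rules": {"all": [
            {"field": {"realm.name": "pki1"}},
            {"field": {"dn": "cn=power_*,o=TEST,o=ApplicationServer"}},
        ]},
    },
}

if __name__ == "__main__":
    user = pki_user(CERT_SUBJECT)
    for name, mapping in MAPPINGS.items():
        print(f"{name:32s} -> {evaluate(mapping['rules'], user)}")
    print("username:", user["username"], "roles:", roles_for(user, MAPPINGS))
```

Run it as-is and only the constructed `power_infra_role_mapping_fixed` entry accepts the certificate; the posted exact rule fails on `ou` versus `O` (and RDN order), and the first answer's `cn=power_*,ou=example,o=com` naturally fails for a subject under a different organisation. Pinning the rule to `realm.name` is cheap defence in depth: it stops the same DN string from a differently trusted realm picking up the role.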
