Problem adding AD users to roles

I'm trying to a new Shield installation going on our ES (2.2.1) cluster, and am running into a problem with Active Directory users that has me stumped. I have successfully added a single AD group to a Shield role with the following role_mapping.yml file:


  • "cn=Domain Admins,cn=Builtin,dc=example,dc=com"

That's the entire file, and anyone in the Domain Admins group is authorized with admin access. So far, so good.

But the problem comes when I add an additional user to the admin role:


  • "cn=Domain Admins,cn=Builtin,dc=example,dc=com"
  • "cn=Smith, John Q.,cn=Users,dc=example,dc=com"

Not only is the new user not authorized, but none of the Domain Admins are authorized any more either:

curl -u admin -XGET 'localhost:9200/_cluster/health?pretty'

"error" : {
"root_cause" : [ {
"type" : "security_exception",
"reason" : "action [cluster:monitor/health] is unauthorized for user [admin]"

So what's wrong with the additional line, and why is it breaking authorization for other users?


Hi Dave,

That is really odd. The escaping looks correct to me. Do you see any log messages in your log file like the ones below?

failed to parse role mappings file [/path/to/role_mapping.yml]. skipping/removing all mappings...

invalid DN [...] found in [active_directory] role mappings [/path/to/role_mapping.yml] for realm [...]. skipping... 


I figured it out. The log file contained the following:

failed to parse role mappings file [/etc/elasticsearch/shield/role_mapping.yml]. skipping/removing all mappings...
SettingsException[Failed to load settings from [/etc/elasticsearch/shield/role_mapping.yml]]; nested: ScannerException[while scanning a double-quoted scalar
in 'reader', line 17, column 5:
- "cn=Smith, John Q.,cn=Users, ...

found unknown escape character ,(44)
in 'reader', line 17, column 17:
- "cn=Smith, John Q.,cn=Users,dc=example ...

I had wondered if the escaped comma might have been causing problems, but I hadn't considered that it might only occur in a double-quoted string. So I converted them to single-quoted strings:


  • 'cn=Domain Admins,cn=Builtin,dc=example,dc=com'
  • 'cn=Smith, John Q.,cn=Users,dc=example,dc=com'

And now everything is working as expected. So it seems that the "" escape character is interpreted in a single-quoted string, but not in a double-quoted string. I would have expected it to be the other way around.