Problem adding AD users to roles

I'm trying to get a new Shield installation going on our ES (2.2.1) cluster, and am running into a problem with Active Directory users that has me stumped. I have successfully added a single AD group to a Shield role with the following role_mapping.yml file:

admin:
  - "cn=Domain Admins,cn=Builtin,dc=example,dc=com"

That's the entire file, and anyone in the Domain Admins group is authorized with admin access. So far, so good.

But the problem comes when I add an additional user to the admin role:

admin:
  - "cn=Domain Admins,cn=Builtin,dc=example,dc=com"
  - "cn=Smith\, John Q.,cn=Users,dc=example,dc=com"

Not only is the new user not authorized, but none of the Domain Admins are authorized any more either:

curl -u admin -XGET 'localhost:9200/_cluster/health?pretty'

    "error" : {
      "root_cause" : [ {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/health] is unauthorized for user [admin]"

So what's wrong with the additional line, and why is it breaking authorization for other users?

Dave

Hi Dave,

That is really odd. The escaping looks correct to me. Do you see any log messages in your log file like the ones below?

    failed to parse role mappings file [/path/to/role_mapping.yml]. skipping/removing all mappings...

    invalid DN [...] found in [active_directory] role mappings [/path/to/role_mapping.yml] for realm [...]. skipping...

Jay

I figured it out. The log file contained the following:

    failed to parse role mappings file [/etc/elasticsearch/shield/role_mapping.yml]. skipping/removing all mappings...
    SettingsException[Failed to load settings from [/etc/elasticsearch/shield/role_mapping.yml]]; nested: ScannerException[while scanning a double-quoted scalar
     in 'reader', line 17, column 5:
        - "cn=Smith\, John Q.,cn=Users, ...

    found unknown escape character ,(44)
     in 'reader', line 17, column 17:
        - "cn=Smith\, John Q.,cn=Users,dc=example ...

I had wondered if the escaped comma might have been causing problems, but I hadn't considered that it might only occur in a double-quoted string. So I converted them to single-quoted strings:

admin:
  - 'cn=Domain Admins,cn=Builtin,dc=example,dc=com'
  - 'cn=Smith\, John Q.,cn=Users,dc=example,dc=com'

And now everything is working as expected. So it seems that the "\" escape character is interpreted in a single-quoted string, but not in a double-quoted string. I would have expected it to be the other way around.

Dave
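As an added example (my own code, not from the thread or from Elastic), here is a small checker that reproduces the YAML rule behind the error above: a double-quoted scalar processes backslash escapes and `\,` is not one of them, while a single-quoted scalar passes the backslash through untouched so the RFC 4514 comma escape reaches the LDAP DN parser intact. The function names and the sample role_mapping.yml text are my own constructions.

```python
import re

# Characters YAML accepts after a backslash inside a double-quoted scalar.
YAML_DQ_ESCAPES = set('0abtnvfre "/\\N_LPxuU\t ')


def bad_escape(body):
    """First backslash escape in a double-quoted body that YAML rejects, or None."""
    i = 0
    while i < len(body):
        if body[i] != '\\':
            i += 1
            continue
        if i + 1 >= len(body):
            return '\\'                      # dangling backslash at the end
        if body[i + 1] not in YAML_DQ_ESCAPES:
            return body[i:i + 2]            # e.g. '\,' from the thread's DN
        i += 2                              # valid two-character escape
    return None


def split_rdns(dn):
    """Split an RFC 4514 DN on unescaped commas, keeping the escapes in place."""
    return re.split(r'(?<!\\),', dn)


def single_quoted(dn):
    """Single-quoted YAML scalar: no escape processing, only '' for a literal quote."""
    return "'" + dn.replace("'", "''") + "'"


def double_quoted(dn):
    """Double-quoted alternative: the backslash itself has to be escaped as \\\\."""
    return '"' + dn.replace('\\', '\\\\').replace('"', '\\"') + '"'


def check_entry(line):
    """Validate one '- "<dn>"' or "- '<dn>'" list line; return (ok, detail)."""
    m = re.match(r"\s*-\s*([\"'])(.*)\1\s*$", line)
    if not m:
        return False, 'not a quoted list entry'
    quote, body = m.groups()
    if quote == '"':
        bad = bad_escape(body)
        if bad is not None:                 # same wording as the Shield log line
            return False, 'unknown escape character %s(%d)' % (bad[-1], ord(bad[-1]))
    return True, '%d RDNs' % len(split_rdns(body))


def check_mapping(text):
    """Return [(line_no, detail)] for every list entry the YAML loader would reject."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('-'):
            ok, detail = check_entry(line)
            if not ok:
                problems.append((n, detail))
    return problems
```

Running `check_mapping` over the double-quoted file from the first post reports the `\,` entry with the same "unknown escape character ,(44)" text the log showed, while the single-quoted version passes; `double_quoted()` shows the form that would also have worked.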