As I understand it the role mapping API allows me to create mappings that (currently?) only the LDAP and AD authentication realms use.
AD, LDAP, PKI and soon SAML use the RoleMappingStore.
If I want to implement my own custom authentication realm, I have to do the role mapping during the authentication step, correct?
Role mapping is an indirection that you do not need. The 'authentication step' is responsible for building the `User` entity. The `User` entity contains the `metadata` and some other misc fields. The custom realm should build this `User` entity to contain the `roleNames`. In this case the 'authentication step' is complete. See: https://github.com/elastic/shield-custom-realm-example/blob/201ab9bef6e45a3ae23f3c113f988555f47846e2/src/main/java/org/elasticsearch/example/realm/CustomRealm.java#L129

The `RoleMapping` service translates `metadata` to `roleNames`. This is because, in this case, the system doing authentication (LDAP/AD server) or issuing the certificates cannot possibly hold the notion of roles for each third-party service requiring authentication. Instead the 'authenticating party' releases a set of claims (e.g. groups) that are copied to the `metadata` field and subsequently translated to role names by the `RoleMapping` service.
I found a `NativeRoleMappingStore`, but where do I get that from when creating or initializing my custom realm?
Even if you fancy using `RoleMapping` in your setup with a Custom Realm, this is not currently possible.
Make sure you check the Custom Realm Example
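As an added example, not the project's code and not the code in the linked CustomRealm, here is the shape of the "resolve roles during the authentication step" approach described in the answer above: the group-to-role table that the `RoleMapping` service would hold for LDAP/AD lives inside the realm, and the realm hands back a `User` that already carries `roleNames`, with the raw groups kept in `metadata`. The class name, the user, group and role tables and the passwords are constructed for the example; the `User` constructor signature is assumed from the 5.x-era X-Pack API and should be checked against the linked CustomRealm for your version.

```java
// Added example, not code from the shield-custom-realm-example project.
// The only X-Pack type used is org.elasticsearch.xpack.security.user.User, assumed
// (as in the 5.x-era API) to have the constructor
//   User(String username, String[] roles, String fullName, String email,
//        Map<String, Object> metadata, boolean enabled)
// Check that against the CustomRealm linked above for your version.
package org.elasticsearch.example.realm;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.elasticsearch.xpack.security.user.User;

/**
 * Does, inside the custom realm, what the RoleMapping service does for LDAP/AD:
 * turns the groups a user belongs to into role names and puts both on the User.
 */
public final class GroupResolvingAuthenticator {

    // Constructed, hypothetical user store: username -> SHA-256 of the password.
    // Plain SHA-256 only keeps the example short; a real store uses a password hash (bcrypt etc.).
    private static final Map<String, byte[]> PASSWORD_DIGESTS = new HashMap<>();
    // Constructed, hypothetical directory: username -> group DNs (the "claims").
    private static final Map<String, List<String>> GROUPS = new HashMap<>();
    // The group -> roles table a custom realm must carry itself; RoleMapping is not consulted.
    private static final Map<String, List<String>> GROUP_TO_ROLES = new HashMap<>();

    static {
        PASSWORD_DIGESTS.put("alice", sha256("alice-password"));
        PASSWORD_DIGESTS.put("carol", sha256("carol-password"));
        GROUPS.put("alice", Arrays.asList(
                "cn=admins,ou=groups,dc=example,dc=com",
                "cn=analysts,ou=groups,dc=example,dc=com"));
        // carol's only group has no mapping, so she authenticates with no roles at all.
        GROUPS.put("carol", Collections.singletonList("cn=guests,ou=groups,dc=example,dc=com"));
        GROUP_TO_ROLES.put("cn=admins,ou=groups,dc=example,dc=com", Collections.singletonList("superuser"));
        GROUP_TO_ROLES.put("cn=analysts,ou=groups,dc=example,dc=com", Arrays.asList("kibana_user", "logs_reader"));
    }

    private GroupResolvingAuthenticator() {}

    /**
     * Returns a fully populated User on success, or null when the credentials are wrong;
     * the realm then reports failure to its listener instead of passing a User on.
     */
    public static User authenticate(String username, char[] password) {
        byte[] expected = PASSWORD_DIGESTS.get(username);
        // Digest the supplied password before the null check so the unknown-user path
        // does roughly the same work as the wrong-password path.
        byte[] supplied = sha256(new String(password));
        if (expected == null || !MessageDigest.isEqual(expected, supplied)) {
            return null;
        }
        List<String> groups = GROUPS.getOrDefault(username, Collections.emptyList());
        String[] roles = resolveRoles(groups);

        // Keep the raw claims in metadata so they stay visible for auditing and debugging,
        // while roleNames are what authorization actually uses.
        Map<String, Object> metadata = new HashMap<>();
        metadata.put("ldap_groups", groups);
        return new User(username, roles, null, null, metadata, true);
    }

    /** Group DN -> role names; unknown groups contribute nothing, so an unmapped user has no privileges. */
    static String[] resolveRoles(List<String> groups) {
        Set<String> roles = new LinkedHashSet<>();
        for (String group : groups) {
            roles.addAll(GROUP_TO_ROLES.getOrDefault(group, Collections.emptyList()));
        }
        return roles.toArray(new String[0]);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A realm's `authenticate` would call `GroupResolvingAuthenticator.authenticate(token.principal(), ...)` with the token's credentials and hand the returned `User` to its listener, or report failure on `null`. Because the realm itself resolves `roleNames`, nothing after it has to consult a mapping store; a user whose groups match no entry (carol above) is still authenticated but holds no roles, which is the least-privilege outcome you want rather than a fallback to some default role.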