Role Mapping API not working


(Sukesh) #1

I have configured X-Pack with LDAP in my ES Cluster. I am able to create the roles and role mappings using APIs. But role mapping is not taking effect in ES Cluster.

It is working only If I update the role_mapping,yml file.

create role mapping command

curl -X POST "localhost:9200/_xpack/security/role_mapping/ES_Readonly_mapping" -H 'Content-Type: application/json' -d' '{"roles":["ES_Readonly"],"enabled":true,"rules":{"field":{"dn":"cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=t-example,dc=com"}}}'

curl -XGET -u elastic
localhost:9200/_xpack/security/role_mapping/ES_Readonly_mapping

{"ES_Readonly_mapping":{"enabled":true,"roles":["ES_Readonly"],"rules":{"field":{"dn":"cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com"}}


(Ioannis Kakavas) #2

The snippets above show that you have created a Role Mapping that would give the role ES_Readonly to the user with the DN : cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com

You don't share any information on how you attempt to verify if this works or not, and what is the behavior you are seeing that makes you think it's not working. Please

  1. Make sure that the DN of the user you attempt to login as, is indeed cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com

  2. Enable DEBUG level logging in Elasticsearch with

    curl -H "Content-Type: application/json" -XPUT -uelastic 'http://10.65.45.22:9200/_cluster/settings' -d' 
    {
     "transient" : {
         "logger.org.elasticsearch.xpack.security.authc.ldap" : "DEBUG"
      }
     }'
    

    and then attempt to authenticate with your LDAP user, for example:

    curl -u user1 -XGET "http://10.65.45.22:9200/_xpack/security/_authenticate"
    

    The response will contain the roles that have been mapped to this user. The logs will also contain information on the role mapping that was attempted and indications of what can be going wrong.


(Sukesh) #3

curl -u user1 -XGET "http://10.65.45.22:9200/_xpack/security/_authenticate"

{"username":"user1","roles":[],"full_name":null,"email":null,"metadata":{"ldap_dn":"CN=user1,OU=Production,OU=Users,OU=Accounts,DC=my,DC=example,DC=com","ldap_groups":["testusers"]}}

please find the permission I have given while creating the role

{"cluster":["monitor","monitor_ml","monitor_watcher"],"indices":[{"names":["*"],"privileges":["monitor","view_index_metadata","read","indices:admin/get"]}]}


(Ioannis Kakavas) #4

Which version are you using? The role mapping API was case sensitive and whitespace sensitive until 6.2 . So you would have to update your mapping as following:

curl -X POST "localhost:9200/_xpack/security/role_mapping/ES_Readonly_mapping" -H 'Content-Type: application/json' -d' '{"roles":["ES_Readonly"],"enabled":true,"rules":{"field":{"dn":"CN=user1,OU=Production,OU=Users,OU=Accounts,DC=my,DC=example,DC=com"}}}'

Note

CN=user1,OU=Production,OU=Users,OU=Accounts,DC=my,DC=example,DC=com

which is how your LDAP server returns the user's DN,instead of

cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com

File based role mapping is not case sensitive so that would explain why this works when the role mapping is defined in role_mapping.yml


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.