Role Mapping API not working

sukeshss · July 10, 2018, 8:36am

I have configured X-Pack with LDAP in my ES Cluster. I am able to create the roles and role mappings using APIs. But role mapping is not taking effect in ES Cluster.

It is working only If I update the role_mapping,yml file.

create role mapping command

curl -X POST "localhost:9200/_xpack/security/role_mapping/ES_Readonly_mapping" -H 'Content-Type: application/json' -d' '{"roles":["ES_Readonly"],"enabled":true,"rules":{"field":{"dn":"cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=t-example,dc=com"}}}'

curl -XGET -u elastic
localhost:9200/_xpack/security/role_mapping/ES_Readonly_mapping

{"ES_Readonly_mapping":{"enabled":true,"roles":["ES_Readonly"],"rules":{"field":{"dn":"cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com"}}

ikakavas · July 10, 2018, 8:57am

The snippets above show that you have created a Role Mapping that would give the role ES_Readonly to the user with the DN : cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com

You don't share any information on how you attempt to verify if this works or not, and what is the behavior you are seeing that makes you think it's not working. Please

Make sure that the DN of the user you attempt to login as, is indeed cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com
Enable DEBUG level logging in Elasticsearch with
```
curl -H "Content-Type: application/json" -XPUT -uelastic 'http://10.65.45.22:9200/_cluster/settings' -d' 
{
 "transient" : {
     "logger.org.elasticsearch.xpack.security.authc.ldap" : "DEBUG"
  }
 }'
```
and then attempt to authenticate with your LDAP user, for example:
```
curl -u user1 -XGET "http://10.65.45.22:9200/_xpack/security/_authenticate"
```
The response will contain the roles that have been mapped to this user. The logs will also contain information on the role mapping that was attempted and indications of what can be going wrong.

sukeshss · July 10, 2018, 1:42pm

curl -u user1 -XGET "http://10.65.45.22:9200/_xpack/security/_authenticate"

{"username":"user1","roles":,"full_name":null,"email":null,"metadata":{"ldap_dn":"CN=user1,OU=Production,OU=Users,OU=Accounts,DC=my,DC=example,DC=com","ldap_groups":["testusers"]}}

please find the permission I have given while creating the role

{"cluster":["monitor","monitor_ml","monitor_watcher"],"indices":[{"names":["*"],"privileges":["monitor","view_index_metadata","read","indices:admin/get"]}]}

ikakavas · July 10, 2018, 2:03pm

Which version are you using? The role mapping API was case sensitive and whitespace sensitive until 6.2 . So you would have to update your mapping as following:

curl -X POST "localhost:9200/_xpack/security/role_mapping/ES_Readonly_mapping" -H 'Content-Type: application/json' -d' '{"roles":["ES_Readonly"],"enabled":true,"rules":{"field":{"dn":"CN=user1,OU=Production,OU=Users,OU=Accounts,DC=my,DC=example,DC=com"}}}'

Note

CN=user1,OU=Production,OU=Users,OU=Accounts,DC=my,DC=example,DC=com

which is how your LDAP server returns the user's DN,instead of

cn=user1,ou=Production,ou=Users,ou=Accounts,dc=my,dc=example,dc=com

File based role mapping is not case sensitive so that would explain why this works when the role mapping is defined in role_mapping.yml

system · August 7, 2018, 2:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.