Role mapping on user's metadata

stack-security

(Miso Mijatovic) #1

Hi all,
I am on 6.5.4 and I am using AD for authentication.
Authentication works correctly, now I am trying to create some role_mapping.
Following this guide I understand that it should be possible to create mappings using user's metadata (AD attributes) in rules:
https://www.elastic.co/guide/en/elasticsearch/reference/6.5/role-mapping-resources.html#_user_fields

`metadata`

(object) Additional metadata for the user. For example,  `"metadata": { "cn": "John Smith" }` .

This is what I am trying:

POST _xpack/security/role_mapping/mapping_test_user
{
  "enabled": true,
  "roles": [
    "read_only_logs",
    "kibana_dashboard_only_user"
  ],
  "rules": {
    "any": [
      {
        "field": {
          "metadata":{"cn": "testuser"}
        }
      }
    ]
  },
  "metadata": {}
}

But I get this error:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[11:22] [role-mapping] failed to parse field [rules]",
        "line": 11,
        "col": 22
      }
    ],
    "type": "parsing_exception",
    "reason": "[11:22] [role-mapping] failed to parse field [rules]",
    "line": 11,
    "col": 22,
    "caused_by": {
      "type": "x_content_parse_exception",
      "reason": "[11:22] [role-mapping] failed to parse field [rules]",
      "caused_by": {
        "type": "parse_exception",
        "reason": "failed to parse rules expression. expected a field value but found [START_OBJECT] instead"
      }
    }
  },
  "status": 400
}

What am I doing wrong? Thanks in advance.


(Ioannis Kakavas) #2

In order for cn LDAP Attribute to end up in the authenticated user's metadata, you need to explicitly configure your AD realm ( see here ) by setting the metadata realm configuration property.

The

(object) Additional metadata for the user. For example,  `"metadata": { "cn": "John Smith" }` .

is an example of how the metadata can look like, not how to use it in the role mapping rule. You'd need to change this to

POST _xpack/security/role_mapping/mapping_test_user
{
  "enabled": true,
  "roles": [
    "read_only_logs",
    "kibana_dashboard_only_user"
  ],
  "rules": {
    "any": [
      {
        "field": { "metadata.cn": "testuser" }
      }
    ]
  },
  "metadata": {}
}

(Miso Mijatovic) #3

Thank you for the clarification :slight_smile:


(system) closed #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.