SSO, query API, index privileges

Hi ElasticBrains

I have an ES cloud that I wish to access via the API - my users are defined in Auth0 SSO and I use role mapping to set their index privileges in ES.

I have an app that front ends their ES/QL queries via the ES API - how can I map their role based index privileges to the queries that are sent over the 'shared' API call using a shared API Key to authenticate?

I read that SSO does not support "Run As" - what is the solution to retain their Index privilege restrictions with SSO?

Thanks

There is no solution here.

Your users only exist in Auth0, Elasticsearch doesn't know anything about them.

You either need to:

  • authenticate the user via Auth0
  • create an API key for each user
  • determine the user's roles yourself, and then create an API key for that set of roles.

Thanks Tim

Right now I create a role for each user.

I don’t really see how I can use Auth0 to authenticate the users for the back end.

Creating an API key for each user would work if that key can be constrained by the same role as the user is?

I’ll go do some more reading about API keys and roles.
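The third option in the answer above (determine the user's roles yourself, then create an API key for that set of roles), as an added example that is not part of the original thread: it builds the body for Elasticsearch's create API key call (`POST /_security/api_key`) with `role_descriptors` limiting the key to the indices the user's roles allow. The role names, index patterns and the `ROLE_INDEX_PRIVILEGES` table are constructed assumptions; the app is assumed to read the user's roles from the verified Auth0 login.

```python
import json

# Hypothetical app-side table: Auth0 role name -> Elasticsearch index privileges.
# ES|QL queries need the "read" index privilege on the indices they touch.
ROLE_INDEX_PRIVILEGES = {
    "sales-analyst": [{"names": ["sales-*"], "privileges": ["read"]}],
    "ops-viewer": [{"names": ["logs-ops-*", "metrics-ops-*"], "privileges": ["read"]}],
}


def build_api_key_request(username, auth0_roles, expiration="1h"):
    """Return the JSON body for POST /_security/api_key for one user."""
    roles = sorted(set(auth0_roles))
    if not roles:
        # An API key created without role_descriptors gets a snapshot of the
        # creator's own permissions, so never send an empty set.
        raise PermissionError(f"{username}: no roles, refusing to create a key")
    unknown = [r for r in roles if r not in ROLE_INDEX_PRIVILEGES]
    if unknown:
        # Fail closed on roles the app has no index mapping for.
        raise PermissionError(f"{username}: unmapped roles {unknown}")
    return {
        "name": f"esql-{username}",
        "expiration": expiration,  # short-lived; mint a new key per session
        "role_descriptors": {
            role: {"cluster": [], "indices": ROLE_INDEX_PRIVILEGES[role]}
            for role in roles
        },
        # Metadata makes the key traceable to the SSO identity in audits.
        "metadata": {"auth0_user": username, "auth0_roles": roles},
    }


if __name__ == "__main__":
    # Constructed sample user with two Auth0 roles.
    body = build_api_key_request("alice", ["ops-viewer", "sales-analyst"])
    print(json.dumps(body, indent=2))
```

The key's effective privileges are the intersection of these `role_descriptors` and the privileges of the credential that creates it, so the creating account needs at least read access to every index it hands out. The request has to be made as a user rather than with the shared API key, because a key created by another API key cannot carry privileges.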