SSO, query API, index privileges

johnwood · October 13, 2024, 10:54pm

Hi ElasticBrains

I have an ES cloud that I wish to access via the API - my users are defined in Auth0 SSO and I use role mapping to set their index privileges in ES.

I have an app that front ends their ES/QL queries via the ES API - how can I map their role based index privileges to the queries that are sent over the 'shared' API call using a shared API Key to authenticate.

I read that SSO does not support "Run As" - what is the solution to retain their Index privilege restrictions with SSO?

Thanks

TimV · October 14, 2024, 3:39am

There is no solution here.

You users only exist in Auth0, Elasticsearch doesn't know anything about them.

You either need to:

authenticate the user via Auth0
create an API key for each user
determine the users roles yourself, and then create an API key for that set of roles.

johnwood · October 14, 2024, 9:34am

Thanks Tim

Right now I create a role for each user.

I don’t really see how I can use auth0 to authenticate the users for the back end

Creating an API key for each user would work if that key can be constrained by the same role as the user is?

I’ll go do some more reading about api keys and roles

Topic		Replies	Views
Use roles instead of ApiKey for Search Applications Elastic Search elastic-app-search	13	62	November 20, 2024
How to Build a Role with Java API for indices privileges Elasticsearch elastic-stack-security , language-clients	6	538	January 4, 2022
401 after updating API Key role descriptors Elasticsearch elastic-stack-security , language-clients	9	851	April 13, 2023
Elasticsearch put role API Elasticsearch	2	353	August 19, 2020
Config a role in roles.yml but cannot specify some privileges Elasticsearch elastic-stack-security	4	626	August 13, 2019

SSO, query API, index privileges

Related topics