Templated Roles with Open ID Realm

stongia · October 25, 2019, 6:24am

I am trying to create the templated role, where I want to use the user metadata info to provide user with role access. I am using the document available at
https://www.elastic.co/blog/attribute-based-access-control-with-xpack

I am creating role as

PUT _security/role/d_client_policy
{ 
    "indices": [{
        "names": ["unified_incident_processed"],
        "privileges": ["read"],
        "query": {
            "template": {
                "source": "{\"bool\": {\"filter\": [{\"terms\": {\"CLIENT_ID\": {{#toJson}}_user.metadata.CLIENT_ID{{/toJson}}}}]}}"
            }
        }
    }]
}

As I am using OIDC as the IDP for the application I am trying to add the metadata info the role mapping of for the username as

PUT _security/role_mapping/oidc-kibana_29
{
  "roles": [ "my_policy"],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "username": "useremail@emailid.com" } }
  ] },
  "metadata": {
        "Client_ID": [2181, 3245, 2134]
  }
}

As all this configuration is done at the level of role mapping, in _user this reference is not visible.

My Question is: how we can use the templated roles in with OpenID Realm kind of scenario?

ikakavas · October 25, 2019, 6:36am

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

ikakavas · October 25, 2019, 6:41am

You cannot put metadata in the user object in role mapping. When authenticating via OpenID Connect realm though, the user object will get all the OpenID Connect ID Token claims as metadata as we describe here.

So, if your OP can provide this metadata values as an ID Token claim , i.e. named XXXX , then you would be able to use _user.metadata.oidc(XXXX) in your templated roles.

system · November 22, 2019, 6:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Role Template with reference to metadata property from Open ID Realm Elasticsearch elastic-stack-security	2	323	June 16, 2023
Dynamic role mapping of OIDC Realm ID value to Realm ID field value in document Elasticsearch	3	97	July 5, 2024
OIDC role mapping not working Elasticsearch elastic-stack-security	3	284	February 19, 2024
Can i assign a kibana role to an openid realm based user through API Kibana elastic-stack-security	2	368	November 13, 2019
Role mapping on user's metadata Elasticsearch elastic-stack-security	3	976	March 14, 2019

Templated Roles with Open ID Realm

Related topics