Hi Elasticsearch team!
Any news regarding the subject?
So, basically, this does not work with the Active Directory realm (with the LDAP realm it works fine, but with no nested groups support):
curl -H "es-security-runas-user: an_ad_user" -u iis -XGET 'http://localhost:9200/'
iis is an internal user, with
P.S.: there are a couple of topics with a similar question:
I wanted to know: is there any way I can configure X-Pack with authorization-only access? Meaning I should send the username only, and it will authenticate it according to the roles.
I can't seem to get the impersonated user's AD groups reflected in X-Pack to achieve document label security, but instead just the user I'm authenticating to AD with. It just seems to ignore my run_as user.
Can someone please show me a snippet of config?
No, the behaviour you describe has not changed in the latest releases of X-Pack and we have no announcements about any such changes.
As of right now, the AD realm requires the user's password in order to determine their groups (and consequently their roles) and the LDAP realm does not support nested groups.
Thank you for getting back to me.
So, it's not a bug, it's a limitation. Sadly, that is not mentioned in the documentation; moreover, there is a blog article which optimistically hints at the possibility of impersonation with AD... That's why I spent a whole day trying to configure the thing, which does not work by design.
Do you think it could change in the future and the impersonation feature would work with AD as well?
I'm the product manager for X-Pack Security. I've added this feedback to my product feature data. I can't promise anything at this point, but I'll see what I can do.