About adding users to a role mapping using the API

Hi,

I’m trying to add a user to a role mapping using the API.
I’m probably misunderstanding the PATCH method, so maybe someone can explain what’s going on here:

☠ ES GET _searchguard/api/rolesmapping/sg_role_test
HTTP/1.1 200 OK
content-length: 134
content-type: application/json; charset=UTF-8

{
    "sg_role_test": {
        "and_backend_roles": [],
        "backend_roles": [],
        "description": "Migrated from v6",
        "hosts": [],
        "users": [
            "one",
            "two",
            "three"
        ]
    }
}

☠ ES PATCH _searchguard/api/rolesmapping/sg_role_test <<< '[{"op":"add","path":"/users","value":["four"]}]'
HTTP/1.1 200 OK
content-length: 51
content-type: application/json; charset=UTF-8

{
    "message": "'sg_role_test' updated.",
    "status": "OK"
}

☠ ES GET _searchguard/api/rolesmapping/sg_role_test
HTTP/1.1 200 OK
content-length: 121
content-type: application/json; charset=UTF-8

{
    "sg_role_test": {
        "and_backend_roles": [],
        "backend_roles": [],
        "description": "Migrated from v6",
        "hosts": [],
        "users": [
            "four"
        ]
    }
}

I was expecting that the user four be appended to the existing array, hence producing the users list ["one", "two", "three", "four"].

This is on a test cluster using search-guard-flx 1.0.0-beta-2-es-7.10.2.

JSON Patch with arrays is tricky to say the least. I think you have to specify an array index or - for the last element. So:

[{"op":"add","path":"/users/-","value": "four"}]

Thanks, I tried that:

{
    "reason": "Wrong datatype",
    "status": "error",
    "users": "Array expected"
}

BTW, the remove operation on one element removes all elements.

Hm, weird. I need some more time to take a look at this, will update you asap.

I just tested this with SG FLX 1.1.0:

sg@teal:~/tmp/n4$ curl -u admin:admin --insecure https://localhost:9200/_searchguard/api/rolesmapping/test
{"test":{"users":["a"]}}
sg@teal:~/tmp/n4$ curl -u admin:admin --insecure -X PATCH https://localhost:9200/_searchguard/api/rolesmapping/test --data '[{"op":"add","path":"/users/-","value": "four"}]'  -H "Content-Type: application/json" 
{"status":"OK","message":"'test' updated."}
sg@teal:~/tmp/n4$ curl -u admin:admin --insecure https://localhost:9200/_searchguard/api/rolesmapping/test
{"test":{"users":["a","four"]}}

So, it seems to work for me.

What version of SG are you using and what tooling?

Oh! What’s that dash in /users/-?

That refers to the last element of the array. In order to add to an array, you have to reference an element inside the array. Using 0 would insert after the first, using - inserts after the last.

Ah!
I might be wrong, but this - is documented neither in the RFC nor in the SG documentation.
In any case, I think it would be a good idea to add it to your doc.

Thanks for your repeated help, Nils!

Fabien

That’s true. Filed an issue for this: Better docs for JSON patch (#105) · Issues · search-guard / docs · GitLab
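
Added example (not part of the thread and not Search Guard's code): a minimal Python model of the RFC 6902 `add` and `remove` operations, showing why a patch on `/users` replaces the whole array while `/users/-` appends, plus a local pre-flight check that lists which users a patch would drop from a role mapping before it is sent. The names `apply_patch` and `dropped_users` are hypothetical, and `MAPPING` is a constructed copy of the mapping in the first post.

```python
import copy

def _walk(doc, pointer):
    """Resolve an RFC 6901 JSON Pointer to (parent container, final token)."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]
    if not tokens:
        raise ValueError("patching the document root is not handled here")
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    return parent, tokens[-1]

def apply_patch(doc, patch):
    """Apply RFC 6902 'add' and 'remove' operations to a copy of doc."""
    doc = copy.deepcopy(doc)
    for op in patch:
        parent, key = _walk(doc, op["path"])
        if op["op"] == "add":
            if isinstance(parent, list):
                # "-" means the position after the last element (append).
                idx = len(parent) if key == "-" else int(key)
                if not 0 <= idx <= len(parent):
                    raise IndexError("array index out of range: " + key)
                parent.insert(idx, op["value"])
            else:
                parent[key] = op["value"]  # an existing member is replaced
        elif op["op"] == "remove":
            if isinstance(parent, list):
                del parent[int(key)]
            else:
                del parent[key]
        else:
            raise ValueError("unsupported op: " + op["op"])
    return doc

def dropped_users(before, after):
    """Users present in the mapping before the patch but missing afterwards."""
    return sorted(set(before["users"]) - set(after["users"]))

# Constructed copy of the role mapping shown in the first post.
MAPPING = {"and_backend_roles": [], "backend_roles": [], "hosts": [],
           "description": "Migrated from v6", "users": ["one", "two", "three"]}

if __name__ == "__main__":
    replace = [{"op": "add", "path": "/users", "value": ["four"]}]
    append = [{"op": "add", "path": "/users/-", "value": "four"}]
    print(dropped_users(MAPPING, apply_patch(MAPPING, replace)))
    print(apply_patch(MAPPING, append)["users"])
```

Running the same comparison against the GET responses before and after a real PATCH gives a quick check that a role-mapping change removed nobody unintentionally.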