How to authorize a user using LDAP groups dynamically

Hi!

I am trying to configure ldap authentication and authorization with searchguard (version: 6.6, currently on trial) on my elastic cluster (6.6) for our application.

Each document in our cluster contains a field called “authorization”: a list with user/group names authorized to view the document.

Our sg_roles_mapping.yml contains the following rule:

```yaml
sg_client_read_only:
  users:
    - '*'
```

How the role is currently configured in sg_roles.yml:

```yaml
sg_client_read_only:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    'my_index':
      '*':
        - '*'
      _dls_: '{"terms": {"authorized": ["${user.name}"]}}'
```

This configuration allows us to get access to all documents if the current user is in the authorized list.

Is it possible to add group support from our ldap using dls query? (In case I have a group with my user as a member in the authorized list I would like to be able to view it although the username won’t be explicitly given)

Thanks!!

Group support is also possible, see https://docs.search-guard.com/latest/document-level-security#user-roles :

```yaml
management:
  indices:
    'humanresources':
      'employees':
        - '*'
      _dls_: '{"terms" : { "role" : [${user.roles}]}}'
```

Before the DLS query is applied to the result set, ${user.roles} is replaced with a comma-delimited list of the backend roles (=ldap roles/groups) of the current user.

On Wednesday, 13 March 2019 14:26:44 UTC+1, vostrodello15@gmail.com wrote:
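The placeholder expansion described in the reply above, as an added example that is not Search Guard's code: a small Python simulation that renders a DLS template for a given user and backend-role list, then evaluates the resulting terms/bool query against constructed sample documents, so the effective query and its hits can be checked locally before comparing against what the debug log shows. It assumes each role in ${user.roles} is emitted quoted (inferred from the docs' own `[${user.roles}]` template, which has no surrounding quotes) and goes beyond the page by adding a combined name-or-group query for an authorized list that mixes user and group names, as in the original post.

```python
import json

# Constructed sample documents: each carries an "authorized" list mixing
# user names and LDAP group names, as described in the original post.
DOCS = [
    {"id": 1, "authorized": ["alice"]},
    {"id": 2, "authorized": ["finance"]},
    {"id": 3, "authorized": ["bob", "hr"]},
    {"id": 4, "authorized": []},
]

# DLS templates: the poster's name-only query, the docs' roles query, and a
# combined bool/should query (assumption, not from the page) for mixed lists.
NAME_ONLY = '{"terms": {"authorized": ["${user.name}"]}}'
ROLES_ONLY = '{"terms": {"authorized": [${user.roles}]}}'
NAME_OR_ROLE = ('{"bool": {"should": ['
                '{"terms": {"authorized": ["${user.name}"]}}, '
                '{"terms": {"authorized": [${user.roles}]}}]}}')


def render_dls(template: str, user: str, roles: list) -> dict:
    """Expand ${user.name} and ${user.roles}, then parse the result as JSON.
    ${user.roles} becomes a comma-delimited list of backend roles. That each
    role is quoted is an assumption based on the docs writing [${user.roles}]
    with no surrounding quotes; a user with no roles yields [] (matches nothing).
    """
    roles_list = ", ".join(json.dumps(r) for r in roles)
    rendered = template.replace("${user.name}", user)
    rendered = rendered.replace("${user.roles}", roles_list)
    return json.loads(rendered)  # raises if the template is not valid JSON


def matches(query: dict, doc: dict) -> bool:
    """Evaluate the query subset used here: 'terms' hits if any listed value is
    in the document field; 'bool' needs every 'must' and at least one 'should'."""
    if "terms" in query:
        (field, values), = query["terms"].items()
        return any(v in doc.get(field, []) for v in values)
    if "bool" in query:
        clause = query["bool"]
        must_ok = all(matches(q, doc) for q in clause.get("must", []))
        should = clause.get("should", [])
        return must_ok and (not should or any(matches(q, doc) for q in should))
    raise ValueError("unsupported clause: %s" % list(query))


def visible_ids(template: str, user: str, roles: list) -> list:
    """Ids of the sample documents this user would be allowed to read."""
    query = render_dls(template, user, roles)
    return [d["id"] for d in DOCS if matches(query, d)]
```

For example, render_dls(ROLES_ONLY, "alice", ["finance", "hr"]) yields {"terms": {"authorized": ["finance", "hr"]}}, which is the shape to compare against the statement logged at debug level.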

Is there a way for me to actually see the _dls_ query as sent to the elastic, as I can’t seem to configure everything right using user.roles?

On Sunday, 17 March 2019 at 21:12:19 UTC+2, Search Guard wrote:


On debug loglevel you might see the statement:

Can you post your sg_roles.yml? Maybe it's a syntax problem?


On 20.03.2019 at 10:59, vostrodello15@gmail.com wrote:


--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.