How to create a JWT to match the users in search guard

On printing roles from the REST api, I have:

```
"kibanaro" : {
  "hash" : "<SOME_HASH>",
  "roles" : [
    "kibanauser",
    "readall"
  ]
}
```

On the JWT side, I am using jwt.io to generate a payload, and in the payload section of the jwt.io I am using:

```json
{
  "name": "kibanaro",
  "iat": 1516239022,
  "exp": 1656723873,
  "sub": "kibanaro",
  "roles": "kibanauser, readall"
}
```

However, I get an error saying:

```
[2018-05-04T14:53:35,323][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from jwt http authenticator
[2018-05-04T14:53:35,324][DEBUG][c.f.s.a.BackendRegistry ] kibanaro not cached, return from noop backend directly
[2018-05-04T14:53:35,325][DEBUG][c.f.s.a.BackendRegistry ] User 'User [name=kibanaro, roles=, requestedTenant=null]' is authenticated
[2018-05-04T14:53:35,325][DEBUG][c.f.s.a.BackendRegistry ] sgtenant 'null'
[2018-05-04T14:53:35,326][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaro, roles=, requestedTenant=null] on elasticsearch
[2018-05-04T14:53:35,326][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/main from *************
[2018-05-04T14:53:35,326][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.main.MainRequest is not an IndicesRequest
[2018-05-04T14:53:35,327][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=]]
[2018-05-04T14:53:35,327][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaro: [sg_own_index]
[2018-05-04T14:53:35,328][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: 'null'
[2018-05-04T14:53:35,328][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-05-04T14:53:35,329][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index
[2018-05-04T14:53:35,329][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/write/reindex, indices:admin/aliases/exists, indices:admin/aliases*, indices:data/read/msearch, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2018-05-04T14:53:35,329][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'sg_own_index' and cluster:monitor/main, check next role
[2018-05-04T14:53:35,330][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=kibanaro, roles=, requestedTenant=null] [IndexType [index=_all, type=*]] [Action [[cluster:monitor/main]]] [RolesChecked [sg_own_index]]
[2018-05-04T14:53:35,330][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}
[2018-05-04T14:53:35,330][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for [cluster:monitor/main]
[2018-05-04T14:53:35,331][DEBUG][r.suppressed ] path: /, params: {}
org.elasticsearch.ElasticsearchSecurityException: no permissions for [cluster:monitor/main] and User [name=kibanaro, roles=, requestedTenant=null]
```

It's not yet possible to combine JWT and the internal authorization backend.
We are working on this here: https://github.com/floragunncom/search-guard/pull/475

So currently you need to add your roles to the JWT token or use LDAP to assign roles.

···

On Friday, 4 May 2018 16:56:06 UTC+2, .mni wrote:

(quoted the original post above in full)

So, how do I properly add my roles to the JWT token? I have not been able to do this successfully either.

If this is your JWT token:

```json
{
  "name": "kibanaro",
  "iat": 1516239022,
  "exp": 1656723873,
  "sub": "kibanaro",
  "roles": "kibanauser, readall"
}
```

Then you already have two roles in it. You just need to tell Search Guard under which key they can be found. So for the JWT above you would need to configure:

```yaml
jwt_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "..."
      jwt_header: "Authorization"
      roles_key: roles
      subject_key: sub
  authentication_backend:
    type: noop
```

···

On Monday, May 7, 2018 at 4:17:03 PM UTC+2, .mni wrote:

(quoted the previous post above)
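As an added example (not code from this thread and not Search Guard's own implementation, which is Java), the following Python script shows the claim mapping that the `roles_key` / `subject_key` settings above describe. It mints the thread's payload as an HS256 token with the standard library, then verifies it and builds the user twice: once with no `roles_key` configured, which yields an authenticated user with no roles (the `roles=` in the log above), and once with `roles_key: roles`, which yields `kibanauser` and `readall`. The roles claim is accepted either as a comma-separated string, as in the thread's payload, or as a JSON array. The HMAC secret, the `CHECK_TIME` timestamp and the function names `mint_hs256` and `map_user` are constructed for this example and are not Search Guard identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed for this example: an HS256 secret and the payload from the thread.
SECRET = b"example-hs256-secret-constructed-for-this-thread"
THREAD_PAYLOAD = {
    "name": "kibanaro",
    "iat": 1516239022,
    "exp": 1656723873,
    "sub": "kibanaro",
    "roles": "kibanauser, readall",
}
# Constructed "now" that falls inside the token's validity window (May 2018).
CHECK_TIME = 1525435200


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS compact serialisation requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: Dict, secret: bytes) -> str:
    """Sign a payload with HS256 and return the compact token (header.payload.sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def map_user(token: str, secret: bytes, subject_key: str = "sub",
             roles_key: Optional[str] = None,
             now: Optional[int] = None) -> Dict[str, object]:
    """Verify the token and build the user the way subject_key/roles_key direct.

    Hypothetical stand-in for the authenticator's claim mapping: the subject
    comes from subject_key; roles come from roles_key and may be a JSON array
    or a comma-separated string. With no roles_key configured the user ends
    up with no roles at all, which is what 'roles=' in the thread's log means.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier pins the algorithm; the token does not get to choose it.
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    if subject_key not in claims:
        raise ValueError("subject claim %r missing" % subject_key)
    roles: List[str] = []
    if roles_key is not None:
        raw = claims.get(roles_key, [])
        if isinstance(raw, str):
            raw = raw.split(",")
        roles = [r.strip() for r in raw if r.strip()]
    return {"name": str(claims[subject_key]), "roles": roles}


if __name__ == "__main__":
    token = mint_hs256(THREAD_PAYLOAD, SECRET)
    # Without roles_key: authenticated, but no roles (the thread's failure mode).
    print(map_user(token, SECRET, now=CHECK_TIME))
    # With roles_key: the roles the thread's config intends.
    print(map_user(token, SECRET, roles_key="roles", now=CHECK_TIME))
```

Note that with `authentication_backend: type: noop`, the signature and `exp` check are the only things standing between a request and an authenticated user, so the signing key in `signing_key` is the credential that matters; the noop backend adds nothing of its own, which is why the thread's user was "authenticated" with an empty role list.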

Thank you, the docs had an example of using null fields and that confused me. It works now with your directions 🙂