Limit authentication to a couple {user, host} - Is it possible?

Hello,

Simple question: is it possible with Search Guard to limit the authentication of a user to a list of well-defined hosts? Like in MySQL, where authentication can be based on the couple {user, host}.

I see that authentication based on hosts or users can be performed, but AFAIK the operator in the “users-roles” mapping is an OR operator, i.e. not an AND operator.

Thanks.

No, this should be done via a firewall


On 30.01.2019 at 11:31, S. <sguyomarch86@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/6af9801f-6425-4a8f-a0ce-1d15e57ed81e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

OK, thanks for your feedback.

FYI, my use case was to prevent developers from misconfiguring their applications in production.

They have:

  • a batch, executed on a machine “host_batch”, that has R/W access to some indexes using login “user_rw”
  • a web application, executed on another machine “host_webapp”, that has RO access to these same indexes using login “user_ro”

Unfortunately, firewall rules cannot prevent this kind of misconfiguration (e.g. webapp using “user_rw”). They only prevent developers from using their production credentials from their development machines.

Maybe the couple {login, IP/hostname} could be an evolution in the Search Guard configuration.


On Sunday, February 3, 2019 15:45:23 UTC+1, Search Guard wrote:


Maybe the following approach works:

  1. Configure one role that has RO permissions to the indices. This is the one your webapp will use.

  2. In addition, create a second role that has additional WRITE permissions for the same indices.

In the roles_mapping.yml, map your webapp users to the RO role (only). You can do that by username or by backend role. Then create a second entry in roles_mapping.yml that maps the hostname of your “host_batch” machine to the second role that has WRITE access.

The effect would be that whenever a user logs in from the host_batch machine, the second role with WRITE access is added to the list of the user's roles.

Is that the use case you are trying to implement?
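The two-role approach from this reply written out as a concrete configuration. This is an added example, not from the thread or from Search Guard's own documentation; it uses the Search Guard 6.x-style sg_roles.yml / sg_roles_mapping.yml layout, and the role names, the `app_*` index pattern and the user/host names are assumptions taken from the use case S. described.

```yaml
# Added example (not from the thread). Search Guard 6.x-style config for the
# "RO role by user, WRITE role by host" approach. Role names, the index
# pattern "app_*" and the key layout are assumptions; check them against the
# sgconfig format of the Search Guard version you run.

# --- sg_roles.yml -----------------------------------------------------------
# Role 1: read-only access to the application indices (used by the webapp).
sg_app_readonly:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO   # composite read ops such as mget/msearch
  indices:
    'app_*':
      '*':
        - READ

# Role 2: the additional write permissions on the very same indices.
sg_app_write:
  cluster:
    - CLUSTER_COMPOSITE_OPS      # composite write ops such as bulk
  indices:
    'app_*':
      '*':
        - WRITE

# --- sg_roles_mapping.yml ---------------------------------------------------
# Map BOTH application logins to the read-only role by username only.
# A login on its own therefore never yields write access, wherever it
# connects from.
sg_app_readonly:
  users:
    - user_ro
    - user_rw

# Map the write role by connecting host, not by username: it is added to
# whichever user authenticates from host_batch. host_webapp is not listed,
# so a webapp misconfigured with user_rw still ends up with READ only.
sg_app_write:
  hosts:
    - host_batch
```

The hosts entry is matched against the address the request arrives from, so if batch traffic passes through a proxy or load balancer the mapping will see that intermediary rather than host_batch.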


On Thursday, February 14, 2019 at 10:18:50 AM UTC+1, S. wrote:
