Hi,
I am evaluating Search Guard on my local machine with the bundle elasticsearch-5.1.1-10-8BCFA2D1-34F6-4A0F-BEA8-9F3ACA113B38.
When accessing https://localhost:9200/_searchguard/api/user/worf I get
{"worf" : {"hash" : "$2a$12$A41IxPXV1/Dx46C6i1ufGubv.p3qYX7xVcY46q33sylYbIqQVwTMu" }}
and with https://localhost:9200/_searchguard/api/rolesmapping/sg_role_starfleet:
{ "sg_role_starfleet" : {"backendroles" : ["starfleet","captains","defectors","cn=ldaprole,ou=groups,dc=example,dc=com" ],"hosts" : [ "*.starfleetintranet.com"],"users" : ["worf"]}}
The first API call shows no roles for user worf, while the second claims he has sg_role_starfleet. Is that a bug or by intention, or is it possible that I have somehow misconfigured my system?
We are not yet sure which approach for rights management to choose.
We want to avoid building a frontend for user and rights management and choose something where changes can be managed by other tools.
One idea would be to use LDAP. Is it possible to access the roles of a given user via the Search Guard management API when using an LDAP backend for authorization?
The alternative idea is to handle everything with client certificates. If we do that, is it enough to define which field shall be used as the user name, or must this user name then be configured in the internal user database? Same question for roles and rights. We would want to map the Organizational Unit Name to a role to avoid reconfiguring Search Guard for each change in the user base. Is that possible?
This leads to the next question: must one restart Search Guard/Elasticsearch when replacing/changing truststore.jks?
best,
Meike
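The two responses quoted in the post show the user document and a rolesmapping document separately; the mapping from a user to roles is only visible by inverting the rolesmapping documents. The following added example (not code from the post or from the Search Guard project) takes the sg_role_starfleet document exactly as quoted above, adds one hypothetical second mapping (sg_role_klingons, an assumption for illustration), and computes which roles a caller would be mapped to by user name, backend role, or host pattern. The host-pattern matching with fnmatch and the caller inputs (backend roles, hostname) are assumptions of this example, not something the post confirms about Search Guard's own matching rules.

```python
"""Invert Search Guard rolesmapping documents to list the roles a user maps to.

Added example, not part of the original post. The sg_role_starfleet document is
the one quoted in the post; sg_role_klingons and the caller inputs used in the
usage section are constructed for illustration.
"""
import fnmatch
import json

# Constructed sample input: the rolesmapping document from the post plus one
# hypothetical extra mapping (sg_role_klingons is an assumption).
ROLESMAPPING_JSON = """
{
  "sg_role_starfleet": {
    "backendroles": ["starfleet", "captains", "defectors",
                     "cn=ldaprole,ou=groups,dc=example,dc=com"],
    "hosts": ["*.starfleetintranet.com"],
    "users": ["worf"]
  },
  "sg_role_klingons": {
    "backendroles": ["klingons"],
    "hosts": [],
    "users": []
  }
}
"""


def load_rolesmapping(text=ROLESMAPPING_JSON):
    """Parse a rolesmapping document of the shape returned by the REST API."""
    return json.loads(text)


def explain_roles(rolesmapping, user, backend_roles=(), host=None):
    """Return {role: [reasons]} for every mapping that applies to the caller.

    A mapping applies if the user name is listed in "users", any of the
    caller's backend roles is listed in "backendroles", or the caller's
    hostname matches one of the "hosts" patterns. Pattern matching here uses
    fnmatch with case-sensitive comparison; this is an assumption of the
    example, not a statement about Search Guard's own matcher.
    """
    backend = set(backend_roles)
    result = {}
    for role, mapping in rolesmapping.items():
        reasons = []
        if user in mapping.get("users", []):
            reasons.append("user:%s" % user)
        for br in sorted(backend & set(mapping.get("backendroles", []))):
            reasons.append("backendrole:%s" % br)
        if host is not None:
            for pat in mapping.get("hosts", []):
                if fnmatch.fnmatchcase(host, pat):
                    reasons.append("host:%s" % pat)
        if reasons:
            result[role] = sorted(reasons)
    return result


def roles_for(rolesmapping, user, backend_roles=(), host=None):
    """Return the sorted list of roles the caller is mapped to."""
    return sorted(explain_roles(rolesmapping, user, backend_roles, host))


if __name__ == "__main__":
    rm = load_rolesmapping()
    # worf is listed directly in "users", so he gets sg_role_starfleet even
    # though his internal user document above carries no roles of its own.
    print(roles_for(rm, "worf"))
    # A caller known only by backend role and hostname (constructed inputs).
    print(explain_roles(rm, "gowron", backend_roles=["klingons"],
                        host="ops.starfleetintranet.com"))
```

Running the script with the quoted document shows that worf's membership in sg_role_starfleet comes from the mapping's "users" list, which is why it does not appear in the user document itself; a backend role such as one supplied by an LDAP group DN, or an OU-derived backend role from a client certificate, would match through the "backendroles" list in the same way.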