OpenId multi-value roles not working as expected

Elasticsearch - 7.2.1
Kibana - 7.2.1

I am trying to use the OpenId Connect authentication and have the set the ‘roles_key: profile’ in the sg_config.yml
When I try to login with user 123456 who is part of 2 backend roles role_appA and role_appB, the user role is received through the access_token scope. But I still get an error while accessing Kibana
{"message":"no permissions for [indices:data/read/search] and User [name=123456, backend_roles=[role_appA], [role_appB], requestedTenant=]: [security_exception] no permissions for [indices:data/read/search] and User [name=123456, backend_roles=[role_appA], [role_appB], requestedTenant=]","statusCode":403,"error":"Forbidden"}

The backend_roles should be an array according to me and hence should look something like User [name=123456, backend_roles=[role_appA, role_appB], requestedTenant=]

I have also the correct role_mapping done in the searchguard configuration for role_appA.

Need help with this scenario.

Please attach your configuration files (strip out sensitive data before posting):

  • elasticsearch.yml
  • kibana.yml
  • sg_config.yml
  • sg_roles_mapping.yml
  • sg_internal_users.yml
  • sg_roles.yml

kibana.yml (1.2 KB)
sg_config.yml (11.3 KB)
sg_internal_users.yml (1.4 KB)
sg_roles.yml (1.5 KB)
sg_roles_mapping.yml (1000 Bytes)
elasticsearch.yml (1.6 KB)

Hello @hsaly,
I have attached the requested files for review.
In this particular scenario, the user with one role still works (tested). Only users who have multiple roles are having trouble.


There is no mapping for user “123456” in sg_roles_mapping.yml.

Can you “download” the configuration out of your cluster with “ -r …” and attach the files?
See Configuration Migration | Security for Elasticsearch | Search Guard

I have modified the data before posting. Below are additional custom role and role_mapping added through the rest API.

sg_roles_custom.yml (645 Bytes)
sg_roles_mapping_custom.yml (273 Bytes)

The user is not mapped directly, but the backend roles of the user are added in the following config.

It looks like the value of the “profile” claim is somehow strange.
Search Guard expects a comma separated list of roles like: rolea, roleb, rolec
Do you see any log entry on WARN level starting with “Expected type String or Collection for roles in the JWT” in your logs?

Can you pls check what the raw value of “profile” is or provide the JWT token?

I checked the raw value of “profile” and it is a comma separated string. But in the error message I get the profiles as 2 separate arrays.
I checked the logs and could not find any warning message.

Can you provide the full jwt token? (you can also mail it if you do not want to post them here, see Contact the Search Guard team - get in touch with us)

{"sub":"123456","profile":"[role_appA, role_appB]","display_name":"kumaravel","login":"123456","email":""}

This is the decode content of the userinfo data. Will this help?

This is wrong I guess. It should be either

{"sub":"123456","profile":["role_appA", "role_appB"],"display_name":"kumaravel","login":"123456","email":""}

Note the missing quotes around the profile value array


{"sub":"123456","profile":"role_appA, role_appB","display_name":"kumaravel","login":"123456","email":""}
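To make the difference between the three `profile` shapes in this thread concrete, here is an added example (not Search Guard's code, and not from any poster) that extracts backend roles from a userinfo document the way the thread describes, accepting either a JSON array of strings or a comma separated string, and then resolves them against a constructed role mapping. The `ROLE_MAPPING` names and the `looks_like_serialised_array` check are assumptions for illustration.

```python
import json
import logging

# Constructed sample mapping: backend role -> Search Guard role.
# Not the poster's real sg_roles_mapping.yml.
ROLE_MAPPING = {"role_appA": "sg_appA_reader", "role_appB": "sg_appB_reader"}


def looks_like_serialised_array(roles):
    """Heuristic (assumption): a roles string such as "[a, b]" that was
    split on commas leaves brackets glued to the first and last role."""
    return any(r.startswith("[") or r.endswith("]") for r in roles)


def extract_backend_roles(userinfo, roles_key):
    """Return the backend roles carried by the claim named by roles_key.

    Accepts the two shapes the thread calls correct: a JSON array of
    strings, or one comma separated string. Any other type is rejected
    with the message the thread says Search Guard logs at WARN level."""
    value = userinfo.get(roles_key)
    if value is None:
        return []
    if isinstance(value, list):
        if not all(isinstance(r, str) for r in value):
            raise TypeError("Expected type String or Collection for roles in the JWT")
        return [r.strip() for r in value if r.strip()]
    if isinstance(value, str):
        roles = [r.strip() for r in value.split(",") if r.strip()]
        if looks_like_serialised_array(roles):
            # This is the misconfiguration from the thread: the IdP sent the
            # array as text, so the brackets become part of the role names.
            logging.warning("claim %r looks like a stringified array: %r", roles_key, value)
        return roles
    raise TypeError("Expected type String or Collection for roles in the JWT")


def resolve_sg_roles(backend_roles):
    """Map backend roles to Search Guard roles; unmapped names yield nothing,
    which is why the bracketed roles end in a 403."""
    return sorted({ROLE_MAPPING[r] for r in backend_roles if r in ROLE_MAPPING})


def roles_for_userinfo(raw_json, roles_key="profile"):
    """Parse a userinfo JSON document and return (backend_roles, sg_roles)."""
    backend = extract_backend_roles(json.loads(raw_json), roles_key)
    return backend, resolve_sg_roles(backend)
```

Feeding it the bracketed string from the thread returns roles containing brackets and an empty Search Guard role set, while the array form and the plain comma separated form both resolve to the two mapped roles.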
