Proxy Authorization and user attributes

I would like to use proxy authorization and user attributes at the same time. I've tried the following configuration:

  sg_config.yml: |
    ---
    _sg_meta:
      type: config
      config_version: 2
    sg_config:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: true
            internalProxies: .+
            remoteIpHeader: x-forwarded-for
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          proxy_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: x-proxy-user
            authentication_backend:
              type: noop
          clientcert_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 2
            http_authenticator:
              challenge: false
              type: clientcert
              config:
                username_attribute: cn
            authentication_backend:
              type: noop
        authz:
          internal_authz_domain:
            http_enabled: true
            transport_enabled: true
            authorization_backend:
                type: internal
  sg_internal_users.yml: |
    ---
    _sg_meta:
      type: internalusers
      config_version: 2
    mgorniew:
      hash: $2y$12$Q647Sg513AhsQ.57/ZDrfuO59iyiGxOhPiBAXgH5obnPuz2gtqfr.
      backend_roles:
      - namespace_user
      attributes:
        namespace: "test|test2"

Now, on the first request (after configuration reload), I see the custom attributes defined:

curl -k https://elasticsearch.paas:9200/_searchguard/authinfo -H "x-proxy-user: mgorniew" -H "x-forwarded-for: 127.0.01"
{"user":"User [name=mgorniew, roles=[namespace_user], requestedTenant=null]","user_name":"mgorniew","user_requested_tenant":null,"remote_address":"127.0.0.1:60168","backend_roles":["namespace_user"],"custom_attribute_names":["attr.internal.namespace"],"sg_roles":["NAMESPACE_INDEX_ALL"],"sg_tenants":{"mgorniew":true},"principal":null,"peer_certificates":"0","sso_logout_url":null}

On the second and subsequent requests, I don't see the attributes anymore:

curl -k https://elasticsearch.paas:9200/_searchguard/authinfo -H "x-proxy-user: mgorniew" -H "x-forwarded-for: 127.0.01"
{"user":"User [name=mgorniew, roles=[namespace_user], requestedTenant=null]","user_name":"mgorniew","user_requested_tenant":null,"remote_address":"127.0.0.1:33194","backend_roles":["namespace_user"],"custom_attribute_names":,"sg_roles":["NAMESPACE_INDEX_ALL"],"sg_tenants":{"mgorniew":true},"principal":null,"peer_certificates":"0","sso_logout_url":null}

Is there any way to configure this? Maybe by putting the attributes in HTTP headers? I would like to use the attributes in variable substitution.

Thanks,
Michal
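A hardening note on the http.xff block in the configuration above, added here and not part of the original post: internalProxies: .+ marks every source address as a trusted proxy, so the x-proxy-user and x-forwarded-for headers are honoured from any client that can reach the cluster, not only from the authenticating proxy. The corrected fragment below restricts the regex to the proxy's own addresses (10.0.0.10 and 10.0.0.11 are constructed sample values); the rest of sg_config.yml is unchanged.

```yaml
# Weak: ".+" matches any address, so every client is an "internal proxy"
# and the proxy_auth_domain accepts a user header from anywhere.
xff:
  enabled: true
  internalProxies: .+
  remoteIpHeader: x-forwarded-for
---
# Corrected: only the authenticating proxy (constructed sample addresses)
# is trusted. Requests arriving from any other address are not treated as
# proxied, so the proxy domain does not accept the headers from them and
# authentication falls through to basic_internal_auth_domain.
xff:
  enabled: true
  internalProxies: '10\.0\.0\.10|10\.0\.0\.11'
  remoteIpHeader: x-forwarded-for
```

After the change, the authinfo call from a non-proxy address should no longer report the proxied user, which is a quick way to confirm the restriction took effect.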

Proxy auth does not support user attributes in that way.

Can you elaborate a bit more on your use case?

I would like to give users access to certain indexes based on user attributes or roles, like in the example provided in the documentation:

sg_own_index:
  cluster_permissions:
    - CLUSTER_COMPOSITE_OPS
  index_permissions:
    - index_patterns:
      - '${attr_internal_department}'
      allowed_actions:
        - SGS_CRUD

The easiest way for me would be to pass those attributes from the authentication proxy via a header. In that case I would be able to define a static configuration for Search Guard with only one role/role mapping and let the authentication/authorization proxy decide which indexes users have permission to.

Makes sense. Can you file a feature request for attribute support with proxy authentication here: Issues · floragunncom/search-guard · GitHub
