I would like to use proxy authorization and user attributes at the same time. I've tried the following configuration:
sg_config.yml: |
  ---
  _sg_meta:
    type: config
    config_version: 2
  sg_config:
    dynamic:
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: true
          internalProxies: .+
          remoteIpHeader: x-forwarded-for
      authc:
        basic_internal_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: internal
        proxy_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: proxy
            challenge: false
            config:
              user_header: x-proxy-user
          authentication_backend:
            type: noop
        clientcert_auth_domain:
          http_enabled: false
          transport_enabled: false
          order: 2
          http_authenticator:
            challenge: false
            type: clientcert
            config:
              username_attribute: cn
          authentication_backend:
            type: noop
      authz:
        internal_authz_domain:
          http_enabled: true
          transport_enabled: true
          authorization_backend:
            type: internal
sg_internal_users.yml: |
  ---
  _sg_meta:
    type: internalusers
    config_version: 2
  mgorniew:
    hash: $2y$12$Q647Sg513AhsQ.57/ZDrfuO59iyiGxOhPiBAXgH5obnPuz2gtqfr.
    backend_roles:
      - namespace_user
    attributes:
      namespace: "test|test2"
Now, on the first request (after configuration reload), I see the custom attributes defined:
curl -k https://elasticsearch.paas:9200/_searchguard/authinfo -H "x-proxy-user: mgorniew" -H "x-forwarded-for: 127.0.01"
{"user":"User [name=mgorniew, roles=[namespace_user], requestedTenant=null]","user_name":"mgorniew","user_requested_tenant":null,"remote_address":"127.0.0.1:60168","backend_roles":["namespace_user"],"custom_attribute_names":["attr.internal.namespace"],"sg_roles":["NAMESPACE_INDEX_ALL"],"sg_tenants":{"mgorniew":true},"principal":null,"peer_certificates":"0","sso_logout_url":null}
On the second and subsequent requests, I don't see the attributes anymore:
curl -k https://elasticsearch.paas:9200/_searchguard/authinfo -H "x-proxy-user: mgorniew" -H "x-forwarded-for: 127.0.01"
{"user":"User [name=mgorniew, roles=[namespace_user], requestedTenant=null]","user_name":"mgorniew","user_requested_tenant":null,"remote_address":"127.0.0.1:33194","backend_roles":["namespace_user"],"custom_attribute_names":,"sg_roles":["NAMESPACE_INDEX_ALL"],"sg_tenants":{"mgorniew":true},"principal":null,"peer_certificates":"0","sso_logout_url":null}
Is there any way to configure this? Maybe put attributes in HTTP headers? I would like to use attributes in variable substitution.
Thanks,
Michal
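The behaviour described in the post (attributes present on the first authinfo call, gone on the next) is easy to miss by eye, so here is a small regression check that parses the authinfo responses and flags any request where an expected `attr.internal.*` name is missing. This is an added example, not code from the post or from Search Guard: the endpoint URL, header names, user and attribute name are taken from the post, the two sample responses are constructed from the output shown there (with `[]` standing in for the empty `custom_attribute_names` value of the second response), and the helper names are my own.

```python
"""Regression check: do Search Guard authinfo responses keep reporting
user attributes across repeated proxy-authenticated requests?

Added example. Endpoint, headers and attribute name come from the forum
post; the helper functions are illustrative, not a Search Guard API."""
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Values from the post (the host is the poster's own, used only as a default).
AUTHINFO_URL = "https://elasticsearch.paas:9200/_searchguard/authinfo"
PROXY_USER_HEADER = "x-proxy-user"
FORWARDED_FOR_HEADER = "x-forwarded-for"
EXPECTED_ATTRIBUTES = ["attr.internal.namespace"]

# Constructed samples: the first and second response shown in the post.
# "[]" stands in for the empty custom_attribute_names value of the second one.
FIRST_RESPONSE = """{"user":"User [name=mgorniew, roles=[namespace_user], requestedTenant=null]",
"user_name":"mgorniew","user_requested_tenant":null,"remote_address":"127.0.0.1:60168",
"backend_roles":["namespace_user"],"custom_attribute_names":["attr.internal.namespace"],
"sg_roles":["NAMESPACE_INDEX_ALL"],"sg_tenants":{"mgorniew":true},"principal":null,
"peer_certificates":"0","sso_logout_url":null}"""

SECOND_RESPONSE = """{"user":"User [name=mgorniew, roles=[namespace_user], requestedTenant=null]",
"user_name":"mgorniew","user_requested_tenant":null,"remote_address":"127.0.0.1:33194",
"backend_roles":["namespace_user"],"custom_attribute_names":[],
"sg_roles":["NAMESPACE_INDEX_ALL"],"sg_tenants":{"mgorniew":true},"principal":null,
"peer_certificates":"0","sso_logout_url":null}"""


def parse_authinfo(body: str) -> Dict:
    """Reduce an authinfo JSON body to the fields the check cares about.
    A missing or null custom_attribute_names is treated as an empty list."""
    info = json.loads(body)
    return {
        "user_name": info.get("user_name"),
        "backend_roles": list(info.get("backend_roles") or []),
        "sg_roles": list(info.get("sg_roles") or []),
        "attribute_names": list(info.get("custom_attribute_names") or []),
    }


def missing_attributes(info: Dict, expected: List[str]) -> List[str]:
    """Names from `expected` that the parsed response does not report."""
    return [name for name in expected if name not in info["attribute_names"]]


def check_attribute_stability(bodies: List[str], expected: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, findings). ok is False if any response in the sequence
    lacks one of the expected attributes; findings name the offending requests."""
    findings = []
    for number, body in enumerate(bodies, start=1):
        info = parse_authinfo(body)
        missing = missing_attributes(info, expected)
        if missing:
            findings.append(
                f"request {number}: user {info['user_name']} is missing attributes {missing}"
            )
    return (not findings, findings)


def fetch_authinfo(user: str, forwarded_for: str, url: str = AUTHINFO_URL,
                   insecure: bool = False) -> str:
    """One proxy-authenticated authinfo request, returning the raw body.
    Not used by the offline self-check. TLS verification stays on unless
    insecure=True (the equivalent of the post's `curl -k`)."""
    req = urllib.request.Request(
        url, headers={PROXY_USER_HEADER: user, FORWARDED_FOR_HEADER: forwarded_for}
    )
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the two constructed samples reproduces the post's finding.
    ok, findings = check_attribute_stability([FIRST_RESPONSE, SECOND_RESPONSE], EXPECTED_ATTRIBUTES)
    print("stable" if ok else "attributes lost:")
    for line in findings:
        print("  " + line)
```

Against a live cluster, replace the two sample bodies with a list built from repeated `fetch_authinfo(...)` calls for the same user; the check then tells you on which request the attributes disappeared, which is the evidence you want when reporting the issue or verifying a fix.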