Questions on clientcert http_authenticator

Hi guys,

I have a question regarding clientcert.

The document says the authz is optional, so what roles will be assigned to a user who successfully authenticates via client cert? SG will pick up the CN part or something similar?

Thanks,

Enzo

If you don't use authz then you can assign roles "statically" through sg_roles_mapping.yml:

sg_mycoolrole:
  users:
    - "CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"

On 13.12.2016 at 05:31, Enzo Wang <enzowang.nz@gmail.com> wrote:

Hi guys,

I have a question regarding clientcert.

The document says the authz is optional, so what roles will be assigned to a user who successfully authenticates via client cert? SG will pick up the CN part or something similar?

Thanks,
Enzo

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/59e4d3b2-ece8-4128-8e7b-3fe4549992c5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks. But what if I don’t have a role defined in that file? Will sg then use a default role? If yes, what role will be used?

On Wed, 14 Dec 2016 at 02:39, SG <info@search-guard.com> wrote:

If you don’t use authz then you can assign roles “statically” through sg_roles_mapping.yml:

sg_mycoolrole:
  users:
    - "CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"


There is no implicit default role and the user is not allowed to do anything.

On 13.12.2016 at 20:25, Enzo Wang <enzowang.nz@gmail.com> wrote:

Thanks. But what if I don't have a role defined in that file? Will sg then use a default role? If yes, what role will be used?


Hi,

I wonder might it be possible to add the feature of a default role or roles for all authenticated users?

The context for the requirement is a setup with searchguard kerberos authc and ldap authz. As any user in the enterprise will be authenticated, we’d like to be able to provide some basic access without having to add thousands of enterprise users into an ldap group. (There is not currently any common group for all users).

Thanks for any advice,

Rob Fuller.

On Tuesday, December 13, 2016 at 8:27:06 PM UTC, Search Guard wrote:

There is no implicit default role and the user is not allowed to do anything.


Apologies (rtfm) it looks like this should work in sg_roles_mapping:

sg_public:
  users:
    - '*'

On Thursday, May 25, 2017 at 11:05:24 AM UTC+1, Rob Fuller wrote:

Hi,

I wonder might it be possible to add the feature of a default role or roles for all authenticated users?

The context for the requirement is a setup with searchguard kerberos authc and ldap authz. As any user in the enterprise will be authenticated, we’d like to be able to provide some basic access without having to add thousands of enterprise users into an ldap group. (There is not currently any common group for all users).

Thanks for any advice,

Rob Fuller.
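
A small model of the role resolution discussed in this thread, added as an example and not Search Guard's own code: it reads a mapping in the sg_roles_mapping.yml shape, returns the roles a username receives, and lists the roles that a bare '*' entry grants to every authenticated user. The function names and the simplified wildcard matching are assumptions made for illustration.

```python
import re

# Constructed sample in the shape of sg_roles_mapping.yml, combining the two
# entries posted in the thread (DN-mapped role plus the '*' catch-all).
SAMPLE = """\
sg_mycoolrole:
  users:
    - "CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"
sg_public:
  users:
    - '*'
"""

def parse_mapping(text):
    """Parse only the role -> users list shape shown above (not general YAML)."""
    mapping, role, in_users = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith(" "):        # top-level key is a role name
            role, in_users = line.rstrip(":"), False
            mapping[role] = []
        elif line == "users:":
            in_users = True
        elif line.endswith(":"):           # some other key under the role
            in_users = False
        elif in_users and line.startswith("- "):
            mapping[role].append(line[2:].strip().strip("\"'"))
    return mapping

def _matches(pattern, username):
    # Assumption: plain string comparison where '*' matches any run of
    # characters and '?' one character; no DN normalisation is modelled.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, username) is not None

def roles_for(mapping, username):
    """Roles mapped to this user; an empty set means no role, hence no access."""
    return {r for r, pats in mapping.items()
            if any(_matches(p, username) for p in pats)}

def catch_all_roles(mapping):
    """Roles handed to every authenticated user through a bare '*' entry."""
    return sorted(r for r, pats in mapping.items() if "*" in pats)
```

Running `catch_all_roles` over a mapping file before deployment shows which roles every authenticated principal will hold, which is worth reviewing whenever a '*' entry is introduced.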