Hi,
I am still trying to work through our PoC with SG, using JWT.
I have now been able to authenticate through JWT, but although we are passing a role through, and can see it in the ES logs, it's not evaluated. If I add the username to the sg_roles_mapping.yml then it works.
sg_roles_mapping.yml
00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa:
  users:
    - 2f55955c816744f4b4d009a1ee774ffa
tail -f /mnt/logs/elasticsearch.log | grep 2f55955c816744f4b4d009a1ee774ffa shows this; you can see that the role is mapped from the sg_roles_mapping file.
[2017-11-13T02:44:06,014][DEBUG][c.f.s.a.BackendRegistry ] User ‘2f55955c816744f4b4d009a1ee774ffa’ is in cache? false (cache size: 2)
[2017-11-13T02:44:06,019][DEBUG][c.f.s.a.BackendRegistry ] 2f55955c816744f4b4d009a1ee774ffa not cached, return from noop backend directly
[2017-11-13T02:44:06,019][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=2f55955c816744f4b4d009a1ee774ffa, roles=[00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa]]’ is authenticated
[2017-11-13T02:44:06,020][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=2f55955c816744f4b4d009a1ee774ffa, roles=[00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa]]
[2017-11-13T02:44:06,020][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for 2f55955c816744f4b4d009a1ee774ffa: [00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa, sg_own_index, sg_public]
[2017-11-13T02:44:06,020][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: 00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa
[2017-11-13T02:44:06,021][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa.?kibana’, evaluate other roles
[2017-11-13T02:44:06,021][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers 00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa=>
[2017-11-13T02:44:06,021][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve and match 2f55955c816744f4b4d009a1ee774ffa
[2017-11-13T02:44:06,021][DEBUG][c.f.s.c.PrivilegesEvaluator] no permittedAliasesIndex ‘2f55955c816744f4b4d009a1ee774ffa’ found for ‘indices:data/read/search’
[2017-11-13T02:44:06,021][DEBUG][c.f.s.c.PrivilegesEvaluator] permittedAliasesIndices ‘{2f55955c816744f4b4d009a1ee774ffa=org.elasticsearch.common.settings.Settings@37b8cba5}’ → ‘{*.0=INDICES_ALL}’
[2017-11-13T02:44:06,022][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved permitted aliases indices for 2f55955c816744f4b4d009a1ee774ffa: [2f55955c816744f4b4d009a1ee774ffa]
[2017-11-13T02:44:06,022][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for 2f55955c816744f4b4d009a1ee774ffa, will check now types [*]
[2017-11-13T02:44:06,022][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action indices:data/read/search against 2f55955c816744f4b4d009a1ee774ffa/: [indices:]
[2017-11-13T02:44:06,022][DEBUG][c.f.s.c.PrivilegesEvaluator] no match 2f55955c816744f4b4d009a1ee774ffa* in [IndexType [index=.kibana, type=*]]
[2017-11-13T02:44:06,022][DEBUG][c.f.s.c.PrivilegesEvaluator] For index 2f55955c816744f4b4d009a1ee774ffa remaining requested indextype: [IndexType [index=.kibana, type=*]]
If I remove the line from that mapping, although the role is still sent through the JWT token, it's not evaluated.
tail -f /mnt/logs/elasticsearch.log | grep 2f55955c816744f4b4d009a1ee774ffa
[2017-11-13T02:40:38,300][DEBUG][c.f.s.a.BackendRegistry ] User ‘2f55955c816744f4b4d009a1ee774ffa’ is in cache? true (cache size: 4)
[2017-11-13T02:40:38,300][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=2f55955c816744f4b4d009a1ee774ffa, roles=[00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa]]’ is authenticated
[2017-11-13T02:40:38,300][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=2f55955c816744f4b4d009a1ee774ffa, roles=[00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa]]
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for 2f55955c816744f4b4d009a1ee774ffa: [sg_own_index, sg_public]
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve and match 2f55955c816744f4b4d009a1ee774ffa
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] no permittedAliasesIndex ‘2f55955c816744f4b4d009a1ee774ffa’ found for ‘indices:data/read/search’
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] permittedAliasesIndices ‘{2f55955c816744f4b4d009a1ee774ffa=org.elasticsearch.common.settings.Settings@37b8cba5}’ → ‘{*.0=INDICES_ALL}’
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved permitted aliases indices for 2f55955c816744f4b4d009a1ee774ffa: [2f55955c816744f4b4d009a1ee774ffa]
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for 2f55955c816744f4b4d009a1ee774ffa, will check now types [*]
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action indices:data/read/search against 2f55955c816744f4b4d009a1ee774ffa/: [indices:]
[2017-11-13T02:40:38,301][DEBUG][c.f.s.c.PrivilegesEvaluator] no match 2f55955c816744f4b4d009a1ee774ffa* in [IndexType [index=.kibana, type=*]]
[2017-11-13T02:40:38,302][DEBUG][c.f.s.c.PrivilegesEvaluator] For index 2f55955c816744f4b4d009a1ee774ffa remaining requested indextype: [IndexType [index=.kibana, type=*]]
[2017-11-13T02:40:38,302][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=2f55955c816744f4b4d009a1ee774ffa, roles=[00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa]] [IndexType [index=.kibana, type=*]] [Action [indices:data/read/search]] [RolesChecked [sg_own_index, sg_public]]
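As an added example (not part of the post above and not Search Guard's own code), the Python model below shows how an sg_roles_mapping.yml entry is resolved against an authenticated user: a `users:` list is matched against the user name, whereas the roles carried in the JWT (the `roles=[...]` shown in the log lines) are backend roles and are matched by a `backendroles:` list. The user and role identifiers are the ones from the log above; the mapping dicts, the `map_roles` helper and the two `mapping_with_*` builders are constructed stand-ins for the YAML file, and host matching is left out.

```python
from fnmatch import fnmatchcase

# Identifiers copied from the log lines in the post; the mappings below are
# constructed stand-ins for sg_roles_mapping.yml, not the poster's real file.
USER = "2f55955c816744f4b4d009a1ee774ffa"
JWT_ROLE = "00f679b4eec54b1ba8662c5895a4237a2f55955c816744f4b4d009a1ee774ffa"

# The stock mapping file gives every user sg_own_index and sg_public via
# users: ['*'], which is why those two roles appear in both log excerpts.
DEFAULT_MAPPING = {
    "sg_own_index": {"users": ["*"]},
    "sg_public": {"users": ["*"]},
}


def _any_match(patterns, values):
    """True if any wildcard pattern matches any of the candidate values."""
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def map_roles(user, backend_roles, mapping):
    """Resolve Search Guard roles for an authenticated user (hypothetical model).

    mapping: {sg_role: {"users": [...], "backendroles": [...]}}
    An sg role is granted when its users: entry matches the user name or its
    backendroles: entry matches one of the backend roles (here: the JWT roles).
    Returns a sorted list so results are stable for comparison.
    """
    mapped = set()
    for sg_role, entry in mapping.items():
        if _any_match(entry.get("users", []), [user]):
            mapped.add(sg_role)
        elif _any_match(entry.get("backendroles", []), backend_roles):
            mapped.add(sg_role)
    return sorted(mapped)


def mapping_with_user_entry():
    """Mapping as in the post: the JWT role name mapped via users: <username>."""
    mapping = dict(DEFAULT_MAPPING)
    mapping[JWT_ROLE] = {"users": [USER]}
    return mapping


def mapping_with_backendrole_entry():
    """Mapping that matches the JWT role itself via backendroles:."""
    mapping = dict(DEFAULT_MAPPING)
    mapping[JWT_ROLE] = {"backendroles": [JWT_ROLE]}
    return mapping


if __name__ == "__main__":
    cases = [
        ("users: entry present", mapping_with_user_entry()),
        ("entry removed (defaults only)", DEFAULT_MAPPING),
        ("backendroles: entry", mapping_with_backendrole_entry()),
    ]
    for label, mapping in cases:
        print(f"{label}: mapped roles for {USER}: {map_roles(USER, [JWT_ROLE], mapping)}")
```

Running it, the first case yields the same three roles as the first log excerpt, the second case yields only `[sg_own_index, sg_public]` as in the second excerpt, and the third case shows the JWT role being mapped without any per-user entry. The real evaluator also honours `hosts:` entries and its own wildcard matcher; this model only covers user-name and backend-role matching.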