How do I give a user access to multiple indexes based on multiple ldap groups?

Just a quick question about how group permissions work, I am using LDAP authentication which is all configured and working…

I can give members of a group access to a particular index, or an array of indexes as below…

access_control_rules:
- name: "Give members of UserGroupA access to index1"
  ldap_authentication:
  ldap_authorization:
    name: ldap1
    groups: ['UserGroupA']
  indices: ['index1']
- name:  "Give members of UserGroupB access to index2"
  ldap_authentication:
  ldap_authorization:
    name: ldap1
    groups: ['UserGroupB']
  indices: ['index2']

But what happens if a particular user has UserGroupA and UserGroupB? I would want them to have access to index1 and index2.

According to the config above, would a user with both groups get access to index1 and index2? Or would they only get access to index1 as it’s the first block?
If the latter is true, how would I configure it so that the user has access to both indexes?

(It’s hard for me to test this as I don’t have test users)

Many thanks

Glad you found a solution. Did you?

Hi
Shortly after posting this question I changed the way my authentication worked, I figured out how to pass the X-Forwarded-User from a NGINX proxy to readonlyrest and then use that to query an LDAP server to get the users’ groups.
I’ve now noticed that if I have multiple permission blocks that readonlyrest will apply all of them automatically (i.e. if GroupA gets access to Index1 and GroupB gets access to Index2 then a user that has both groups will have access to both indexes) - so that also solves my initial question.

Do let me know if any of that doesn’t make sense or if I’m doing something wrong, but it seems to be working at the moment.

I would really like to remove the LDAP server component but it’s the only way I can retrieve user groups at the moment. The only way I can think of to get rid of the LDAP component is to define accesses in readonlyrest.yml at the user level so that there is no need to retrieve groups.

Can you think of any better ways of doing this?

I undid my thread delete, just in case you weren’t able to read the original post.

Apologies for the double post.

Just had an idea - as I am passing the X-Forwarded-User from NGINX, I could retrieve the users’ groups via NGINX as well and pass them through to readonlyrest.

So I would pass the user groups from NGINX to readonlyrest via the headers and then in my readonlyrest.yml I can inspect the headers using something like:
headers: ["Group1"]
?

This way I wouldn’t need to retrieve groups via LDAP.

Does this sound correct?

OK one thing at a time:

  1. if you have the configuration you proposed in the first post

Then if you are member of UserGroupA and UserGroupB, you will be able to reach the two indices individually, BUT… If you launch a broad search, you will get results only from index1.

This is subtle, but important. And it has its roots in the sequential evaluation of the ACL: once a block matches, the ACL won’t read any further.

To obtain the desired result, you have to add another block BEFORE the existing two:

- name: "Give members of UserGroupA & UserGroupB access to index1 & index2"
  ldap_authentication:
  ldap_authorization:
    name: ldap1
    groups_and: ['UserGroupA', 'UserGroupB']
  indices: ['index1', 'index2']

Now it will work as you intended. I know it’s not ideal, but the RBAC feature is still in backlog.

  2. Not clear why you want to move the LDAP interaction out of ROR, our LDAP connector works well, doesn’t it?

Since you have your hands on Nginx, I guess you can resolve LDAP groups externally, form a list of allowed indices, and send it as comma-separated values inside an HTTP header. Then from the ACL, you can use the explode operator:

From the documentation:

# Explode operator will generate an array of strings from a comma-separated string
indices: ["logstash_@explode{x-indices_csv_string}*", "otherIdx"]  
# HTTP Headers: [{ "x-indices_csv_string": "a,b"}]
# -> indices: ["logstash_a*", "logstash_b*", "otherIdx"]
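Both points in the reply above (first-match ACL ordering and the explode operator) as one added example; this is a toy model written for this thread, not ReadonlyREST code. It assumes, as the reply describes, that a search over several indices is narrowed to the ones the first matching block allows, and the block and header names are the thread's own.

```python
import re

# Toy model of sequential ACL evaluation, constructed for this thread (not ROR code).
# Assumption from the reply: a search is narrowed to the indices the first matching
# block allows ("results only from index1"); later blocks are never consulted.

def groups_rule_matches(block, user_groups):
    """'groups' needs any one listed group; 'groups_and' needs all of them."""
    auth = block["ldap_authorization"]
    if "groups_and" in auth:
        return set(auth["groups_and"]) <= set(user_groups)
    return bool(set(auth.get("groups") or []) & set(user_groups))

def evaluate(acl, user_groups, requested_indices):
    """Return (matching block name, indices the request is narrowed to), or None."""
    for block in acl:
        if not groups_rule_matches(block, user_groups):
            continue
        allowed = [i for i in requested_indices if i in block["indices"]]
        if allowed:
            return block["name"], allowed
    return None  # no block matched: request is forbidden

def block(name, groups=None, groups_and=None, indices=()):
    auth = {"groups_and": groups_and} if groups_and else {"groups": groups}
    return {"name": name, "ldap_authorization": auth, "indices": list(indices)}

# The two blocks from the question, in the order they were posted.
ORIGINAL_ACL = [
    block("UserGroupA -> index1", groups=["UserGroupA"], indices=["index1"]),
    block("UserGroupB -> index2", groups=["UserGroupB"], indices=["index2"]),
]
# The fix from the reply: a groups_and block placed BEFORE the existing two.
FIXED_ACL = [block("A & B -> index1, index2",
                   groups_and=["UserGroupA", "UserGroupB"],
                   indices=["index1", "index2"])] + ORIGINAL_ACL

def explode(patterns, headers):
    """Expand @explode{header} placeholders, one entry per comma-separated value.
    In this model a missing/empty header yields no entry rather than 'logstash_*'."""
    out = []
    for p in patterns:
        m = re.search(r"@explode\{([^}]+)\}", p)
        if not m:
            out.append(p)
            continue
        values = [v for v in headers.get(m.group(1), "").split(",") if v]
        out.extend(p[:m.start()] + v + p[m.end():] for v in values)
    return out
```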

Thank you very much for that info, that will be very useful.

The LDAP connector works very well, it’s only that I am trying to move away from using my old LDAP server. But for now it works perfectly and I will probably stick with the combination of the X-Forwarded-User from NGINX and the LDAP authorisation (my only reason for using the X-Forwarded-User was to avoid the log in screen).

I do have another related question - is it possible to switch from LDAP authorisation to something scripted? For example if I want to write something in Python that queries a local service to retrieve user groups. Would it be possible to call this script in readonlyrest.yml?


Regarding your info on using ‘groups_and’, does it need to be formatted differently if used in conjunction with proxy_auth? I am getting a “malformed settings” error when using the following configuration:

- name: "Give members of UserGroupA & UserGroupB access to index1 & index2"
  proxy_auth:
    proxy_auth_config: '"proxy1"
    users: ["*"]
  ldap_authorization:
    name: ldap1
    groups_and: ['UserGroupA', 'UserGroupB']
  indices: ['index1', 'index2']

The error looks like this:

Malformed settings: ldap_authorization:
  name: "ldap1"
  groups_and:
  - "UserGroupA"
  - "UserGroupB"
indices:
- "index1"
- "index2"

For info my other working blocks look like this:

access_control_rules:
- name: "Give members of UserGroupA access to index1"
  proxy_auth:
    proxy_auth_config: '"proxy1"
    users: ["*"]
  ldap_authorization:
    name: ldap1
    groups: ['UserGroupA']
  indices: ['index1']

…with the following for ‘proxy1’

proxy_auth_configs:
- name: "proxy1"
  user_id_header: "X-Forwarded-User"

Yes! And it’s very easy, one of the most underrated features of ReadonlyREST is the ease of integration with custom authenticator and authorizer scripts via HTTP/JSON.


About your syntax error, you have an extra single quote in proxy_auth_config: '"proxy1"

Thanks for the details on the scripted authentication, I will have a go at that.

About your syntax error, you have an extra single quote in proxy_auth_config: '"proxy1"

Oh, that was a typo as I was typing up the code in the forum post - my code itself doesn’t have that error.

It seems to be ‘groups_and’ which is breaking it. I have tested both of the below and this works:

- name: "Give members of UserGroupA & UserGroupB access to index1 & index2"
  proxy_auth:
    proxy_auth_config: '"proxy1"
    users: ["*"]
  ldap_authorization:
    name: ldap1
    groups: ['UserGroupA', 'UserGroupB']
  indices: ['index1', 'index2']

but this doesn’t…

- name: "Give members of UserGroupA & UserGroupB access to index1 & index2"
  proxy_auth:
    proxy_auth_config: '"proxy1"
    users: ["*"]
  ldap_authorization:
    name: ldap1
    groups_and: ['UserGroupA', 'UserGroupB']
  indices: ['index1', 'index2']

Slightly fuller error looks like this:

...................ROR starting errors:
tech.beshu.ror.exceptions$StartingFailureException: Errors:
ROR starting errors:
Malformed settings: ldap_authorization:
  name: "ldap1"
  groups_and:
  - "UserGroupA"
  - "UserGroupB"
indices:
- "index1"
- "index2"

I’m using ROR 7.16.2.

@coutoPL this was supposed to work, right?

Yes, it’s supported. We have it tested, so maybe you’d like to see our tests (ROR settings are here)?

I’m using ROR 7.16.2.
7.16.2 is the ES version. Please use the newest ROR. I bet you have old version without groups_and support in LDAP rules.


Thanks @coutoPL, I am now running ES version 8.2.2 and ROR version 1.40 and it is working fine.
