Just a quick question about how group permissions work, I am using LDAP authentication which is all configured and working…
I can give members of a group access to a particular index, or an array of indexes as below…
access_control_rules:
  - name: "Give members of UserGroupA access to index1"
    ldap_authentication:
    ldap_authorization:
      name: ldap1
      groups: ['UserGroupA']
    indices: ['index1']
  - name: "Give members of UserGroupB access to index2"
    ldap_authentication:
    ldap_authorization:
      name: ldap1
      groups: ['UserGroupB']
    indices: ['index2']
But what happens if a particular user has UserGroupA and UserGroupB? I would want them to have access to index1 and index2.
According to the config above, would a user with both groups get access to index1 and index2? Or would they only get access to index1 as it’s the first block?
If the latter is true, how would I configure it so that the user has access to both indexes?
(It’s hard for me to test this as I don’t have test users)
Hi
Shortly after posting this question I changed the way my authentication worked, I figured out how to pass the X-Forwarded-User from a NGINX proxy to readonlyrest and then use that to query an LDAP server to get the users’ groups.
I’ve now noticed that if I have multiple permission blocks, readonlyrest will apply all of them automatically (i.e. if GroupA gets access to Index1 and GroupB gets access to Index2, then a user that has both groups will have access to both indexes) - so that also solves my initial question.
Do let me know if any of that doesn’t make sense or if I’m doing something wrong, but it seems to be working at the moment.
I would really like to remove the LDAP server component but it’s the only way I can retrieve user groups at the moment. The only way I can think of to get rid of the LDAP component is to define accesses in readonlyrest.yml at the user level so that there is no need to retrieve groups.
Can you think of any better ways of doing this?
I undid my thread delete, just in case you weren’t able to read the original post.
Just had an idea - as I am passing the X-Forwarded-User from NGINX, I could retrieve the users’ groups via NGINX as well and pass them through to readonlyrest.
So I would pass the user groups from NGINX to readonlyrest via the headers, and then in my readonlyrest.yml I can inspect the headers using something like: headers: ["Group1"]?
This way I wouldn’t need to retrieve groups via LDAP.
If you have the configuration you proposed in the first post, then if you are a member of UserGroupA and UserGroupB, you will be able to reach the two indices individually, BUT… if you launch a broad search, you will get results only from index1.
This is subtle, but important. And it has its roots in the sequential evaluation of the ACL: once a block matches, the ACL won’t read any further.
To obtain the desired result, you have to add another block BEFORE the existing two:
  - name: "Give members of UserGroupA & UserGroupB access to index1 & index2"
    ldap_authentication:
    ldap_authorization:
      name: ldap1
      groups_and: ['UserGroupA', 'UserGroupB']
    indices: ['index1', 'index2']
Now it will work as you intended. I know it’s not ideal, but the RBAC feature is still in backlog.
Not clear why you want to move the LDAP interaction out of ROR, our LDAP connector works well, doesn’t it?
Since you have your hands on Nginx, I guess you can resolve LDAP groups externally, and form a list of allowed indices, and send it as comma-separated-values inside a HTTP header. Then from the ACL, you can use the explode operator:
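As an added illustration of the first-match evaluation described in the reply above (this is constructed example code, not ReadonlyREST's own implementation and not the poster's configuration), the following model walks the two original blocks and the proposed groups_and block for a user who belongs to both groups. The block and group names come from the thread; the evaluation rules (a block matches only when its group condition holds and the requested indices fit within its `indices`; a broad search is narrowed to the first matching block's indices) are a simplified assumption meant to reproduce the behaviour the reply describes.

```python
"""Constructed model of first-match ACL evaluation (not ReadonlyREST code).

It reproduces the rule that the first block whose conditions all hold decides
the request and later blocks are never consulted, and shows why a user in both
UserGroupA and UserGroupB gets only index1 from a broad search unless a
groups_and block is placed first.
"""
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str
    indices: list                                    # indices the block grants
    groups: list = field(default_factory=list)       # any one group suffices
    groups_and: list = field(default_factory=list)   # every listed group required

    def groups_match(self, user_groups):
        have = set(user_groups)
        if self.groups_and:
            return set(self.groups_and) <= have
        return bool(set(self.groups) & have)


BROAD = "*"  # a search that names no specific index


def evaluate(acl, user_groups, requested):
    """Return (matching block name, indices the request may touch).

    Assumed semantics: a block matches when its group condition holds and the
    requested indices all lie within its `indices`; a broad search is narrowed
    to the block's indices instead of failing. The first matching block wins;
    if no block matches, the request is rejected as (None, set()).
    """
    wanted = set(requested)
    for block in acl:
        if not block.groups_match(user_groups):
            continue
        allowed = set(block.indices)
        if wanted == {BROAD}:
            return block.name, allowed          # narrowed, not rejected
        if wanted <= allowed:
            return block.name, wanted
        # explicit request outside this block's indices: try the next block
    return None, set()


# The two blocks from the original question.
ORIGINAL_ACL = [
    Block("UserGroupA -> index1", ["index1"], groups=["UserGroupA"]),
    Block("UserGroupB -> index2", ["index2"], groups=["UserGroupB"]),
]

# The fix from the reply: a groups_and block placed BEFORE the other two.
FIXED_ACL = [
    Block("UserGroupA & UserGroupB -> index1 & index2",
          ["index1", "index2"], groups_and=["UserGroupA", "UserGroupB"]),
] + ORIGINAL_ACL


def demo():
    """Run the scenarios discussed in the thread and return them as rows."""
    both = ["UserGroupA", "UserGroupB"]
    rows = [
        ("original, broad search", evaluate(ORIGINAL_ACL, both, [BROAD])),
        ("original, index2 by name", evaluate(ORIGINAL_ACL, both, ["index2"])),
        ("fixed, broad search", evaluate(FIXED_ACL, both, [BROAD])),
        ("fixed, only UserGroupA", evaluate(FIXED_ACL, ["UserGroupA"], [BROAD])),
        ("fixed, unknown group", evaluate(FIXED_ACL, ["UserGroupC"], [BROAD])),
    ]
    for label, (block, indices) in rows:
        print(f"{label:26} -> block={block!r} indices={sorted(indices)}")
    return rows


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the two outcomes the reply contrasts: with the original two blocks a broad search by a dual-group user stops at the first block and yields only index1, while index2 is still reachable when named explicitly; with the groups_and block in front, the same broad search yields both indices, and a user holding only UserGroupA still falls through to the original first block. Ordering, not just membership, decides what a first-match ACL grants, which is why the extra block must go before the existing two.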
Thank you very much for that info, that will be very useful.
The LDAP connector works very well, it’s only that I am trying to move away from using my old LDAP server. But for now it works perfectly and I will probably stick with the combination of the X-Forwarded-User from NGINX and the LDAP authorisation (my only reason for using the X-Forwarded-User was to avoid the login screen).
I do have another related question - is it possible to switch from LDAP authorisation to something scripted? For example if I want to write something in Python that queries a local service to retrieve user groups. Would it be possible to call this script in readonlyrest.yml?
Regarding your info on using ‘groups_and’, does it need to be formatted differently if used in conjunction with proxy_auth? I am getting a “malformed settings” error when using the following configuration:
  - name: "Give members of UserGroupA & UserGroupB access to index1 & index2"
    proxy_auth:
      proxy_auth_config: '"proxy1"
      users: ["*"]
    ldap_authorization:
      name: ldap1
      groups_and: ['UserGroupA', 'UserGroupB']
    indices: ['index1', 'index2']
Yes! And it’s very easy, one of the most underrated features of ReadonlyREST is the ease of integration with custom authenticator and authorizer scripts via HTTP/JSON.
About your syntax error, you have an extra single quote in proxy_auth_config: '"proxy1"