Hi again,
Given the following configuration:

    - name: testrule
      type: allow
      auth_key: user:passwd
      indices: ["@{user}__*"]

I can access the index named user__testindex. For example the command:

    curl -XGET -u user 'https://localhost:9200/user__testindex/_mapping?pretty'

is permitted:
[2017-05-22T14:02:29,632][INFO ][o.e.p.r.a.ACL ] request: { ID:1018362977-680753494, TYP:GetIndexRequest, USR:user, BRS:true, ACT:indices:admin/get, OA:172.17.0.1, IDX:user__testindex, MET:GET, PTH:/user__testindex/_mapping, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[indices->true, auth_key->true]] } matched block: testrule match: true}
However, if I use external_authentication instead of auth_key, the user variable doesn’t seem to be substituted in the indices rule. If I change the configuration to:

    - name: testrule
      type: allow
      external_authentication: "testauth"
      indices: ["@{user}__*"]

    external_authentication_service_configs:
    - name: "testauth"
      [external authentication configuration, which accepts user:passwd]

then the same command fails because there are no matching indices:
[2017-05-22T14:09:35,405][INFO ][o.e.p.r.e.IndexLevelActionFilter] [WA3PECj] forbidden request: { ID:1466340573-244481894, TYP:GetIndexRequest, USR:user(?), BRS:true, ACT:indices:admin/get, OA:172.17.0.1, IDX:user__testindex, MET:GET, PTH:/user__testindex/_mapping, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[indices->false]] } Reason: null (null)
If I comment out the indices line, the operation is permitted again (but that doesn’t check the index name of course).
Is this supposed to work, i.e. ${user} variable substitution when using external_authentication?
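For comparing the two log lines quoted in the post, here is a small parser that pulls out the request fields and the per-rule history (`HIS`) so the failing rule is visible at a glance. It is an added example, not part of the original post or of the plugin's code; the function names `parse_acl_line` and `failed_rules` are made up here, and the field layout is assumed from those two lines only.

```python
import re

# Both log lines are copied verbatim from the post above.
ALLOWED = "[2017-05-22T14:02:29,632][INFO ][o.e.p.r.a.ACL ] request: { ID:1018362977-680753494, TYP:GetIndexRequest, USR:user, BRS:true, ACT:indices:admin/get, OA:172.17.0.1, IDX:user__testindex, MET:GET, PTH:/user__testindex/_mapping, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[indices->true, auth_key->true]] } matched block: testrule match: true}"
FORBIDDEN = "[2017-05-22T14:09:35,405][INFO ][o.e.p.r.e.IndexLevelActionFilter] [WA3PECj] forbidden request: { ID:1466340573-244481894, TYP:GetIndexRequest, USR:user(?), BRS:true, ACT:indices:admin/get, OA:172.17.0.1, IDX:user__testindex, MET:GET, PTH:/user__testindex/_mapping, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[indices->false]] } Reason: null (null)"


def parse_acl_line(line):
    """Split one ACL log line into verdict, request fields and rule history."""
    body = re.search(r"request: \{ (.*) \}", line)
    if body is None:
        raise ValueError("not an ACL request log line")
    # Keys are 2-3 capitals (ID, USR, OA, HIS, ...). A value ends only at
    # ", KEY:" so the commas inside CNT, HDR and HIS stay part of the value.
    fields = dict(re.findall(r"([A-Z]{2,3}):(.*?)(?:, (?=[A-Z]{2,3}:)|$)",
                             body.group(1)))
    # HIS looks like [block->[rule->true, rule->false]]: the rules that were
    # evaluated in each block, with their individual results.
    history = {}
    for block, rules in re.findall(r"(\w+)->\[(.*?)\]", fields.get("HIS", "")):
        history[block] = {name: result == "true" for name, result
                          in re.findall(r"(\w+)->(true|false)", rules)}
    return {"allowed": "forbidden request" not in line,
            "fields": fields, "history": history}


def failed_rules(parsed):
    """Return the (block, rule) pairs that evaluated to false."""
    return [(block, rule) for block, rules in parsed["history"].items()
            for rule, ok in rules.items() if not ok]


if __name__ == "__main__":
    for line in (ALLOWED, FORBIDDEN):
        p = parse_acl_line(line)
        print(p["fields"]["USR"], p["fields"]["IDX"],
              "allowed" if p["allowed"] else "forbidden",
              p["history"], failed_rules(p))
```

On the forbidden line the history contains only `indices->false` and the user is logged as `user(?)`, while the permitted line lists both `indices` and `auth_key` as true.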