LDAP user based permissions

(Victor Renan Covalski Junes) #1

Hi, I have a shared Elasticsearch cluster with 1 node and 2 shards per node.
My LDAP user database is not classified in groups, so I’d like to know if there’s a way to give permissions to users instead of groups using LDAP authentication.

Any feedback will be appreciated,

(Simone Scarduzio) #3

Have you seen this? Look for “Advanced: authentication and authorization in separate rules”

(Victor Renan Covalski Junes) #4

Hi, I gave up LDAP and decided to go with proxy_auth to solve my problem. My university has an identity provider (Shibboleth). I’m using it now combined with Apache (reverse proxy) to pass the auth variables (username) to Kibana, which forwards them to ReadOnlyREST, where I choose which users have permissions to certain indices or not. It’s really neat 🙂

(Simone Scarduzio) #5

Yes! Shibboleth is not directly supported.
The way to go is exactly what you did and what CERN did: Apache as a reverse proxy to handle the authentication and set a header. Then in ROR you use the proxy_auth rule and header variables like @{username} as values for the indices rule, et al.

For anyone else looking for a solution to setting access controls for individual LDAP users, please see: https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/issues/237
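The proxy-header setup described above, as an added illustration that is not from the thread or from the ROR project itself: the reverse proxy authenticates the user and sets `X-Forwarded-User`, and ROR grants each user only the indices carrying their own name. The header name, the `proxy1` label and the index naming scheme are assumptions; the variable is written `@{user}` as in ROR's documentation (the thread calls it `@{username}`), so check the spelling against the ROR version you run.

```yaml
# Assumed: Apache (with Shibboleth) sits in front of Kibana/Elasticsearch and
# sets X-Forwarded-User to the authenticated principal on every request.
# Elasticsearch must only be reachable through that proxy; if a client can
# reach the node directly it can set the header itself and become any user.
readonlyrest:
  access_control_rules:

  # Each authenticated user may read and write only indices named after them,
  # e.g. user "alice" gets alice-* and nothing else. No LDAP groups needed.
  - name: "Per-user index access via proxy header"
    proxy_auth:
      proxy_auth_config: "proxy1"
      users: ["*"]
    indices: ["@{user}-*"]
    kibana_access: rw

  # Administrators are listed explicitly instead of relying on a group lookup.
  - name: "Admins (explicit user list)"
    proxy_auth:
      proxy_auth_config: "proxy1"
      users: ["alice", "bob"]
    kibana_access: admin

  # Names the header that carries the user id set by the reverse proxy.
  proxy_auth_configs:
  - name: "proxy1"
    user_id_header: "X-Forwarded-User"
```

Because the header is the whole credential, the proxy must strip any `X-Forwarded-User` value supplied by the client before setting its own, and the Elasticsearch HTTP port should be firewalled to the proxy host.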

(shubham) #7

```yaml
- name: "TESTING"
  groups: ["cool_kids"]
  kibana_access: admin
  verbosity: info
- username: shubham
  groups: ["cool_kids"]
     name: "ldap1"
```

This config is not working for just a given user id in LDAP … it authenticates and authorises all users, not only “shubham” as mentioned in username??