I’m trying to use proxy auth, using my already existing Google auth config… so I set up my nginx to pass the Google username in the x-forwarded-user and use an nginx map to find the correct group for that user. In RoR I set up this:
The idea is to get the username and group dynamically… and it looks good on paper… but it fails to work!
RoR returns this:
[2018-05-11T16:09:51,341][INFO ][t.b.r.e.SettingsObservableImpl] Loaded good settings from /etc/elasticsearch/readonlyrest.yml
mai 11 16:09:52 kafka-live-a01 sh[25329]: [6935361.682974] elasticsearch[6]: tech.beshu.ror.commons.settings.SettingsMalformedException: Could not find required attribute 'readonlyrest'
Removing the username part, it works fine. Replacing the @{variables} with hardcoded ones, RoR works fine. So I would say that the user does not accept dynamic user/group config.
How can I create a config where the users are dynamic? Right now I have a few users manually configured, but I want to expand that to all users and, of course, I do not want to manage the user list in readonlyrest, and right now I still do not have an external group service.
But this does not work yet. I can tcpdump the elasticsearch request and I see the x-forwarded-user and x-user-group headers with valid info (x-forwarded-user: my_username and x-user-group: sysadmin group), yet the log fails:
Here is my config (removed only other users and actions). I have a users: , with the dynamic user-group association. Are you saying I need to put users before the access_control_rules? … nope, that also does not work