It is seen from the configuration for JWT is that we can only extract the user and roles from the token. Use of dynamic variables can allow us to map a single role definition to appropriate access_control_rules:
#Example configuration
jwt:
- name: vimana_jwt_provider
signature_algo: HS256
signature_key: ""
user_claim: sub
roles_claim: prm
header_name: Authorization
access_control_rules:
- name: Valid JWT token with a writer role
indices: ["@{user}-*"]
jwt_auth:
name: "custom_jwt_provider"
roles: ["kibana_access_role"]
The auth service can provide a JWT token with a special key called tenant or tnt to mark which tenant that user belongs to. So, if the JWT provider were to expose more properties for the access_control_rules configuration, we can achieve a ACL configuration that looks like the following:
- name: Valid JWT token with a writer role
indices: ["@{tnt}-*"]
jwt_auth:
name: "custom_jwt_provider"
roles: ["kibana_access"]
One workaround that we can think of is to use tenant name as username and create RO/RW access_control_roles mapped to appropriate JWT roles. However, this workaround will limit auditing capabilities.
How can we achieve the same? Are there any more workarounds that we can utilise? Should there be a feature request that can pick various values from a JWT token and make it available to access_control_roles? Have I missed certain parts of configuration?