X-forwarded-groups?


(Barry Kaplan) #1

@sscarduzio, you said in an email

you can configure the proxy to inject headers like “x-forwarded-user” and “x-forwarded-groups” so that ReadonlyREST can use that for authentication purposes.

What I thought you meant was that GRP would get populated with x-forwarded-groups in the same way that USR does for x-forwarded-user. But this seems not to be case. Indeed I can find no trace of x-forwarded-groups in the code.

Where you referring to a possible future capability?


(Barry Kaplan) #2

Hmm, ok. I see ProxyAuthSyncRule and ProxyAuthRuleSettings would need to be extended for this. Not sure if I can work around this.


(Barry Kaplan) #3

So looking at ProxyAuthSyncRule to work the way I need, it would have to handle something like

        - name: plant-operators
          proxy_auth: "*"
          groups: [operator]
          indices: ["plant-*"]
          filter: |
            {
              "term": {"plant": "@{x-plant}"}
            }

Even if I extended the rule to support x-forwarded-groups it would have very different behavior than it currently does – ie, the user is not needed. ProxyAuthRuleSettings would not even accept that.

Any ideas?


(Barry Kaplan) #4

I suppose I could put the group in the x-forwarded-user and then also set something like x-user so I get the user in the audit…


(Barry Kaplan) #5

Technically this works, but it shows the pseudo “group” name on the ui instead of the user.

        - name: PLANT-OPERATOR
          headers:
            - x-forwarded-user:*
            - x-user:*
            - x-plant:*
          proxy_auth: operator
          indices: [kibana_sample_data_ecommerce]
          filter: |
            {
              "term": {"customer_gender": "@{x-plant}"}
            }

The user on the bottom left button shows “operator” (the value the proxy had to add to x-forwarded-user) instead of the real user name.


(Simone Scarduzio) #6

Try this:

        - name: PLANT-OPERATOR
          headers:
            - x-forwarded-group:operator  # requiring a header value here, technically counts as authorization 
          proxy_auth: "*" # allow any value for x-forwarded-user, which will be recognised as username (will read on the bottom left button)