[DOCS] Documentation for Custom Roles Providers
relates elastic/x-pack-elasticsearch#721 Original commit: elastic/x-pack-elasticsearch@67fdba706c
This commit is contained in:
parent
06c4a3223b
commit
7def5ac01d
|
@ -240,7 +240,10 @@ Based on the above definition, users owning the `clicks_admin` role can:
|
||||||
TIP: For a complete list of available <<security-privileges, cluster and indices privileges>>
|
TIP: For a complete list of available <<security-privileges, cluster and indices privileges>>
|
||||||
|
|
||||||
There are two available mechanisms to define roles: using the _Role Management APIs_
|
There are two available mechanisms to define roles: using the _Role Management APIs_
|
||||||
or in local files on the Elasticsearch nodes.
|
or in local files on the Elasticsearch nodes. {security} also supports implementing
|
||||||
|
custom roles providers. If you need to integrate with another system to retrieve
|
||||||
|
user roles, you can build a custom roles provider plugin. For more information,
|
||||||
|
see <<custom-roles-provider, Custom Roles Provider Extension>>.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[roles-management-ui]]
|
[[roles-management-ui]]
|
||||||
|
@ -404,3 +407,6 @@ include::authorization/mapping-roles.asciidoc[]
|
||||||
include::authorization/field-and-document-access-control.asciidoc[]
|
include::authorization/field-and-document-access-control.asciidoc[]
|
||||||
|
|
||||||
include::authorization/run-as-privilege.asciidoc[]
|
include::authorization/run-as-privilege.asciidoc[]
|
||||||
|
|
||||||
|
include::authorization/custom-roles-provider.asciidoc[]
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,97 @@
|
||||||
|
[[custom-roles-provider]]
|
||||||
|
=== Custom Roles Provider Extension
|
||||||
|
|
||||||
|
If you need to retrieve user roles from a system not supported out-of-the-box
|
||||||
|
by {security}, you can create a custom roles provider to retrieve and resolve
|
||||||
|
roles. You implement a custom roles provider as an {xpack} extension.
|
||||||
|
|
||||||
|
[[implementing-custom-roles-provider]]
|
||||||
|
==== Implementing a Custom Roles Provider
|
||||||
|
|
||||||
|
To create a custom roles provider:
|
||||||
|
|
||||||
|
. Implement the interface `BiConsumer<Set<String>, ActionListener<Set<RoleDescriptor>>>`.
|
||||||
|
That is to say, the implementation consists of one method that takes a set of strings,
|
||||||
|
which are the role names to resolve, and an ActionListener, on which the set of resolved
|
||||||
|
role descriptors are passed on as the response.
|
||||||
|
. The custom roles provider implementation must take special care to not block on any I/O
|
||||||
|
operations. It is the responsibility of the implementation to ensure asynchronous behavior
|
||||||
|
and non-blocking calls, which is made easier by the fact that the `ActionListener` is
|
||||||
|
provided on which to send the response when the roles have been resolved and the response
|
||||||
|
is ready.
|
||||||
|
|
||||||
|
To package your custom roles provider as a plugin:
|
||||||
|
|
||||||
|
. Implement an extension class for your roles provider that extends
|
||||||
|
`org.elasticsearch.xpack.extensions.XPackExtension`. There you need to
|
||||||
|
override one or more of the following methods:
|
||||||
|
+
|
||||||
|
[source,java]
|
||||||
|
----------------------------------------------------
|
||||||
|
@Override
|
||||||
|
public List<BiConsumer<Set<String>, ActionListener<Set<RoleDescriptor>>>>
|
||||||
|
getRolesProviders(Settings settings, ResourceWatcherService resourceWatcherService) {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
----------------------------------------------------
|
||||||
|
+
|
||||||
|
The `getRolesProviders` method is used to provide a list of custom roles providers that
|
||||||
|
will be used to resolve role names, if the role names could not be resolved by the reserved
|
||||||
|
roles or native roles stores. The list should be returned in the order that the custom role
|
||||||
|
providers should be invoked to resolve roles. For example, if `getRolesProviders` returns two
|
||||||
|
instances of roles providers, and both of them are able to resolve role `A`, then the resolved
|
||||||
|
role descriptor that will be used for role `A` will be the one resolved by the first roles
|
||||||
|
provider in the list.
|
||||||
|
+
|
||||||
|
[source,java]
|
||||||
|
----------------------------------------------------
|
||||||
|
@Override
|
||||||
|
public List<String> getSettingsFilter() {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
----------------------------------------------------
|
||||||
|
+
|
||||||
|
The `getSettingsFilter` method returns a list of setting names that should be
|
||||||
|
filtered from the settings APIs as they may contain sensitive credentials.
|
||||||
|
|
||||||
|
. Create a build configuration file for the plugin; Gradle is our recommendation.
|
||||||
|
. Create a `x-pack-extension-descriptor.properties` descriptor file for the
|
||||||
|
extension.
|
||||||
|
. Bundle all in a single zip file.
|
||||||
|
|
||||||
|
[[using-custom-roles-provider]]
|
||||||
|
==== Using a Custom Roles Provider to Resolve Roles
|
||||||
|
|
||||||
|
To use a custom roles provider:
|
||||||
|
|
||||||
|
. Install the roles provider extension on each node in the cluster. You run
|
||||||
|
`bin/x-pack/extension` with the `install` sub-command and specify the URL
|
||||||
|
pointing to the zip file that contains the extension. For example:
|
||||||
|
+
|
||||||
|
[source,shell]
|
||||||
|
----------------------------------------
|
||||||
|
bin/x-pack/extension install file:///<path>/my-roles-provider-1.0.zip
|
||||||
|
----------------------------------------
|
||||||
|
|
||||||
|
. Add any configuration parameters for any of the custom roles provider implementations
|
||||||
|
to `elasticsearch.yml`. The settings are not namespaced and you have access to any
|
||||||
|
settings when constructing the custom roles providers, although it is recommended to
|
||||||
|
have a namespacing convention for custom roles providers to keep your `elasticsearch.yml`
|
||||||
|
configuration easy to understand.
|
||||||
|
+
|
||||||
|
For example, if you have a custom roles provider that
|
||||||
|
resolves roles from reading a blob in an S3 bucket on AWS, then you would specify settings
|
||||||
|
in `elasticsearch.yml` such as:
|
||||||
|
+
|
||||||
|
[source,js]
|
||||||
|
----------------------------------------
|
||||||
|
custom_roles_provider.s3_roles_provider.bucket: roles
|
||||||
|
custom_roles_provider.s3_roles_provider.region: us-east-1
|
||||||
|
custom_roles_provider.s3_roles_provider.secret_key: xxx
|
||||||
|
custom_roles_provider.s3_roles_provider.access_key: xxx
|
||||||
|
----------------------------------------
|
||||||
|
+
|
||||||
|
These settings will be available as the first parameter in the `getRolesProviders` method, from
|
||||||
|
where you will create and return the custom roles provider instances.
|
||||||
|
|
||||||
|
. Restart Elasticsearch.
|
Loading…
Reference in New Issue