[role="xpack"] [[configuring-authorization-delegation]] === Configuring authorization delegation In some cases, after the user has been authenticated by a realm, we may want to delegate user lookup and assignment of roles to another realm. Any realm that supports retrieving users (without needing their credentials) can be used as an authorization realm. For example, a user that is authenticated by the Kerberos realm can be looked up in the LDAP realm. The LDAP realm takes on responsibility for searching the user in LDAP and determining the role. In this case, the LDAP realm acts as an _authorization realm_. ==== LDAP realm as an authorization realm Following is an example configuration for the LDAP realm that can be used as an _authorization realm_. This LDAP realm is configured in user search mode with a specified filter. For more information on configuring LDAP realms see <>. [source, yaml] ------------------------------------------------------------ xpack: security: authc: realms: ldap: ldap1: order: 0 authentication.enabled: true <1> user_search: base_dn: "dc=example,dc=org" filter: "(cn={0})" group_search: base_dn: "dc=example,dc=org" files: role_mapping: "ES_PATH_CONF/role_mapping.yml" unmapped_groups_as_roles: false ------------------------------------------------------------ <1> Here, we explicitly allow the LDAP realm to be used for authentication (that is, users can authenticate using their LDAP username and password). If we wanted this LDAP realm to be used for authorization only, then we would set this to `false`. ==== Kerberos realm configured to delegate authorization Following is an example configuration where the Kerberos realm authenticates a user and then delegates authorization to the LDAP realm. The Kerberos realm authenticates the user and extracts user principal name (usually of format `user@REALM`). In this example, we enable the `remove_realm_name` setting to remove the `@REALM` part from the user principal name to get the username. This username is used to do a user lookup by the configured authorization realms (in this case the LDAP realm). For more information on Kerberos realm see <>. [source, yaml] ------------------------------------------------------------ xpack: security: authc: realms: kerberos: kerb1: order: 1 keytab.path: "ES_PATH_CONF/es.keytab" remove_realm_name: true authorization_realms: ldap1 ------------------------------------------------------------ ==== PKI realm configured to delegate authorization We can similarly configure PKI realm to delegate authorization to LDAP realm. The user is authenticated by the PKI realm and the authorization is delegated to the LDAP realm. In this example, the username is the common name (CN) extracted from the DN of the client certificate. The LDAP realm uses this username to lookup user and assign the role. For more information on PKI realms see <>. [source, yaml] ------------------------------------------------------------ xpack: security: authc: realms: pki: pki1: order: 2 authorization_realms: ldap1 ------------------------------------------------------------ Similar to the above examples, we can configure realms to delegate authorization to authorization realms (which have the capability to lookup users by the username and assign roles).