[[mapping-roles]]
=== Mapping Users and Groups to Roles

If you authenticate users with an `esusers` realm, you can assign roles when you <<esusers-add,add a user>> and use the <<esusers-roles,`roles`>> command to add or remove roles.

For other types of realms, you configure role mappings for users and groups in a YAML file. By default, role mappings are stored in `config/shield/role_mapping.yml`. You can specify the name and location of the mapping file by configuring the appropriate `role_mapping` setting in `elasticsearch.yml`:

`shield.authc.ldap.files.role_mapping` :: The location of the role mapping file for LDAP realms.
`shield.authc.active_directory.files.role_mapping` :: The location of the role mapping file for Active Directory realms.
`shield.authc.pki.files.role_mapping` :: The location of the role mapping file for PKI realms.

Within the role mapping file, Elasticsearch roles are keys and groups and users are values. The mapping can have a many-to-many relationship. When you map roles to groups, the roles of a user in that group are the combination of the roles assigned to that group and the roles assigned to that user.

To map users and groups to a role, you create a mapping file and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.

|
[[ldap-role-mapping]]
.Example LDAP Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example LDAP group mapping configuration:
# roleA: <1>
#   - groupA-DN <2>
#   - groupB-DN
#   - user1-DN <3>
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
------------------------------------------------------------
<1> The name of the Elasticsearch role found in the <<defining-roles, roles file>>
<2> Example specifying the distinguished name of an LDAP group
<3> Example specifying the distinguished name of an LDAP user added[1.1.0]

|
[[ad-role-mapping]]
.Example Active Directory Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example Active Directory group mapping configuration:
# roleA: <1>
#   - groupA-DN <2>
#   - groupB-DN
#   - user1-DN <3>
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <<defining-roles, roles file>>
<2> Example specifying the distinguished name of an Active Directory group
<3> Example specifying the distinguished name of an Active Directory user

|
[[pki-role-mapping]]
.Example PKI Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example user mapping configuration:
# roleA: <1>
#   - user1-DN <2>
monitoring:
  - "cn=Admin,ou=example,o=com"
user:
  - "cn=John Doe,ou=example,o=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <<defining-roles, roles file>>
<2> Example specifying the distinguished name of a PKI user

NOTE: For PKI realms, only the DN of a user can be mapped as there is no concept of a group in PKI.
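The mapping file is keyed by role, but authorization is evaluated per user: a user's roles are the union of the roles mapped to the user's own DN and the roles mapped to every group the user belongs to. The following Python script is an added example, not part of the Shield documentation or code; it reads the `role: [DN, ...]` subset used by `role_mapping.yml` (the constructed sample mirrors the LDAP file above) and inverts it into that per-user view. DN comparison is an exact string match here, which is a simplification of real LDAP DN equality rules.

```python
import re

# Constructed sample, mirroring the LDAP role mapping file above.
SAMPLE_ROLE_MAPPING = """\
# Example LDAP group mapping configuration:
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
"""

KEY_RE = re.compile(r"([A-Za-z0-9_.-]+):\s*")      # role name at column 0
ITEM_RE = re.compile(r"\s*-\s*\"?([^\"]+)\"?\s*")  # optionally quoted DN


def parse_role_mapping(text):
    """Parse the 'role:' / '- "dn"' YAML subset used by role_mapping.yml.
    Comment and blank lines are skipped; anything else raises, so a
    malformed file is rejected rather than silently dropping a mapping."""
    mapping, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, item = KEY_RE.fullmatch(line), ITEM_RE.fullmatch(line)
        if key:
            current = key.group(1)
            mapping.setdefault(current, [])
        elif item and current is not None:
            mapping[current].append(item.group(1))
        else:
            raise ValueError(f"line {lineno}: unsupported syntax: {raw!r}")
    return mapping


def effective_roles(mapping, user_dn, group_dns):
    """Roles granted to user_dn: the union of roles mapped to the user's
    own DN and roles mapped to any of the user's group DNs (exact match)."""
    principals = {user_dn, *group_dns}
    return sorted(role for role, dns in mapping.items()
                  if principals.intersection(dns))


if __name__ == "__main__":
    m = parse_role_mapping(SAMPLE_ROLE_MAPPING)
    print(effective_roles(m, "cn=John Doe,cn=contractors,dc=example,dc=com", []))
    print(effective_roles(m, "cn=Jane,dc=example,dc=com",
                          ["cn=admins,dc=example,dc=com"]))
```

Because `cn=admins,dc=example,dc=com` appears under both `monitoring` and `user`, a member of that group receives both roles, which is the many-to-many behaviour the text describes.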