[role="xpack"]
[[configuring-authorization-delegation]]
=== Configuring authorization delegation

In some cases, after a user has been authenticated by one realm, we may want
to delegate the user lookup and the assignment of roles to another realm.
Any realm that supports retrieving users (without needing their credentials)
can be used as an authorization realm.

For example, a user that is authenticated by the Kerberos realm can be looked up
in the LDAP realm. The LDAP realm then takes on the responsibility for searching
for the user in LDAP and determining the user's roles. In this case, the LDAP
realm acts as an _authorization realm_.

==== LDAP realm as an authorization realm

Following is an example configuration for an LDAP realm that can be used as
an _authorization realm_. This LDAP realm is configured in user search mode
with a specified filter; the `{0}` placeholder in the filter is replaced with
the username that the authenticating realm supplies.

For more information on configuring LDAP realms see <<ldap-realm>>.

[source, yaml]
------------------------------------------------------------
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            authentication.enabled: true <1>
            user_search:
              base_dn: "dc=example,dc=org"
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=example,dc=org"
            files:
              role_mapping: "ES_PATH_CONF/role_mapping.yml"
            unmapped_groups_as_roles: false
------------------------------------------------------------

<1> Here, we explicitly allow the LDAP realm to be used for authentication
(that is, users can also authenticate directly with their LDAP username and
password, and with `order: 0` this realm is consulted first for such requests).
If we wanted this LDAP realm to be used for authorization only, then we
would set this to `false`; the realm can still look up users and assign roles
when another realm delegates authorization to it.

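Because a mistyped realm name or a delegation target of the wrong type only
surfaces at startup or at first login, it is worth checking the settings before
rollout. The following Python is an added example written for this page, not
Elasticsearch code. It reads realm settings in the flat dotted form that
`elasticsearch.yml` accepts (for example
`xpack.security.authc.realms.kerberos.kerb1.authorization_realms`), and the
set of realm types treated as able to look up users, the function names and the
sample settings are assumptions made for the example.

```python
"""Preflight check of authorization delegation settings.

Added example, not Elasticsearch code. It checks that every
authorization_realms reference points at a realm that exists and whose type
can retrieve a user by name without credentials.
"""
from typing import Dict, List, Tuple, Union

REALM_PREFIX = "xpack.security.authc.realms."

# Assumption: these realm types can retrieve a user by name without
# credentials and so can serve as authorization realms. Kerberos, PKI, SAML
# and OIDC realms only authenticate; they cannot look users up.
LOOKUP_CAPABLE_TYPES = {"file", "native", "ldap", "active_directory"}


def parse_realms(settings: Dict[str, Union[str, list]]) -> Dict[str, dict]:
    """Group flat settings as {realm_name: {"type": ..., "settings": {...}}}."""
    realms: Dict[str, dict] = {}
    for key, value in settings.items():
        if not key.startswith(REALM_PREFIX):
            continue
        # remainder looks like "ldap.ldap1.user_search.base_dn"
        parts = key[len(REALM_PREFIX):].split(".", 2)
        if len(parts) != 3:
            continue
        rtype, name, setting = parts
        realm = realms.setdefault(name, {"type": rtype, "settings": {}})
        realm["settings"][setting] = value
    return realms


def _as_list(value: Union[str, list]) -> List[str]:
    """authorization_realms may be a YAML list or a comma-separated string."""
    if isinstance(value, list):
        return [str(v).strip() for v in value if str(v).strip()]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def check_delegation(settings: Dict[str, Union[str, list]]) -> Tuple[List[str], List[str]]:
    """Return (errors, notes) for every realm that delegates authorization.

    errors: references Elasticsearch cannot honour (unknown realm, or a realm
            type that cannot look up users).
    notes:  delegation targets that also accept direct authentication, so the
            operator can confirm that both login paths are intended.
    """
    realms = parse_realms(settings)
    errors: List[str] = []
    notes: List[str] = []
    for name, realm in sorted(realms.items()):
        targets = realm["settings"].get("authorization_realms")
        if targets is None:
            continue
        for target in _as_list(targets):
            if target not in realms:
                errors.append(f"{name}: authorization realm '{target}' is not defined")
                continue
            ttype = realms[target]["type"]
            if ttype not in LOOKUP_CAPABLE_TYPES:
                errors.append(f"{name}: realm '{target}' is of type '{ttype}' and cannot look up users")
                continue
            enabled = str(realms[target]["settings"].get("authentication.enabled", "true")).lower()
            if enabled == "true":
                notes.append(f"{name}: realm '{target}' also accepts direct authentication")
    return errors, notes


# Constructed sample: the three realms from this page plus a deliberately
# broken Kerberos realm (kerb2) that delegates to another Kerberos realm and
# to a realm that does not exist.
SAMPLE_SETTINGS = {
    "xpack.security.authc.realms.ldap.ldap1.order": "0",
    "xpack.security.authc.realms.ldap.ldap1.authentication.enabled": "true",
    "xpack.security.authc.realms.ldap.ldap1.user_search.base_dn": "dc=example,dc=org",
    "xpack.security.authc.realms.ldap.ldap1.user_search.filter": "(cn={0})",
    "xpack.security.authc.realms.kerberos.kerb1.order": "1",
    "xpack.security.authc.realms.kerberos.kerb1.remove_realm_name": "true",
    "xpack.security.authc.realms.kerberos.kerb1.authorization_realms": "ldap1",
    "xpack.security.authc.realms.pki.pki1.order": "2",
    "xpack.security.authc.realms.pki.pki1.authorization_realms": ["ldap1"],
    "xpack.security.authc.realms.kerberos.kerb2.order": "3",
    "xpack.security.authc.realms.kerberos.kerb2.authorization_realms": "kerb1, missing1",
}

if __name__ == "__main__":
    errs, warns = check_delegation(SAMPLE_SETTINGS)
    for line in errs:
        print("ERROR", line)
    for line in warns:
        print("NOTE ", line)
```

The notes are deliberate: `ldap1` keeps `authentication.enabled: true` as in
the configuration above, so the check reports that every realm delegating to
it is also leaving an LDAP password login path open. Flip that setting to
`false` if the directory should only be consulted for lookups.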
==== Kerberos realm configured to delegate authorization

Following is an example configuration where the Kerberos realm authenticates a
user and then delegates authorization to the LDAP realm. The Kerberos realm
authenticates the user and extracts the user principal name (usually of the
form `user@REALM`). In this example, we enable the `remove_realm_name` setting
to remove the `@REALM` part from the user principal name to get the username.
This username is used to look up the user in the configured authorization
realms (in this case the LDAP realm). Without `remove_realm_name`, the lookup
key would be the full `user@REALM` principal, which the `(cn={0})` filter above
would not match unless the directory entries are named that way.

For more information on the Kerberos realm see <<kerberos-realm>>.

[source, yaml]
------------------------------------------------------------
xpack:
  security:
    authc:
      realms:
        kerberos:
          kerb1:
            order: 1
            keytab.path: "ES_PATH_CONF/es.keytab"
            remove_realm_name: true
            authorization_realms: ldap1
------------------------------------------------------------

==== PKI realm configured to delegate authorization

We can similarly configure a PKI realm to delegate authorization to the LDAP
realm. The user is authenticated by the PKI realm and the authorization is
delegated to the LDAP realm. In this example, the username is the common name
(CN) extracted from the subject DN of the client certificate. The LDAP realm
uses this username to look up the user and assign the roles.

For more information on PKI realms see <<pki-realm>>.

[source, yaml]
------------------------------------------------------------
xpack:
  security:
    authc:
      realms:
        pki:
          pki1:
            order: 2
            authorization_realms: ldap1
------------------------------------------------------------

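The Kerberos and PKI sections above both turn an authenticated identity into a
plain username that the LDAP realm then substitutes into its search filter.
The following Python, added here as an example and not code from Elasticsearch,
works through that chain end to end and then checks the result of a
`GET /_security/_authenticate` call, whose `authentication_realm` and
`lookup_realm` fields show which realm authenticated the user and which one
supplied the roles. The default PKI `username_pattern` of `CN=(.*?)(?:,|$)`,
case-insensitive matching of that pattern, RFC 4515 escaping of the username
before it is placed into the filter, the function names and the sample
response are all assumptions made for this example.

```python
"""Username derivation for delegated authorization and a check of the
_security/_authenticate response.

Added example, not Elasticsearch code. It mirrors the behaviour described on
this page: the Kerberos realm strips "@REALM" when remove_realm_name is true,
the PKI realm takes the CN from the certificate subject DN (the default
username_pattern is assumed here), and the LDAP realm substitutes the
resulting username into the user_search filter's {0}.
"""
import re
from typing import Dict, List, Optional

# Assumption: default PKI realm username_pattern.
DEFAULT_PKI_USERNAME_PATTERN = r"CN=(.*?)(?:,|$)"


def username_from_principal(principal: str, remove_realm_name: bool) -> str:
    """Kerberos: 'alice@EXAMPLE.ORG' -> 'alice' when remove_realm_name is true."""
    if remove_realm_name and "@" in principal:
        return principal.rsplit("@", 1)[0]
    return principal


def username_from_dn(subject_dn: str, pattern: str = DEFAULT_PKI_USERNAME_PATTERN) -> Optional[str]:
    """PKI: first capture group of the username pattern, matched
    case-insensitively (assumed). None when the DN carries no CN."""
    m = re.search(pattern, subject_dn, re.IGNORECASE)
    return m.group(1) if m else None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a username such as
    'a*b' or '(x)' cannot widen or break the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter(template: str, username: str) -> str:
    """Substitute the username into the user_search.filter template."""
    return template.replace("{0}", ldap_escape(username))


def check_authenticate_response(resp: Dict, expected_authn: str, expected_lookup: str) -> List[str]:
    """Compare authentication_realm and lookup_realm in a
    GET /_security/_authenticate response with the realms we expect.
    An empty list means delegation took the intended path."""
    problems: List[str] = []
    authn = resp.get("authentication_realm", {}).get("name")
    lookup = resp.get("lookup_realm", {}).get("name")
    if authn != expected_authn:
        problems.append(f"authenticated by '{authn}', expected '{expected_authn}'")
    if lookup != expected_lookup:
        problems.append(f"looked up in '{lookup}', expected '{expected_lookup}'")
    if not resp.get("roles"):
        problems.append("no roles assigned; check role_mapping and group_search")
    return problems


# Constructed sample response for a Kerberos-authenticated user whose
# authorization was delegated to ldap1; the role name is made up.
SAMPLE_RESPONSE = {
    "username": "alice",
    "roles": ["logs_reader"],
    "authentication_realm": {"name": "kerb1", "type": "kerberos"},
    "lookup_realm": {"name": "ldap1", "type": "ldap"},
}

if __name__ == "__main__":
    user = username_from_principal("alice@EXAMPLE.ORG", remove_realm_name=True)
    print(ldap_filter("(cn={0})", user))
    print(ldap_filter("(cn={0})", username_from_dn("CN=bob (ops),OU=eng,DC=example,DC=org")))
    print(check_authenticate_response(SAMPLE_RESPONSE, "kerb1", "ldap1"))
```

Against a live cluster, obtain the response with `curl --negotiate -u :` for a
Kerberos user, or with `--cert`/`--key` for a PKI user, and pass the parsed JSON
to `check_authenticate_response`; if `lookup_realm` comes back equal to
`authentication_realm`, the delegation did not take effect and the
`authorization_realms` setting on the authenticating realm is the first thing
to re-check.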
Similar to the above examples, we can configure other realms to delegate
authorization to authorization realms (that is, realms that can look up a user
by username and assign roles).