mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-26 23:07:45 +00:00
In the documentation reorganization for Shield, the type of the active directory realm changed and is not valid. Users are configuring Shield incorrectly and running into issues because of this. This changes the realm type to the correct value. Closes elastic/elasticsearch#291 Original commit: elastic/x-pack-elasticsearch@7f8b65eda7
78 lines
3.2 KiB
Plaintext
[[mapping-roles]]
=== Mapping Users and Groups to Roles

If you authenticate users with an `esusers` realm, you can assign roles when you <<esusers-add,add a user>> and use the <<esusers-roles,`roles`>> command to add or remove roles.

For other types of realms, you configure role mappings for users and groups in a YAML file. By default, role mappings are stored in `config/shield/role_mapping.yml`. You can specify
the name and location of the mapping file by configuring the appropriate `role_mapping` setting in `elasticsearch.yml`:

`shield.authc.ldap.files.role_mapping` :: The location of the role mapping file for LDAP realms.
`shield.authc.active_directory.files.role_mapping` :: The location of the role mapping file for Active Directory realms.
`shield.authc.pki.files.role_mapping` :: The location of the role mapping file for PKI realms.

Within the role mapping file, Elasticsearch roles are keys and groups
and users are values. The mapping can have a many-to-many relationship.
When you map roles to groups, the roles of a user in that group are the combination of the
roles assigned to that group and the roles assigned to that user.

To map users and groups to a role, you create a mapping file and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.

[[ldap-role-mapping]]
.Example LDAP Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example LDAP group mapping configuration:
# roleA:          <1>
#   - groupA-DN   <2>
#   - groupB-DN
#   - user1-DN    <3>
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
------------------------------------------------------------
<1> The name of the Elasticsearch role found in the <<defining-roles, roles file>>
<2> Example specifying the distinguished name of an LDAP group
<3> Example specifying the distinguished name of an LDAP user added[1.1.0]

[[ad-role-mapping]]
.Example Active Directory Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example Active Directory group mapping configuration:
# roleA:          <1>
#   - groupA-DN   <2>
#   - groupB-DN
#   - user1-DN    <3>
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <<defining-roles, roles file>>
<2> Example specifying the distinguished name of an Active Directory group
<3> Example specifying the distinguished name of an Active Directory user

[[pki-role-mapping]]
.Example PKI Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example user mapping configuration:
# roleA:          <1>
#   - user1-DN    <2>
monitoring:
  - "cn=Admin,ou=example,o=com"
user:
  - "cn=John Doe,ou=example,o=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <<defining-roles, roles file>>
<2> Example specifying the distinguished name of a PKI user

NOTE: For PKI realms, only the DN of a user can be mapped as there is no concept of a group in PKI.
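To make the mapping semantics above concrete, here is an added Python example (not Shield's own code) that parses the flat `role: [DN, ...]` form shown in these files and resolves a user's effective roles as the union of the roles mapped to the user's DN and the roles mapped to any of the user's group DNs; it also lists every DN granted a given role, which is the view you want when auditing who can reach `monitoring`. The DN normalisation it applies (lower-casing and removing whitespace around `,` and `=`) and the sample file contents are assumptions for this example, not behaviour documented on this page.

```python
import re

# Constructed sample in the documented flat format (comments included).
SAMPLE_MAPPING = """\
# roleA:
#   - groupA-DN
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
"""


def normalize_dn(dn):
    """Lower-case and drop whitespace around ',' and '=' (assumed rule)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_role_mapping(text):
    """Parse the `role: [DN, ...]` YAML subset used by role_mapping.yml."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # strip YAML comments
        if not line.strip():
            continue
        item = line.strip()
        if item.startswith("-") and role is not None:     # list entry: one DN
            mapping[role].append(normalize_dn(item[1:].strip().strip("\"'")))
        elif item.endswith(":") and not item.startswith("-"):
            role = item[:-1].strip()                      # new role key
            mapping.setdefault(role, [])
        else:
            raise ValueError("unsupported line in role mapping: %r" % raw)
    return mapping


def effective_roles(mapping, user_dn, group_dns=()):
    """Union of roles mapped to the user's DN and to any of its group DNs."""
    subjects = {normalize_dn(d) for d in (user_dn, *group_dns)}
    return sorted(r for r, dns in mapping.items() if subjects & set(dns))


def members_of_role(mapping, role):
    """Audit view: every DN (user or group) that is granted `role`."""
    return sorted(set(mapping.get(role, [])))
```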