Configuring role mappings


When a user authenticates using OpenID Connect, they are identified to the Elastic Stack, but this does not automatically grant them access to perform any actions or access any data.

Your OpenID Connect users cannot do anything until they are assigned roles. This can be done through either the add role mapping API or with authorization realms.

You cannot use role mapping files to grant roles to users authenticating via OpenID Connect.

This is an example of a simple role mapping that grants the example_role role to any user who authenticates against the oidc1 OpenID Connect realm:

PUT /_security/role_mapping/oidc-example
{
  "roles": [ "example_role" ],
  "enabled": true,
  "rules": {
    "field": { "realm.name": "oidc1" }
  }
}

The example_role role is not a built-in Elasticsearch role. This example assumes that you have created a custom role of your own, with appropriate access to your data streams, indices, and Kibana features.

The user properties that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.

The user fields that are provided to the role mapping are derived from the OpenID Connect claims as follows:

  • username: The principal user property
  • dn: The dn user property
  • groups: The groups user property
  • metadata: See User metadata

For more information, see Mapping users and groups to roles and role mapping APIs.

If your OP has the ability to provide groups or roles to RPs via the use of an OpenID Claim, then you should map this claim to the claims.groups setting in the Elasticsearch realm (see Mapping claims to user properties), and then make use of it in a role mapping as per the example below.

This mapping grants the Elasticsearch finance_data role to any user who authenticates via the oidc1 realm and has the finance-team group membership.

PUT /_security/role_mapping/oidc-finance
{
  "roles": [ "finance_data" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "groups": "finance-team" } }
  ] }
}
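To see how the user properties listed above and the two mappings on this page interact, here is an added example that is not Elastic's code: a small Python re-implementation of the role-mapping rule operators (field, any, all and except, with * as the only wildcard in string values) run against user properties built from constructed ID-token claims. The claim names sub and groups, the metadata key format oidc(...), and the third, disabled mapping are assumptions made for this example; the real evaluation happens inside Elasticsearch.

```python
import re
from typing import Any

# Constructed realm settings mirroring the claims.* options mentioned on the page.
# The claim names "sub" and "groups" are assumptions for this example.
REALM_CLAIM_SETTINGS = {
    "claims.principal": "sub",     # becomes the "username" user property
    "claims.groups": "groups",     # becomes the "groups" user property
}

# The two role mappings from the page, plus a constructed disabled one to show
# that "enabled": false must never grant anything, however broad its rule.
ROLE_MAPPINGS = {
    "oidc-example": {
        "roles": ["example_role"],
        "enabled": True,
        "rules": {"field": {"realm.name": "oidc1"}},
    },
    "oidc-finance": {
        "roles": ["finance_data"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": "oidc1"}},
            {"field": {"groups": "finance-team"}},
        ]},
    },
    "oidc-audit-disabled": {
        "roles": ["audit_admin"],
        "enabled": False,
        "rules": {"field": {"groups": "*"}},
    },
}


def user_properties(realm_name: str, claims: dict[str, Any],
                    settings: dict[str, str] = REALM_CLAIM_SETTINGS) -> dict[str, Any]:
    """Build the user properties that role mapping sees from ID-token claims.

    Only the claims named in claims.principal / claims.groups feed username and
    groups. An OIDC user has no DN, so "dn" stays None and a rule on it never matches.
    """
    principal = claims.get(settings["claims.principal"])
    if not principal:
        # Elasticsearch rejects the login when the principal claim is absent.
        raise ValueError("principal claim missing from ID token")
    groups = claims.get(settings.get("claims.groups", "")) or []
    if isinstance(groups, str):          # a single-valued claim is still a group list
        groups = [groups]
    return {
        "username": principal,
        "dn": None,
        "groups": list(groups),
        "realm.name": realm_name,
        # Assumption for this example: raw claims kept as metadata under "oidc(...)".
        "metadata": {f"oidc({k})": v for k, v in claims.items()},
    }


def _wildcard_match(pattern: str, value: str) -> bool:
    """'*' is the only wildcard honoured in role-mapping field values."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _lookup(user: dict[str, Any], key: str) -> Any:
    """Resolve a field-rule key: a top-level property or a metadata.<key> path."""
    if key in user:
        return user[key]
    if key.startswith("metadata."):
        return user["metadata"].get(key[len("metadata."):])
    return None


def _field_matches(user: dict[str, Any], key: str, expected: Any) -> bool:
    """Match when any expected value equals (or wildcard-matches) any user value."""
    expected_values = expected if isinstance(expected, list) else [expected]
    actual = _lookup(user, key)
    actual_values = actual if isinstance(actual, list) else [actual]
    for exp in expected_values:
        for act in actual_values:
            if isinstance(exp, str) and isinstance(act, str):
                if _wildcard_match(exp, act):
                    return True
            elif exp == act:
                return True
    return False


def evaluate(rule: dict[str, Any], user: dict[str, Any]) -> bool:
    """Evaluate one rule object carrying exactly one operator."""
    if len(rule) != 1:
        raise ValueError("a rule object carries exactly one operator")
    (kind, body), = rule.items()
    if kind == "field":
        return all(_field_matches(user, k, v) for k, v in body.items())
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "all":
        return all(evaluate(r, user) for r in body)
    if kind == "except":
        return not evaluate(body, user)
    raise ValueError(f"unknown rule operator {kind!r}")


def granted_roles(user: dict[str, Any],
                  mappings: dict[str, dict[str, Any]] = ROLE_MAPPINGS) -> set[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles: set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


if __name__ == "__main__":
    # Constructed ID-token claims; no identity provider is contacted.
    alice = user_properties("oidc1", {"sub": "alice", "groups": ["finance-team", "staff"]})
    bob = user_properties("oidc1", {"sub": "bob", "groups": ["engineering"]})
    print(sorted(granted_roles(alice)))   # ['example_role', 'finance_data']
    print(sorted(granted_roles(bob)))     # ['example_role']
```

The point worth checking in a real deployment is the same one the script makes visible: a user from a different realm, or one whose OP never sent the groups claim, falls through both mappings and ends up with no roles at all, so an unmapped claim fails closed rather than open.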

If your users also exist in a repository that can be directly accessed by Elasticsearch (such as an LDAP directory) then you can use authorization realms instead of role mappings.

In this case, you perform the following steps:

  1. In your OpenID Connect realm, assign a claim to act as the lookup userid, by configuring the claims.principal setting.
  2. Create a new realm that can look up users from your local repository (e.g. an ldap realm).
  3. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.