Configuring role mappings
editConfiguring role mappings
editWhen a user authenticates using OpenID Connect, they are identified to the Elastic Stack, but this does not automatically grant them access to perform any actions or access any data.
Your OpenID Connect users cannot do anything until they are assigned roles. This can be done through either the add role mapping API or with authorization realms.
You cannot use role mapping files to grant roles to users authenticating via OpenID Connect.
This is an example of a simple role mapping that grants the example_role
role
to any user who authenticates against the oidc1
OpenID Connect realm:
PUT /_security/role_mapping/oidc-example { "roles": [ "example_role" ], "enabled": true, "rules": { "field": { "realm.name": "oidc1" } } }
The |
The user properties that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.
The user fields that are provided to the role mapping are derived from the OpenID Connect claims as follows:
-
username
: Theprincipal
user property -
dn
: Thedn
user property -
groups
: Thegroups
user property -
metadata
: See User metadata
For more information, see Mapping users and groups to roles and role mapping APIs.
If your OP has the ability to provide groups or roles to RPs via tha use of
an OpenID Claim, then you should map this claim to the claims.groups
setting in
the Elasticsearch realm (see Mapping claims to user properties), and then make use of it in a role mapping
as per the example below.
This mapping grants the Elasticsearch finance_data
role, to any users who authenticate
via the oidc1
realm with the finance-team
group membership.
PUT /_security/role_mapping/oidc-finance { "roles": [ "finance_data" ], "enabled": true, "rules": { "all": [ { "field": { "realm.name": "oidc1" } }, { "field": { "groups": "finance-team" } } ] } }
If your users also exist in a repository that can be directly accessed by Elasticsearch (such as an LDAP directory) then you can use authorization realms instead of role mappings.
In this case, you perform the following steps:
-
In your OpenID Connect realm, assign a claim to act as the lookup userid,
by configuring the
claims.principal
setting. -
Create a new realm that can look up users from your local repository (e.g. an
ldap
realm) -
In your OpenID Connect realm, set
authorization_realms
to the name of the realm you created in step 2.