Security domains

edit

This feature is in development and not yet available for use. This documentation is provided for informational purposes only.

Security domains are a method of grouping multiple realms under the same domain so that the Elastic Stack can recognize when a single user authenticates with these realms. Users can authenticate with any of the realms in the domain group, and have access to the same set of resources regardless of which realm they authenticated with.

For example, a single user profile is associated with a user, enabling preferences, notifications, and other user data to be shared across realms. The user can view results from an asynchronous search request or a scrolling search across realms. If the user has the necessary privileges, they can also view and manage API keys across realms.

Resource sharing across domains

edit

Some types of resources in Elasticsearch are owned by a single user, such as async search contexts, API keys, and user profiles. When a user creates a resource, Elasticsearch captures the user’s username and realm information as part of the resource’s metadata.

When a user later attempts to access the resource, Elasticsearch compares the captured username and realm information against those from the accessing user. Elasticsearch will deny access unless both the realm and username match. If Elasticsearch detects that a username from two different realms is attempting to access a resource, Elasticsearch assumes that these users are distinct and doesn’t allow resources to be shared between those users.

However, there are cases where the same user can authenticate with multiple realms and needs to share the same set of resources across realms. For example, an LDAP realm and a SAML realm can be backed by the same directory service. Additionally, authorization delegation allows one realm to delegate authorization to another realm. If both realms authenticate users with the same username, it’s reasonable to treat these users as the same user from a resource ownership perspective.

Security domains make resource sharing across realms possible by grouping those realms under the same domain. Elasticsearch always enforces the privileges that are associated with the currently authenticated user, which remains true with security domains. Security domains don’t bypass user authorization when resource sharing requires them. For example, a user requires the manage_own_api_key privilege to manage their own API keys. If that user doesn’t have this privilege when authenticating with one realm, they won’t be able to manage API keys while authenticating with another realm.

Managing roles across realms

edit

Elasticsearch provides multiple ways to consistently apply roles across realms. For example, you can use authorization delegation to ensure that a user is assigned the same roles from multiple realms. You can also manually configure multiple realms that are backed by the same directory service. Though it’s possible to configure different roles for the same user when authenticating with different realms, it is not recommended.

Configure a security domain

edit

You configure realms to be under a domain in elasticsearch.yml. The realms must be defined in elasticsearch.yml but do not need to be enabled.

The file realm and native realm are automatically enabled as default_file and default_native, respectively, without any explicit configuration. You can list these realms under domains even when they are not explicitly defined in elasticsearch.yml.

  1. Add a security domain configuration to elasticsearch.yml under the xpack.security.authc.domains namespace:

    xpack:
      security:
        authc:
          domains:
            my_domain:
              realms: [ 'default_native', 'saml1' ] 

    This configuration defines a security domain called my_domain, which contains two realms named default_native and saml1.

  2. Restart Elasticsearch.

Elasticsearch can fail to start if the domain configuration is invalid, such as:

  • A single realm is configured under multiple domains.
  • Any undefined realm, synthetic realm, or the reserved realm is configured to be under a domain.