
Mapping Users and Groups to Roles

If you authenticate users with an esusers realm, you assign roles when you add a user and use the esusers roles command to add or remove roles afterwards.

For other types of realms, you configure role mappings for users and groups in a YAML file. By default, role mappings are stored in config/shield/role_mapping.yml. You can specify the name and location of the mapping file by configuring the appropriate role_mapping setting in elasticsearch.yml:

shield.authc.ldap.files.role_mapping
The location of the role mapping file for LDAP realms.
shield.authc.active_directory.files.role_mapping
The location of the role mapping file for Active Directory realms.
shield.authc.pki.files.role_mapping
The location of the role mapping file for PKI realms.

Within the role mapping file, Elasticsearch roles are keys and groups and users are values. The mapping can have a many-to-many relationship. When you map roles to groups, the roles of a user in that group are the combination of the roles assigned to that group and the roles assigned to that user.

To map users and groups to a role, you create a mapping file and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.

Example LDAP Role Mapping File.

# Example LDAP group mapping configuration:
# roleA:
#  - groupA-DN
#  - groupB-DN
#  - user1-DN
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"

In this file, monitoring and user are the names of Elasticsearch roles found in the roles file. "cn=admins,dc=example,dc=com" is an example of the distinguished name of an LDAP group, and "cn=John Doe,cn=contractors,dc=example,dc=com" is an example of the distinguished name of an LDAP user (mapping user DNs was added in 1.1.0).

Example Active Directory Role Mapping File.

# Example Active Directory group mapping configuration:
# roleA:
#  - groupA-DN
#  - groupB-DN
#  - user1-DN
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"

In this file, monitoring and user are the names of Shield roles defined in the roles file. "cn=admins,dc=example,dc=com" is an example of the distinguished name of an Active Directory group, and "cn=John Doe,cn=contractors,dc=example,dc=com" is an example of the distinguished name of an Active Directory user.

Example PKI Role Mapping File.

# Example user mapping configuration:
# roleA:
#  - user1-DN
monitoring:
  - "cn=Admin,ou=example,o=com"
user:
  - "cn=John Doe,ou=example,o=com"

In this file, monitoring and user are the names of Shield roles defined in the roles file, and "cn=John Doe,ou=example,o=com" is an example of the distinguished name of a PKI user.

For PKI realms, only the DN of a user can be mapped, because there is no concept of a group in PKI.
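To make the mapping semantics concrete (roles are keys, DNs are values, and a user's effective roles are the union of the roles mapped to the user's own DN and to any of the user's group DNs), here is an added example, not part of the Shield documentation or code, that parses the role_mapping.yml subset shown above and resolves a user's roles. The DN normalization (case-insensitive, whitespace around separators ignored) is an assumption made for the example, not a statement of how Shield compares DNs.

```python
"""Resolve effective Shield roles from a role_mapping.yml file (added example)."""
import re

# Constructed sample in the format shown above: role name -> list of DNs.
SAMPLE_MAPPING = """\
# Example LDAP group mapping configuration
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
"""

def normalize_dn(dn):
    """Assumption for this example only: compare DNs case-insensitively and
    ignore whitespace around RDN separators. Shield's own rules may differ."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_role_mapping(text):
    """Parse the 'role: [DN, ...]' YAML subset used by role_mapping.yml.
    Returns {role: set_of_normalized_dns}; rejects anything else so a typo
    in the file fails loudly instead of silently granting nothing."""
    mapping, role = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(\S[^:]*):\s*$", line)       # "rolename:"
        if m:
            role = m.group(1).strip()
            mapping.setdefault(role, set())
            continue
        m = re.match(r'^\s+-\s*"?([^"]+?)"?\s*$', line)  # '  - "DN"'
        if m and role is not None:
            mapping[role].add(normalize_dn(m.group(1)))
            continue
        raise ValueError("line %d: unrecognised role mapping syntax: %r" % (lineno, raw))
    return mapping

def effective_roles(mapping, user_dn, group_dns=()):
    """Union of roles mapped to the user's own DN and to any group DN the
    user belongs to, i.e. the many-to-many semantics described above."""
    wanted = {normalize_dn(user_dn)} | {normalize_dn(g) for g in group_dns}
    return {role for role, dns in mapping.items() if dns & wanted}
```

Running effective_roles against a real mapping file with the DNs your directory actually returns is a quick way to confirm a change to role_mapping.yml grants exactly the roles you expect before copying it to every node.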
