AD user admin role

Security
1

Hi,

I am running odfe version 1.0.1, I was running 0.9.0 and I was able to map a AD group and give them all admin permissions.
When I did the upgrade and since my cluster was not that big, I decided to rebuild the cluster from the grounds up using Docker containers.
The issue I am having is; I have a AD group “ES_Admins” and I want to give members of the group the same access level as user “admin” but to no avail, here is my current config for the role:

   {
      "description": "Allow full admin access ",
      "index_permissions": [
        {
          "index_patterns": [
            "*"
          ],
          "fls": [],
          "masked_fields": [],
          "allowed_actions": [
            "cluster_all",
            "indices_all",
            "crud"
          ]
        }
      ],
      "tenant_permissions": [
        {
          "tenant_patterns": [
            "*"
          ],
          "allowed_actions": [
            "kibana_all_write",
            "kibana_all_read"
          ]
        }
      ],
      "cluster_permissions": [
        "indices_all",
        "cluster_all",
        "crud",
        "kibana_all_read",
        "kibana_all_write",
        "manage",
        "indices:admin/*",
        "cluster:admin/*"
      ]
    }

Am I missing something? and could you please point me where can I find documentation about the permissions needed for each type of user.

Thank you,

2

Anyone able to help with this?

3

Using Kibana…

Create a New role. Give this role UNLIMITED Cluster permissions. Under “Select Index and Document Type”:
Index = * and Document type = *
Permissions = unlimited
Save new Role

Now go to Role Mappings:
Create a new mapping. From the Dropdown select the role you just created. Add ES_Admins to Backend Roles

Save. ES_Admins members now have access to everything but the Security API

Then, if you want your ES_Admins to have access to the Security API, create a role called security_rest_api_access, (This is a reserved role). Leave Cluster and Index permissions blank. Save. Now go to Role Mappings again and create a new mapping. Choose “security_rest_api_access” from the drop down and add ES_Admins to Backend Roles. Save.

Now ES_admins have the same access and permissions as the built in admin user.

There is probably a better way to accomplish this task but this works for me for now.

2 Likes
4

@rlk5546, thank you! that actually worked worked for me. I would have never found out about this reserved role, do you know where can I find this documented (if it is)?