JorisV
April 20, 2022, 9:55am
1
Hello,
I’m using docker-compose and trying to modify the “roles_mapping.yml” file, but it has no effect.
I created a role using the APIs and now I’m trying to map an LDAP user to this role. I restarted my docker containers and saw that “roles_mapping.yml” was modified in the containers, but when I go to OpenSearch Dashboards I can see that my user does not have the role I wanted to set.
As a test, I tried to modify the “config.yml” file (for the security plugin): I commented everything in this file, but it also had no effect on my OpenSearch instance. I don’t know why, but it really looks like my changes are not taken into account.
The only .yml file that I can modify and see effects from is “opensearch.yml”; it looks like I cannot modify the security plugin .yml files…
Do you have any ideas? Maybe restarting the containers is not enough?
Thank you very much
pablo
April 20, 2022, 10:08am
2
@JorisV Could you share your docker-compose.yml and roles_mapping.yml files?
JorisV
April 20, 2022, 10:27am
3
docker-compose.yml:
version: '3'
services:
  opensearch-ldap-lac:
    image: opensearchproject/opensearch:1.3.1
    container_name: opensearch-ldap-lac
    environment:
      - cluster.name=opensearch-ldap-cluster
      - node.name=opensearch-ldap-lac
      - discovery.seed_hosts=opensearch-ldap-lac
      - cluster.initial_master_nodes=opensearch-ldap-lac
      - bootstrap.memory_lock=false
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-ldap-lac_data:/usr/share/opensearch/data
      - ./config.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
      - ./audit.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/audit.yml
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
      - ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
      - ./certs/cert.pem:/usr/share/opensearch/config/cert.pem
      - ./certs/cert-cert.pem:/usr/share/opensearch/config/cert-cert.pem
      - ./certs/cert-key-pkcs8.pem:/usr/share/opensearch/config/cert-key.pem
    ports:
      - 9209:9200
      - 9609:9600 # required for Performance Analyzer
    dns:
      - 10.38.34.3
      - 10.38.34.4
    dns_search:
      - my.dns
    networks:
      - opensearch-ldap-lac_net
  opensearch-ldap-dashboards:
    image: opensearchproject/opensearch-dashboards:1.3.1
    container_name: opensearch-ldap-dashboards
    depends_on:
      - opensearch-ldap-lac
    volumes:
      - ./dashboards-config/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
      - ./dashboards-config/node.options:/usr/share/opensearch-dashboards/config/node.options
      - ./certs/cert.pem:/usr/share/opensearch-dashboards/config/cert.pem
      - ./certs/cert-cert.pem:/usr/share/opensearch-dashboards/config/cert-cert.pem
      - ./certs/cert-key-pkcs8.pem:/usr/share/opensearch-dashboards/config/cert-key.pem
    ports:
      - 5609:5601
    dns:
      - 10.38.34.3
      - 10.38.34.4
    expose:
      - "5609"
    environment:
      OPENSEARCH_HOSTS: '["https://my.dns:9209"]'
    networks:
      - opensearch-ldap-lac_net
volumes:
  opensearch-ldap-lac_data:
networks:
  opensearch-ldap-lac_net:
and roles_mapping.yml:
---
_meta:
  type: "rolesmapping"
  config_version: 3
all_access:
  reserved: false
  backend_roles:
    - "admin"
    - "Administrator"
    - "User_group_admin"
    - "User_group_1"
    - "testuser"
  description: "Maps admin to all_access"
own_index:
  reserved: false
  users:
    - "*"
  description: "Allow full access to an index named like the username"
kibana_user:
  reserved: false
  backend_roles:
    - "kibanauser"
    - "Developers"
    - "User_group_1"
    - "User_group_2"
  description: "Maps kibanauser to kibana_user"
readall:
  reserved: false
  backend_roles:
    - "readall"
    - "Developers"
    - "User_group_admin"
    - "User_group_1"
    - "User_group_2"
manage_snapshots:
  reserved: false
  backend_roles:
    - "snapshotrestore"
    - "Developers"
    - "User_group_1"
    - "User_group_2"
kibana_server:
  reserved: true
  users:
    - "kibanaserver"
    - "User_group_admin"
    - "User_group_1"
    - "User_group_2"
test-arango-index:
  reserved: false
  backend_roles:
    - "User_group_1"
    - "User_group_2"
own_star_index:
  reserved: false
  backend_roles:
    - "User_group_1"
    - "User_group_2"
The role I’m trying to add is “own_star_index”, and my user is in “User_group_1”.
pablo
April 20, 2022, 12:00pm
4
@JorisV Do you see mapped files in the container?
JorisV
April 20, 2022, 12:11pm
5
@pablo Yes, I see those files, and I see the changes in the container when I write something.
pablo
April 20, 2022, 12:12pm
6
@JorisV So, the issue is in the lack of assigned roles to LDAP users?
Could you share your config.yml file?
JorisV
April 20, 2022, 12:24pm
7
Yes, that’s it, but it’s really weird.
Here is my config.yml file:
_meta:
  type: "config"
  config_version: 3
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      #anonymous_auth_enabled: true
      xff:
        enabled: true
        internalProxies: '10.38.44.10'
        remoteIpHeader: 'x-forwarded-for'
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          #challenge: false
          challenge: true
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          #challenge: false
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - 10.38.34.5:389
              - my.dns:389
            bind_dn: [...]
            password: [...]
            userbase: [...]
            usersearch: [...]
            username_attribute: [...]
    authz:
      ldap_users_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - 10.38.34.5:389
              - my.dns:389
            bind_dn: [...]
            password: [...]
            userbase: [...]
            usersearch: [...]
            username_attribute: [...]
            skip_users:
              - admin
              - kibanaserver
            rolebase: [...]
            rolesearch: '(Member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: false
[...] is confidential info.
Thanks for taking the time to answer me
pablo
April 20, 2022, 1:10pm
8
@JorisV Can you also take the screenshot of roles assigned to the LDAP user from OpenSearch Dashboards?
JorisV
April 20, 2022, 1:21pm
9
Some roles are working well, but not “own_star_index”, which I added afterwards. For example, if I comment everything in “roles_mapping.yml”, I do not notice any change in this OpenSearch Dashboards section.
pablo
April 20, 2022, 7:57pm
10
@JorisV Just want to be clear in terms of the workflow.
Have you added this role mapping after executing docker-compose or before?
JorisV
April 21, 2022, 10:40am
11
I added this afterwards, but then I did a docker-compose down → docker-compose up to be sure.
pablo
April 21, 2022, 1:52pm
12
@JorisV When you make changes in the plugin .yml files, you must use securityadmin.sh to update the configuration in the cluster.
Please be aware that if you made any changes in the cluster using OpenSearch Dashboards or the OpenSearch APIs, then securityadmin.sh will overwrite those changes.
The best approach is to take a backup of the running configuration first, make the changes in the .yml files, and upload the updated configuration back to the cluster.
Backup and update are both done by the securityadmin.sh script. Please refer to the OpenSearch documentation for more details.
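As an added example (not code from this thread or from OpenSearch), a small Python check that compares the roles_mapping.yml on disk with the mappings the cluster actually serves from its security index, which is exactly the gap securityadmin.sh closes; the file content and the API response below are constructed to mirror the thread's situation, and the parser only handles the flat roles_mapping.yml layout shown above.

```python
import json

# Constructed sample: a trimmed roles_mapping.yml in the same layout as the thread's file.
ROLES_MAPPING_YML = """\
_meta:
  type: "rolesmapping"
  config_version: 3
readall:
  reserved: false
  backend_roles:
    - "readall"
    - "User_group_1"
own_star_index:
  backend_roles:
    - "User_group_1"
    - "User_group_2"
"""
# Constructed sample: what GET _plugins/_security/api/rolesmapping serves before
# securityadmin.sh uploads the file; own_star_index is absent from the live config.
LIVE_ROLESMAPPING_JSON = '{"readall": {"reserved": false, "backend_roles": ["readall", "User_group_1"]}}'


def parse_roles_mapping(text):
    """Minimal parser for the flat layout above: role -> {section -> set of values}."""
    mappings, role, section = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "---" or stripped.startswith("#"):
            continue
        if not line[0].isspace():  # top-level key: the role name (or _meta)
            role, section = stripped.rstrip(":"), None
            if role != "_meta":
                mappings[role] = {"backend_roles": set(), "users": set()}
        elif stripped.startswith("- "):  # list item under backend_roles/users
            if section:
                mappings[role][section].add(stripped[2:].strip().strip("\"'"))
        else:  # scalar key (reserved, description) or a list-section header
            key = stripped.split(":", 1)[0]
            section = key if key in ("backend_roles", "users") else None
    return mappings


def mapping_drift(file_text, live_json):
    """Roles whose backend_roles on disk differ from the running config; empty means in sync."""
    live = json.loads(live_json)
    drift = {}
    for role, spec in parse_roles_mapping(file_text).items():
        live_roles = set(live.get(role, {}).get("backend_roles", []))
        if spec["backend_roles"] != live_roles:
            drift[role] = (sorted(spec["backend_roles"]), sorted(live_roles))
    return drift
```

Any role reported by mapping_drift is one the file defines but the cluster does not serve the same way, so a restart alone will never make it appear in Dashboards.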
JorisV
April 27, 2022, 8:28am
13
Yes, it solved my problem. I had missed this point, thank you very much!