Cannot modify roles mapping

Hello,

I’m using docker-compose and trying to modify the “roles_mapping.yml” file, but it has no effect.
I created a role using the APIs and now I’m trying to map an LDAP user to this role. I restarted my docker containers and saw that “roles_mapping.yml” was modified in the containers, but when I go to OpenSearch Dashboards I can see that my user does not have the role I wanted to set.
As a test, I tried to modify the “config.yml” file (for the security plugin): I commented out everything in this file, but it also had no effect on my OS instance. I don’t know why, but it really looks like my changes are not taken into account.
The only .yml file that I can modify and see effects from is “opensearch.yml”, but it looks like I cannot modify the security plugin’s .yml files…

Do you have any ideas? Maybe restarting the containers is not enough?
Thank you very much

@JorisV Could you share your docker-compose.yml and roles_mapping.yml files?

docker-compose.yml:

version: '3'
services:

  opensearch-ldap-lac:
    image: opensearchproject/opensearch:1.3.1
    container_name: opensearch-ldap-lac
    environment:
      - cluster.name=opensearch-ldap-cluster
      - node.name=opensearch-ldap-lac
      - discovery.seed_hosts=opensearch-ldap-lac
      - cluster.initial_master_nodes=opensearch-ldap-lac
      - bootstrap.memory_lock=false
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-ldap-lac_data:/usr/share/opensearch/data
      - ./config.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
      - ./audit.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/audit.yml
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
      - ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
      - ./certs/cert.pem:/usr/share/opensearch/config/cert.pem
      - ./certs/cert-cert.pem:/usr/share/opensearch/config/cert-cert.pem
      - ./certs/cert-key-pkcs8.pem:/usr/share/opensearch/config/cert-key.pem
    ports:
      - 9209:9200
      - 9609:9600 # required for Performance Analyzer
    dns:
      - 10.38.34.3
      - 10.38.34.4
    dns_search:
      - my.dns
    networks:
      - opensearch-ldap-lac_net
  opensearch-ldap-dashboards:
    image: opensearchproject/opensearch-dashboards:1.3.1
    container_name: opensearch-ldap-dashboards
    depends_on:
      - opensearch-ldap-lac
    volumes:
      - ./dashboards-config/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
      - ./dashboards-config/node.options:/usr/share/opensearch-dashboards/config/node.options
      - ./certs/cert.pem:/usr/share/opensearch-dashboards/config/cert.pem
      - ./certs/cert-cert.pem:/usr/share/opensearch-dashboards/config/cert-cert.pem
      - ./certs/cert-key-pkcs8.pem:/usr/share/opensearch-dashboards/config/cert-key.pem
    ports:
      - 5609:5601
    dns:
      - 10.38.34.3
      - 10.38.34.4
    expose:
      - "5609"
    environment:
      OPENSEARCH_HOSTS: '["https://my.dns:9209"]'
    networks:
      - opensearch-ldap-lac_net


volumes:
  opensearch-ldap-lac_data:

networks:
  opensearch-ldap-lac_net:

and roles_mapping.yml:

---

_meta:
  type: "rolesmapping"
  config_version: 3

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "Administrator"
  - "User_group_admin"
  - "User_group_1"
  - "testuser"
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  - "Developers"
  - "User_group_1"
  - "User_group_2"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
  - "readall"
  - "Developers"
  - "User_group_admin"
  - "User_group_1"
  - "User_group_2"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"
  - "Developers"
  - "User_group_1"
  - "User_group_2"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"
  - "User_group_admin"
  - "User_group_1"
  - "User_group_2"

test-arango-index:
  reserved: false
  backend_roles:
  - "User_group_1"
  - "User_group_2"

own_star_index:
  reserved: false
  backend_roles:
  - "User_group_1"
  - "User_group_2"

The role I’m trying to add is “own_star_index” and my user is in “User_group_1”

@JorisV Do you see mapped files in the container?

@pablo Yes, I see those files, and I see the changes in the container when I write something.

@JorisV So, the issue is in the lack of assigned roles to LDAP users?
Could you share your config.yml file?

Yes, that’s it, but it’s really weird.
Here is my config.yml file:

_meta:
  type: "config"
  config_version: 3

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      #anonymous_auth_enabled: true
      xff:
        enabled: true
        internalProxies: '10.38.44.10'
        remoteIpHeader: 'x-forwarded-for'
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          #challenge: false
          challenge: true
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          #challenge: false
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - 10.38.34.5:389
              - my.dns:389
            bind_dn: [...]
            password: [...]
            userbase: [...]
            usersearch: [...]
            username_attribute: [...]

    authz:
      ldap_users_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - 10.38.34.5:389
              - my.dns:389
            bind_dn: [...]
            password: [...]
            userbase: [...]
            usersearch: [...]
            username_attribute: [...]
            skip_users:
              - admin
              - kibanaserver
            rolebase: [...]
            rolesearch: '(Member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: false

[…] are confidential info
Thanks for taking the time to answer me

@JorisV Can you also take the screenshot of roles assigned to the LDAP user from OpenSearch Dashboards?

Some roles are working well, but not “own_star_index”, which I added afterwards; for example, if I comment out everything in “roles_mapping.yml” I do not notice any change in this OpenSearch Dashboards section.

@JorisV Just want to be clear in terms of the workflow.
Have you added this role mapping after executing docker-compose or before?

I added this after but then I just did a docker-compose down → docker-compose up to be sure

@JorisV When you make changes in the plugin .yml files, you must use securityadmin.sh to update the configuration in the cluster.

Please be aware that if you made any changes in the cluster using OpenSearch Dashboards or the OpenSearch APIs, then securityadmin.sh will overwrite those changes.

The best approach is to take a backup of the running configuration first, make the changes in the .yml files, and upload the updated configuration back to the cluster.
Backup and update are both done by the securityadmin.sh script. Please refer to the OpenSearch documentation for more details.
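
The backup, edit, verify, upload cycle described in the answer above, as an added shell example that is not part of this thread or of the OpenSearch project. It takes the container name and mount paths from the posted docker-compose.yml and assumes that cert.pem/cert-key.pem are an admin certificate pair listed under plugins.security.authcz.admin_dn in opensearch.yml (not shown here) with cert-cert.pem as the CA; backend_role_mapped is a helper written for this example to check a roles_mapping.yml entry before the upload and in the fresh backup afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): backup -> edit -> verify -> upload with
# securityadmin.sh against the poster's container. Which mounted PEM is the CA
# and which is an admin cert (plugins.security.authcz.admin_dn) is ASSUMED.
set -eu
CONTAINER=${CONTAINER:-opensearch-ldap-lac}
PLUGIN=/usr/share/opensearch/plugins/opensearch-security
CFG=/usr/share/opensearch/config
# -icl ignores the cluster name, -nhnv skips hostname verification.
ADMIN_ARGS="-cacert $CFG/cert-cert.pem -cert $CFG/cert.pem -key $CFG/cert-key.pem -icl -nhnv"

# Step 1: dump the live config (including changes made through the API or
# Dashboards, which the mounted .yml files never saw) to ./secbackup.
backup_security_config() {
  docker exec "$CONTAINER" "$PLUGIN/tools/securityadmin.sh" -backup /tmp/secbackup $ADMIN_ARGS
  docker cp "$CONTAINER:/tmp/secbackup" ./secbackup
}

# Step 3: push only the rolesmapping type back; the other types stay untouched.
upload_roles_mapping() {
  docker exec "$CONTAINER" "$PLUGIN/tools/securityadmin.sh" \
    -f "$PLUGIN/securityconfig/roles_mapping.yml" -t rolesmapping $ADMIN_ARGS
}

# Offline check, run before the upload and on a fresh backup afterwards:
# exit 0 if BACKEND appears under ROLE's backend_roles in FILE, else 1.
backend_role_mapped() { # FILE ROLE BACKEND
  awk -v role="$2" -v want="$3" '
    /^[A-Za-z0-9_-]+:/ { sec = $1; sub(/:$/, "", sec); inb = 0; next }
    sec == role && /^  backend_roles:/ { inb = 1; next }
    sec == role && /^  [a-z_]+:/ { inb = 0; next }
    sec == role && inb && /^  - / { v = $2; gsub(/"/, "", v); if (v == want) found = 1 }
    END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed sample mirroring the poster's own_star_index entry.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
own_star_index:
  backend_roles:
  - "User_group_1"
  - "User_group_2"
EOF
backend_role_mapped "$SAMPLE" own_star_index User_group_1 && echo "sample mapping present"

if [ "${RUN_LIVE:-0}" = 1 ]; then   # needs Docker and the running cluster
  backup_security_config
  backend_role_mapped ./roles_mapping.yml own_star_index User_group_1
  upload_roles_mapping
fi
```

Run with RUN_LIVE=1 to execute the Docker steps; without it only the offline check on the constructed sample runs.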

Yes, it solved my problem. I had missed this point, thank you very much!