Hello,
I am back with another question!
I am trying to create an internal user in Kibana with FGAC, through OpenDistro API.
I was able to create a user! Great!
But I got two concerns with that -
- The users that I've created are visible in the internal-users section, but not able to filter by them in the Roles section.
- I am wondering if above point-1 is happening because, I did not map the Roles properly to the user I've created using this api call -
PUT _opendistro/_security/api/internalusers/<username>
The documentation says you can pass the Roles using the parameter/attribute "roles"
https://opendistro.github.io/for-elasticsearch-docs/old/0.9.0/docs/security/api/#create-user
But when I do that, I get a 400 error, the "doc" prefix roles are not pre-defined ones -
Request:
PUT _opendistro/_security/api/internalusers/new-user-1
{
  "password": "some1@pass",
  "roles": ["readall_and_monitor", "doc_alerting_access", "doc_tenants"]
}
Response:
{
  "status_code": 400,
  "response": {
    "status": "error",
    "reason": "Invalid configuration",
    "invalid_keys": {
      "keys": "roles"
    }
  }
}
Can someone please help me understand what I am doing wrong, and help me fix this.
Update:
If I try to login with the newly created user -
Best
Prashanth Sripathi
@psripathi
which version of odfe are you using?
Can you change the "roles" to "opendistro_security_roles" and make sure the roles listed already exist in the security configuration.
Hope this helps
@Anthony Our Kibana sits on top of AWS Elasticsearch service. I am not exactly sure on the ODFE version. But running Kibana 7.10
But I followed your suggestion, and was able to create a user with "opendistro_security_roles" (Should the API document reflect this change?) -
{
  "status_code": 201,
  "response": {
    "status": "CREATED",
    "message": "'new-user-1' created."
  }
}
And, the weird part is that, I couldn't see the user in the Roles section under "Internal users" column.
But interestingly was able to login with the created test user and has all the access I assigned while making the api call.
Is that a bug in the UI?
Because, from the front-end I won't be able to check what roles the user is assigned with during an audit or something.
Best
Prashanth Sripathi
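Added example (not part of the original posts, and not ODFE project code): for the audit concern above, role assignments can be read back from the security API instead of the UI and merged per user. The JSON below is constructed sample data; the response field names (`opendistro_security_roles`, `backend_roles`, `users`) and the function names `build_user_body` and `effective_roles` are assumptions made for this sketch.

```python
# Added example: offline audit of role assignments for internal users.
# All JSON below is constructed sample data, not output from a real cluster.
import json

# Assumed shape of GET _opendistro/_security/api/internalusers
INTERNAL_USERS = json.loads("""{
  "new-user-1": {"backend_roles": [],
                 "opendistro_security_roles": ["readall_and_monitor", "doc_tenants"]},
  "ui-user-1":  {"backend_roles": ["analysts"], "opendistro_security_roles": []}
}""")

# Assumed shape of GET _opendistro/_security/api/rolesmapping
ROLES_MAPPING = json.loads("""{
  "readall_and_monitor": {"users": ["ui-user-1"], "backend_roles": []},
  "doc_tenants":         {"users": [], "backend_roles": ["analysts"]}
}""")

# Constructed: role names as they would come from GET _opendistro/_security/api/roles
DEFINED_ROLES = {"readall_and_monitor", "doc_alerting_access", "doc_tenants"}


def build_user_body(password, roles, defined_roles):
    """Body for PUT .../internalusers/<username>; refuses undefined roles."""
    missing = sorted(set(roles) - set(defined_roles))
    if missing:
        raise ValueError("roles not defined in security config: %s" % missing)
    return {"password": password, "opendistro_security_roles": list(roles)}


def effective_roles(users, mapping):
    """Per user: role -> how it was granted (direct and/or via roles mapping)."""
    report = {}
    for name, user in users.items():
        granted = {}
        for role in user.get("opendistro_security_roles", []):
            granted.setdefault(role, set()).add("direct")
        for role, entry in mapping.items():
            if name in entry.get("users", []):
                granted.setdefault(role, set()).add("mapping:user")
            if set(user.get("backend_roles", [])) & set(entry.get("backend_roles", [])):
                granted.setdefault(role, set()).add("mapping:backend_role")
        report[name] = {role: sorted(how) for role, how in sorted(granted.items())}
    return report


if __name__ == "__main__":
    print(json.dumps(effective_roles(INTERNAL_USERS, ROLES_MAPPING), indent=2))
```

To audit a real cluster, replace the three constants with the parsed responses of the corresponding GET calls.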
@psripathi glad you got it working, regarding a bug, yes, it would appear to be a bug, however I can confirm that UI reflects the new user using odfe, therefore the issue is with AWS ES service offering and I would recommend raising an AWS support ticket as this forum is for odfe and opensearch.
Regarding the documentation, I think it's already updated, see docs here
Hope this helps
@Anthony Yep, thank you for checking this for me, looking back at the documentation link I referenced, it seems to be an old version of ODFE.
JFYI, this issue I am seeing with user mapping in UI is only for users created through api call, if I create a user from the front-end directly, this doesn't seem to occur.
I am assuming we are on the same page here. So I will check with AWS support why this issue is occurring. I will try and update this post when I receive an update.
Thank you again!