Difference between opendistro_security_roles and backend_roles

Please explain the differences between “opendistro_security_roles” and “backend_roles” in internal_users.yml.
And is there documentation explaining all the parameters in internal_users.yml?

@DmitryP When you look at the Roles list in OpenSearch Dashboards UI, you’ll find columns Role and Backend roles

As per documentation, the opendistro_security_roles must contain an array of existing role names defined in the Role column.

The backend_roles must contain a list of backend role names defined in the Backend roles column.

i.e.

opendistro_security_roles:
- "kibana_user"
backend_roles:
- "kibanauser"

@pablo Unfortunately I still don’t understand the meaning of the “opendistro_security_roles”.
As I understand there are roles in OpenSearch. They are mapped to the users based on 3 things (API - OpenSearch Documentation):

GET _plugins/_security/api/rolesmapping
{
  "role_starfleet" : {
    "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
    "hosts" : [ "*.starfleetintranet.com" ],
    "users" : [ "worf" ]
  }
}

So the user “worf”, if he comes from “*.starfleetintranet.com” and has backend_role “defectors”, gets the role “role_starfleet”.

What do “opendistro_security_roles” mean in internal_users.yml and how are they different from just “roles”? And what are “attributes” and where are they used?

# Define your internal users here
new-user:
  hash: "$2y$12$88IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
  reserved: false
  hidden: false
  opendistro_security_roles:
  - "specify-some-security-role-here"
  backend_roles:
  - "specify-some-backend-role-here"
  attributes:
    attribute1: "value1"
  static: false

@DmitryP According to the documentation, opendistro_security_roles maps only existing internal roles using their names. You can map any built-in or custom role. It is equivalent to mapping the user in the role.

The backend roles are the roles which were sent from IdP during the authorization process (LDAP, SAML, OIDC). You can also define built-in roles using their backend role names i.e., kibanauser, admin, logstash etc.


Unfortunately, the official documentation is very unclear to me in this case.
But as I understand it, the user’s ‘opendistro_security_roles’ property directly sets the specified roles for that user without any rolemappings.
And setting ‘backend_role’ demands a rolemapping.
So if I create user:

PUT _plugins/_security/api/internalusers/testtest
{
  "password": "aabbccddeeff",
  "opendistro_security_roles": ["security_analytics_ack_alerts"],
  "backend_roles": ["snapshotrestore"],
  "attributes": {
    "attribute1": "value1"
  }
}

and I have a rolemapping:

GET /_plugins/_security/api/rolesmapping/manage_snapshots
{
  "manage_snapshots": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "snapshotrestore"
    ],
    "and_backend_roles": []
  }
}

As a result, the user testtest will have 2 roles: “security_analytics_ack_alerts” and “manage_snapshots”
right?

@DmitryP That is correct. This user will have both roles assigned and backend_role requires rolemapping.
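As an added example (not code from the thread or from the OpenSearch project), the script below models the resolution DmitryP describes and pablo confirms: `opendistro_security_roles` on the user are granted directly, while `backend_roles` only grant something when a rolemapping references them (via `backend_roles`, or all of them via `and_backend_roles`, alongside the `users` and `hosts` criteria). The user and mapping dicts are constructed from the thread's own examples; the `two_factor_role` mapping, the `host` argument and the `fnmatch`-based host matching are assumptions for illustration, not the plugin's exact implementation. The `unmapped_backend_roles` check is the one a reviewer of internal_users.yml wants: a backend role that no mapping references grants nothing.

```python
"""Resolve a user's effective OpenSearch Security roles from two sources:
direct opendistro_security_roles and rolemapping-matched backend_roles."""
from fnmatch import fnmatch

# Constructed sample: internal_users.yml entries as Python dicts (mirrors the thread).
INTERNAL_USERS = {
    "testtest": {
        "opendistro_security_roles": ["security_analytics_ack_alerts"],
        "backend_roles": ["snapshotrestore"],
        "attributes": {"attribute1": "value1"},
    },
    "worf": {"opendistro_security_roles": [], "backend_roles": ["defectors"]},
    # Constructed: a user whose only backend role is referenced by no mapping.
    "stranger": {"opendistro_security_roles": [], "backend_roles": ["nobody_mapped"]},
    # Constructed: users for the and_backend_roles (all-of) case.
    "guinan": {"opendistro_security_roles": [], "backend_roles": ["ops"]},
    "data": {"opendistro_security_roles": [], "backend_roles": ["ops", "oncall"]},
}

# Constructed sample: roles_mapping.yml entries (mirrors the thread's two mappings;
# two_factor_role is an assumed extra mapping to show and_backend_roles).
ROLES_MAPPING = {
    "manage_snapshots": {
        "hosts": [], "users": [], "backend_roles": ["snapshotrestore"], "and_backend_roles": [],
    },
    "role_starfleet": {
        "backend_roles": ["starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com"],
        "hosts": ["*.starfleetintranet.com"],
        "users": ["worf"],
    },
    "two_factor_role": {"and_backend_roles": ["ops", "oncall"]},
}


def mapping_matches(mapping, user_name, backend_roles, host=None):
    """A mapping applies when ANY of users / backend_roles / hosts matches,
    or when the user holds ALL of and_backend_roles.
    Host matching here is a simplified fnmatch glob (assumption)."""
    if user_name in mapping.get("users", []):
        return True
    if any(br in mapping.get("backend_roles", []) for br in backend_roles):
        return True
    if host is not None and any(fnmatch(host, pat) for pat in mapping.get("hosts", [])):
        return True
    and_roles = mapping.get("and_backend_roles", [])
    return bool(and_roles) and all(r in backend_roles for r in and_roles)


def effective_roles(user_name, internal_users=INTERNAL_USERS,
                    roles_mapping=ROLES_MAPPING, host=None):
    """Direct roles plus every mapped role whose mapping matches the user."""
    user = internal_users[user_name]
    direct = set(user.get("opendistro_security_roles", []))
    backend = user.get("backend_roles", [])
    mapped = {role for role, m in roles_mapping.items()
              if mapping_matches(m, user_name, backend, host)}
    return sorted(direct | mapped)


def unmapped_backend_roles(user_name, internal_users=INTERNAL_USERS,
                           roles_mapping=ROLES_MAPPING):
    """Backend roles on the user that no mapping references at all: they grant nothing."""
    referenced = set()
    for m in roles_mapping.values():
        referenced.update(m.get("backend_roles", []))
        referenced.update(m.get("and_backend_roles", []))
    return sorted(br for br in internal_users[user_name].get("backend_roles", [])
                  if br not in referenced)


if __name__ == "__main__":
    for name in INTERNAL_USERS:
        print(name, "->", effective_roles(name), "unmapped:", unmapped_backend_roles(name))
    print("stranger from intranet host ->",
          effective_roles("stranger", host="pc1.starfleetintranet.com"))
```

Run it as-is to see that `testtest` ends up with both `security_analytics_ack_alerts` (direct) and `manage_snapshots` (via the `snapshotrestore` backend role), exactly as the thread concludes, while `stranger` gets nothing unless the request host matches a `hosts` pattern.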