Problem with assigning a role for domain users

Hello! I can't figure it out, please help. I set up LDAP, but I don't understand how to map a user to a role. I need to issue verification to domain users with the administrator role; all the others should go under the default readall role.
I need to do this not at the level of domain roles, but on the OpenSearch server.
I'm using the latest version of OpenSearch.
Do I need to show some of the yml?

@maxim You need to map the LDAP group assigned to the LDAP user as a backend role in roles_mapping.yml.

Thanks for the answer. This is not entirely true. I don't want to give admin rights to the entire Active Directory user group. I want to select multiple users by their cn. It is desirable to do it on the OpenSearch side.

I understand! There is no "users:" parameter in the default configuration of the roles_mapping.yml file. I added it, and now it's working, thanks.

@maxim There is a users parameter. You can map individual users to the OpenSearch role. Take a look at the example I shared in my last answer.

1 Like

Hello,

I know the solution was found almost a year ago, but I have found the same answer a few times in the forum and I can't understand it.

If I have in my LDAP the user "user1" in the group "group1", do I need to configure roles_mapping.yml as below?

mytest:
  reserved: false
  users:
    - "group1"
  description: "xxxxxxx"

This is not working, and the same happens if I put user1 instead of group1.

Thank you for the help !!!

Hi @Mercurochrome7,

You will need to assign a user, or the user's back-end role (see below how to check back-end roles), to the internal roles in your OpenSearch cluster (roles can be configured in roles.yml, the UI or the API); to map roles you can use roles_mapping.yml (or the UI, or the API...).

It would look something like:

user1 (backend_role=[role1,role2])

roles.yml

opensearch_role_one:
  reserved: false
  hidden: false
  cluster_permissions:
    - "*"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"

roles_mapping.yml

opensearch_role_one:
  reserved: false
  backend_roles:
    - "role1"
  description: "maps the LDAP user's group to opensearch_role_one"

or

opensearch_role_one:
  reserved: false
  users:
    - "user1"
  description: "maps a user to opensearch_role_one"

To check back-end roles you can use:

curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

Let me know if that's clear enough and whether that answers your question.

Best.
mj

1 Like
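The mapping rules described in the answer above, as an added worked example that is not part of the original thread or the OpenSearch project's code: it re-implements the documented roles_mapping.yml logic (`users`, `backend_roles`, `and_backend_roles`) locally so you can check a mapping against the JSON returned by `GET /_plugins/_security/authinfo` without touching the cluster. The mapping dict mirrors the YAML keys (written as a dict so no PyYAML is needed), the three authinfo documents are constructed samples, and wildcard matching via `fnmatch` is an assumption made here to mirror the plugin's `"*"` patterns.

```python
"""Predict which OpenSearch roles a user receives from roles_mapping.yml.

Added example for this thread, not code from the OpenSearch security plugin.
It reproduces the documented mapping rules (users, backend_roles,
and_backend_roles) so a mapping can be checked against the output of
GET /_plugins/_security/authinfo offline. All data below is constructed.
"""
from fnmatch import fnmatchcase

# Same keys as roles_mapping.yml, as a dict so the script needs no PyYAML.
# Constructed sample: an individual LDAP user, an LDAP group, a wildcard,
# and an AND-mapping that requires two groups at once.
ROLES_MAPPING = {
    "all_access": {"reserved": False, "users": ["user1"]},
    "opensearch_role_one": {"reserved": False, "backend_roles": ["role1"]},
    "readall": {"reserved": False, "users": ["*"]},
    "audit_only": {"reserved": False, "and_backend_roles": ["role1", "auditors"]},
}


def _any_match(patterns, values):
    """True if any pattern (may contain '*', an assumption here) matches any value."""
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def explain_roles(authinfo, mapping=ROLES_MAPPING):
    """Return {role: mapping_key} for every role the mapping grants this user.

    authinfo is the JSON from /_plugins/_security/authinfo: user_name is the
    LDAP username, backend_roles the LDAP groups the plugin resolved for it.
    """
    user = [authinfo["user_name"]]
    backend = authinfo.get("backend_roles", [])
    granted = {}
    for role, spec in mapping.items():
        if _any_match(spec.get("users", []), user):
            granted[role] = "users"
        elif _any_match(spec.get("backend_roles", []), backend):
            granted[role] = "backend_roles"
        elif spec.get("and_backend_roles") and all(
            _any_match([p], backend) for p in spec["and_backend_roles"]
        ):
            granted[role] = "and_backend_roles"
    return granted


def resolve_roles(authinfo, mapping=ROLES_MAPPING):
    """Sorted list of roles the mapping predicts for this authinfo document."""
    return sorted(explain_roles(authinfo, mapping))


def check_authinfo(authinfo, mapping=ROLES_MAPPING):
    """Compare the cluster's reported 'roles' with the prediction.

    Returns (missing, unexpected): roles the mapping should grant but the
    cluster did not, and roles the cluster granted that the mapping does not.
    """
    expected = set(resolve_roles(authinfo, mapping))
    actual = set(authinfo.get("roles", []))
    return sorted(expected - actual), sorted(actual - expected)


# Constructed authinfo documents (trimmed to the fields that matter here).
USER1 = {"user_name": "user1", "backend_roles": ["role1"],
         "roles": ["all_access", "opensearch_role_one", "readall"]}
# No LDAP groups resolved: only `users` mappings can fire for this account.
USER2 = {"user_name": "user2", "backend_roles": [], "roles": ["readall"]}
# Groups resolved, but the cluster only reports readall: mapping mismatch.
USER3 = {"user_name": "user3", "backend_roles": ["role1", "auditors"],
         "roles": ["readall"]}

if __name__ == "__main__":
    for info in (USER1, USER2, USER3):
        print(info["user_name"], explain_roles(info), check_authinfo(info))
```

If `backend_roles` in the real authinfo output is empty (the situation in the next reply), no `backend_roles` or `and_backend_roles` mapping can match and only `users` entries take effect; that points at the LDAP authz section of config.yml rather than at roles_mapping.yml. When running the curl check above against a production cluster, prefer `--cacert <cluster-ca.pem>` over `--insecure`, which disables certificate verification entirely.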

Hi @Mantas and thanks again for the reply !

I tried, and when I run the curl command the result says that I have the right "role" and the different tenants I want, but not the "backend_role". Anyway, I think it can work like that for what I want to do. I'll give it a try and let you know if it's enough :slight_smile:

Have a great day !

2 Likes