Comments (4)
Working Setup with AD
Assumption: You have an ES cluster (non-Open Distro) with SSL not enabled.
ES Version: 6.6.2
OpenDistro: 0.8.0
Files to modify (/usr/share/elasticsearch/plugins/security/opendistro_security/):
- config.yml
- roles.yml
- roles_mapping.yml
Note: After any change to the above files, you need to re-run the securityadmin.sh script.
Steps:
- Enable SSL for elasticsearch using the security_demo.sh script [ Strictly for development only ]
- Install Open Distro for Kibana
- If you have installed elasticsearch via RPM, then add
  xpack.security.enabled: false
  to elasticsearch.yml & kibana.yml
- Modify roles.yml & roles_mapping.yml to include the AD group (read-only access)

roles_mapping.yml
```yaml
readall:
  readonly: true
  backendroles:
    - readall
    - '<Your AD Group>'
```

roles.yml
```yaml
# Read all, but no write permissions
readall:
  readonly: true
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - indices:admin/get
```

- Update the security index (please replace paths and ES_MASTER_IP)
```sh
/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" -icl -key "/etc/elasticsearch/kirk-key.pem" -cert "/etc/elasticsearch/kirk.pem" -cacert "/etc/elasticsearch/root-ca.pem" -nhnv -h <ES_MASTER_IP> -p 9300 -f /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml -t roles
/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" -icl -key "/etc/elasticsearch/kirk-key.pem" -cert "/etc/elasticsearch/kirk.pem" -cacert "/etc/elasticsearch/root-ca.pem" -nhnv -h <ES_MASTER_IP> -p 9300 -f /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml -t rolesmapping
/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" -icl -key "/etc/elasticsearch/kirk-key.pem" -cert "/etc/elasticsearch/kirk.pem" -cacert "/etc/elasticsearch/root-ca.pem" -nhnv -h <ES_MASTER_IP> -p 9300 -f /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml -t config
```
- Restart Elasticsearch & Kibana

Bonus:
config.yml for AD
```yaml
# Enclosing keys follow the plugin's default config.yml layout;
# the ldap (authc) and roles_from_myldap (authz) sections are the posted ones.
opendistro_security:
  dynamic:
    authc:
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - <AD_HOSTNAME>:389
            bind_dn: serviceaccount
            password: 'xxxxxx'
            userbase: 'OU=USERS,OU=CORPORATE,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
    authz:
      roles_from_myldap:
        enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - <AD_HOSTNAME>:389
            bind_dn: serviceaccount
            password: 'xxxxxx'
            rolebase: 'OU=GROUPS,DC=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: memberOf
            rolename: cn
            resolve_nested_roles: false
            userbase: 'OU=USERS,OU=CORPORATE,DC=com'
            usersearch: '(sAMAccountName={0})'
```
from for-elasticsearch-docs.
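The config.yml above binds to AD on port 389 with `enable_ssl: false` and `enable_start_tls: false`, so the service account's bind password crosses the network in cleartext. The following is an added lint (not from the thread or the plugin) that walks a loaded config.yml, here a constructed dict mirroring the posted authc backend plus a hardened authz backend, and reports every LDAP backend whose bind is unencrypted; the key names are the ones in the posted config, and `yaml.safe_load` is assumed to be how a real file would be loaded.

```python
"""Flag LDAP/AD backends in an Open Distro security config.yml whose bind
credentials travel unencrypted. Added example, not from the issue thread."""
# Assumption: the config is loaded as nested dicts (e.g. with yaml.safe_load);
# key names (type, config, enable_ssl, ...) are those of the posted config.yml.


def find_ldap_backends(node, path=""):
    """Yield (dotted path, config dict) for every backend with type: ldap."""
    if isinstance(node, dict):
        if node.get("type") == "ldap" and isinstance(node.get("config"), dict):
            yield path, node["config"]
        for key, child in node.items():
            yield from find_ldap_backends(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_ldap_backends(child, f"{path}[{i}]")


def lint_ldap_config(config):
    """Return findings; an empty list means every LDAP bind is encrypted."""
    findings = []
    for path, cfg in find_ldap_backends(config):
        tls = bool(cfg.get("enable_ssl")) or bool(cfg.get("enable_start_tls"))
        if not tls:
            findings.append(f"{path}: bind_dn/password sent in cleartext "
                            "(enable_ssl and enable_start_tls both false)")
        elif not cfg.get("verify_hostnames", True):
            findings.append(f"{path}: TLS enabled but verify_hostnames is false")
        for host in cfg.get("hosts", []):
            if cfg.get("enable_ssl") and str(host).endswith(":389"):
                findings.append(f"{path}: enable_ssl set but {host} is the plain LDAP port")
    return findings


# Constructed sample: authc copied from the posted config, authz hardened to LDAPS.
SAMPLE_CONFIG = {"opendistro_security": {"dynamic": {
    "authc": {"ldap": {"enabled": True, "order": 1,
        "authentication_backend": {"type": "ldap", "config": {
            "enable_ssl": False, "enable_start_tls": False, "verify_hostnames": True,
            "hosts": ["<AD_HOSTNAME>:389"], "bind_dn": "serviceaccount",
            "password": "xxxxxx", "username_attribute": "sAMAccountName"}}}},
    "authz": {"roles_from_myldap": {"enabled": True,
        "authorization_backend": {"type": "ldap", "config": {
            "enable_ssl": True, "verify_hostnames": True,
            "hosts": ["<AD_HOSTNAME>:636"], "bind_dn": "serviceaccount",
            "password": "xxxxxx", "rolename": "cn"}}}}}}}

if __name__ == "__main__":
    for finding in lint_ldap_config(SAMPLE_CONFIG):
        print("WARN", finding)
```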
Hi @jirisafar, can you clarify the request here? I'm not super familiar with AD, but my understanding is that we have content on pulling roles: https://opendistro.github.io/for-elasticsearch-docs/docs/security/ldap/#use-active-directory-and-ldap-for-authorization
from for-elasticsearch-docs.
Hi, I have figured out that: I would like to add a new section there documenting how to map AD groups. I have tried to pull these changes but with no luck.
Here is the content:
```yaml
---
layout: default
title: Permissions for AD/LDAP groups
nav_order: 98
has_children: true
has_toc: false
---
```
How to manage permissions for a specific AD group
To edit LDAP/AD authentication and authorization for a specific security group, edit /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml:
```yaml
all_access:
  readonly: false
  backendroles:
    - admin
    - your_AD_group_that_should_have_R/W_permissions
logstash:
  backendroles:
    - logstash
kibana_server:
  readonly: true
  users:
    - kibanaserver
kibana_user:
  backendroles:
    - kibanauser
readall:
  readonly: false
  backendroles:
    - readall
    - your_AD_group_that_should_have_R_permissions
manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore
own_index:
  users:
    - '*'
LDAP/AD TEST:
  readonly: false
  backendroles:
    - test
    - your_ad_group
...
```
If you use CN in config.yml, you always have to use CN when adding another group.
from for-elasticsearch-docs.
Hi,
the problem was a wrongly set rolebase and userbase. We modified them according to our domain and that fixed our problem.
Now we are able to map users or groups under a specific CN.
from for-elasticsearch-docs.