Questions on clientcert http_authenticator
36 views
Skip to first unread message
Enzo Wang
Dec 12, 2016, 11:31:40 PM12/12/16
to Search Guard
Hi guys,
Document says the authz is optional, so what roles will be assign to a user who successfully authenticates via client cert? SG will pick up the CN part or some thing similar?
I have a question regarding to clientcert.
Document says the authz is optional, so what roles will be assign to a user who successfully authenticates via client cert? SG will pick up the CN part or some thing similar?
Thanks,
Enzo
SG
Dec 13, 2016, 8:39:39 AM12/13/16
to search...@googlegroups.com
If you dont use authz then you can assign roles "statically" through sg_roles_mapping.yml:
sg_mycoolrole:
users:
- "CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/59e4d3b2-ece8-4128-8e7b-3fe4549992c5%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
sg_mycoolrole:
users:
- "CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/59e4d3b2-ece8-4128-8e7b-3fe4549992c5%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Enzo Wang
Dec 13, 2016, 2:25:29 PM12/13/16
to search...@googlegroups.com
Thanks. But what if I don't have role defined in that file? Will sg then use a default role? If yes, what role will be used?
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/Zm_8lnNKh60/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/E1E3E73E-6C41-4F2B-8F4A-11C83C2CBA32%40search-guard.com.
SG
Dec 13, 2016, 3:27:06 PM12/13/16
to search...@googlegroups.com
There is no implicit default role and the user is not allowed to do anything
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAJmhRAykkXf%2BGED4W-VRzZTtbZHr-1Mpf8zKFo_SBJZssVYFyg%40mail.gmail.com.
Rob Fuller
May 25, 2017, 6:05:24 AM5/25/17
to Search Guard
Hi,
The context for the requirement is a setup with searchguard kerberos authc and ldap authz. As any user in the enterprise will be authenticated, we'd like to be able to provide some basic access without having to add thousands of enterprise users into an ldap group. (There is not currently any common group for all users).
Thanks for any advice,
Thanks for any advice,
Rob Fuller.
Rob Fuller
May 25, 2017, 6:20:35 AM5/25/17
to Search Guard
Apologies (rtfm) it looks like this should work in sg_roles_mapping:
| sg_public: | |
| users: | |
| - '*' |
Reply all
Reply to author
Forward
0 new messages