Limit authentication to a pair {user, host} - Is it possible?


S.

Jan 30, 2019, 5:31:07 AM1/30/19
to Search Guard Community Forum
Hello,

Simple question: is it possible with Searchguard to limit the authentication of a user to a list of well-defined hosts? Like in MySQL, where authentication can be based on the pair {user, host}.

I see that authentication based on hosts or users can be performed, but AFAIK the operator between "users-roles" mappings is an OR operator, i.e. not an AND operator.

Thanks.

SG

Feb 3, 2019, 9:45:23 AM2/3/19
to search...@googlegroups.com
No, this should be done via a firewall

S.

Feb 14, 2019, 4:18:50 AM2/14/19
to Search Guard Community Forum
OK, thanks for your feedback.

FYI, my use case was to prevent developers from misconfiguring their applications in production.
They have:
- a batch job, executed on a machine "host_batch", that has R/W access to some indices using login "user_rw"
- a web application, executed on another machine "host_webapp", that has RO access to these same indices using login "user_ro"

Unfortunately, firewall rules cannot prevent this kind of misconfiguration (e.g. the webapp using "user_rw"). They only prevent developers from using their production credentials from their development machines.

Maybe the pair {login, IP/hostname} could be an evolution of the SearchGuard configuration.

Jochen Kressin

Feb 18, 2019, 5:20:40 AM2/18/19
to Search Guard Community Forum
Maybe the following approach works:

1. Configure one role that has RO permissions to the indices. This is the one your webapp will use.
2. In addition, create a second role that has additional WRITE permissions for the same indices.

In the roles_mapping.yml, map your webapp users to the RO role (only). You can do that by username or by backend role. Then create a second entry in roles_mapping.yml that maps the hostname of your "host_batch" machine to the second role that has WRITE access.

The effect would be that whenever a user logs in from the host_batch machine, the second role with WRITE access is added to the list of the user's roles.

Is that the use case you try to implement?
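The two-file layout described in the reply above, written out as an added example (it is not configuration from the thread or from the Search Guard project). It uses the Search Guard 6 sg_roles.yml / sg_roles_mapping.yml format that was current when this thread was written; the role names sg_app_readonly and sg_app_readwrite, the index pattern 'app-*', and the host name host_batch are assumed placeholders for the poster's setup.

```yaml
# --- sg_roles.yml (Search Guard 6 format, assumed) ---
# Two roles over the same index pattern; only the second one can write.
sg_app_readonly:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'app-*':              # assumed pattern for the shared indices
      '*':
        - READ

sg_app_readwrite:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    'app-*':
      '*':
        - CRUD            # CRUD includes READ, so this role alone is enough for the batch
---
# --- sg_roles_mapping.yml (Search Guard 6 format, assumed) ---
# Logins are mapped BY NAME to the read-only role only. Deliberately, no
# user name is ever mapped to the write role, so a mis-pasted "user_rw"
# in the webapp's config gains nothing.
sg_app_readonly:
  users:
    - user_ro
    - user_rw

# The write role is mapped BY CLIENT HOST only, so it is added to whichever
# login arrives from host_batch and to nothing else.
sg_app_readwrite:
  hosts:
    - host_batch          # hostname or IP as seen by the node; wildcards are allowed
```

Role mapping stays a union (OR), exactly as the original poster observed; the trick is that the only mapping able to grant write is keyed on the host. The resulting matrix is: user_ro or user_rw from host_webapp gets sg_app_readonly only, so the feared misconfiguration is harmless; any mapped login from host_batch gets both roles and can write. Two caveats a practitioner should check before relying on this: the host mapping grants write to every account that can authenticate from host_batch, so access to that machine must be as tightly controlled as the user_rw password was; and the "host" is the client address the node sees, so hostnames need a working reverse lookup (an IP address is the more robust choice) and a proxy or load balancer in front of the cluster will make every client look like the proxy unless your version's proxy/XFF handling is configured.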