There is nothing like "real_user_name" but why not configure:
martin-test:
  readonly: true
  hash: <pass hash>
  roles:
    - ingress_user
What is the reason for "sanitizing" to martin_test?
> On 30.01.2019 at 12:58, martin.l...@gmail.com wrote:
>
> I have the following in my SG config:
>
> role:
>
> sg_ingress_user:
>   cluster:
>     - UNLIMITED
>   indices:
>     '${user_name}-*':
>       '*':
>         - UNLIMITED
>
> mapping:
>
> sg_ingress_user:
>   backendroles:
>     - ingress_user
>
> internal user:
>
> martin_test:
>   readonly: true
>   hash: <pass hash>
>   username: martin-test
>   roles:
>     - ingress_user
>
>
> Above I have sanitised the username so the internal users will only have alphanumeric and underscore. So in this case martin-test becomes martin_test. I use the username field so I can allow the user to connect. So far so good.
>
> The issue is the role. I am using "${user_name}-*"; this seems to be the SG internal username, i.e. the sanitised one, martin_test. However, this is not what is expected to be used when sending a document into the ES cluster, e.g. this gets a write permission error:
>
> curl <details> https://<server>/martin-test/_doc/1 <data>
>
> What I would really like is to allow either index to be written to, martin-test or martin_test, e.g. update the role to:
>
> sg_ingress_user:
>   cluster:
>     - UNLIMITED
>   indices:
>     '${user_name}-*':
>       '*':
>         - UNLIMITED
>     '${real_user_name}-*':
>       '*':
>         - UNLIMITED
>
> Is there something like "real_user_name"?