Questions on clientcert http_authenticator


Enzo Wang

Dec 12, 2016, 11:31:40 PM
to Search Guard
Hi guys,

I have a question regarding clientcert.

The documentation says the authz is optional, so what roles will be assigned to a user who successfully authenticates via client cert? Will SG pick up the CN part or something similar?

Thanks,
Enzo

SG

Dec 13, 2016, 8:39:39 AM
to search...@googlegroups.com
If you don't use authz then you can assign roles "statically" through sg_roles_mapping.yml:

sg_mycoolrole:
  users:
    - "CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"

Enzo Wang

Dec 13, 2016, 2:25:29 PM
to search...@googlegroups.com
Thanks. But what if I don't have a role defined in that file? Will SG then use a default role? If yes, what role will be used?


SG

Dec 13, 2016, 3:27:06 PM
to search...@googlegroups.com
There is no implicit default role and the user is not allowed to do anything.

Rob Fuller

May 25, 2017, 6:05:24 AM
to Search Guard
Hi,

I wonder might it be possible to add the feature of a default role or roles for all authenticated users?

The context for the requirement is a setup with searchguard kerberos authc and ldap authz. As any user in the enterprise will be authenticated, we'd like to be able to provide some basic access without having to add thousands of enterprise users into an ldap group. (There is not currently any common group for all users).

Thanks for any advice,
Rob Fuller.

Rob Fuller

May 25, 2017, 6:20:35 AM
to Search Guard
Apologies (rtfm) it looks like this should work in sg_roles_mapping:

sg_public:
  users:
    - '*'
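
Added example, not part of the thread and not Search Guard's own code: a small Python model of the behaviour discussed above (static mapping by certificate DN, no implicit default role, and the '*' entry that maps every authenticated user), plus an audit helper that lists catch-all roles. The matching rules here ('*' for any run of characters, '?' for one character, literal string comparison otherwise) are a simplifying assumption, and the function names are hypothetical.

```python
import re

# Constructed mapping mirroring the two sg_roles_mapping.yml snippets in this thread.
ROLES_MAPPING = {
    "sg_mycoolrole": {"users": ["CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US"]},
    "sg_public": {"users": ["*"]},
}


def _pattern_to_regex(pattern):
    """Simplified model (assumption): '*' matches any run, '?' exactly one char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def resolve_roles(mapping, username):
    """Return the roles whose 'users' list matches the authenticated name."""
    roles = set()
    for role, entry in mapping.items():
        for pattern in entry.get("users", []):
            if _pattern_to_regex(pattern).fullmatch(username):
                roles.add(role)
                break
    # An empty set models "no implicit default role": nothing is permitted.
    return roles


def catch_all_roles(mapping):
    """Audit helper: roles granted to every authenticated user via a bare '*'."""
    return sorted(
        role for role, entry in mapping.items()
        if any(p and set(p) == {"*"} for p in entry.get("users", []))
    )


if __name__ == "__main__":
    for user in ["CN=abc,OU=def,O=Company,L=xy,S=xxx, C=US", "CN=other,O=Company,C=US"]:
        print(user, "->", sorted(resolve_roles(ROLES_MAPPING, user)))
    print("catch-all roles:", catch_all_roles(ROLES_MAPPING))
```

Any role reported by catch_all_roles is the baseline for every identity the authenticator accepts, so its permissions deserve the same review as an anonymous-access grant.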