username as ${user_name}


martin.l...@gmail.com

Jan 30, 2019, 6:58:50 AM
to search...@googlegroups.com
I have the following in my SG config:

role:

sg_ingress_user:
  cluster:
    - UNLIMITED
  indices:
    '${user_name}-*':
      '*':
        - UNLIMITED

mapping:

sg_ingress_user:
  backendroles:
    - ingress_user

internal user:

martin_test:
  readonly: true
  hash: <pass hash>
  username: martin-test
  roles:
    - ingress_user


Above I have sanitised the username so the internal users will only have alphanumeric characters and underscores. So in this case martin-test becomes martin_test. I use the username field so I can allow the user to connect. So far so good.

The issue is the role. I am using "${user_name}-*"; this seems to be the SG internal username, i.e. the sanitised one, martin_test. However, this is not what is expected to be used when sending a document into the ES cluster, e.g. this gets a write permission error:

curl <details> https://<server>/martin-test-2019-01-30/_doc/1 <data>

What I would really like is to allow either index, martin-test or martin_test, to be written to, e.g. by updating the role to:

sg_ingress_user:
  cluster:
    - UNLIMITED
  indices:
    '${user_name}-*':
      '*':
        - UNLIMITED
    '${real_user_name}-*':
      '*':
        - UNLIMITED

Is there something like "real_user_name"?

SG

Feb 3, 2019, 9:44:03 AM
to search...@googlegroups.com
There is nothing like "real_user_name", but why not configure:

martin-test:
  readonly: true
  hash: <pass hash>
  roles:
    - ingress_user

What is the reason for "sanitizing" to martin_test?

> On 30.01.2019 at 12:58, martin.l...@gmail.com wrote:
>
> I have the following in my SG config:
>
> role:
>
> sg_ingress_user:
>   cluster:
>     - UNLIMITED
>   indices:
>     '${user_name}-*':
>       '*':
>         - UNLIMITED
>
> mapping:
>
> sg_ingress_user:
>   backendroles:
>     - ingress_user
>
> internal user:
>
> martin_test:
>   readonly: true
>   hash: <pass hash>
>   username: martin-test
>   roles:
>     - ingress_user
>
>
> Above I have sanitised the username so the internal users will only have alphanumeric characters and underscores. So in this case martin-test becomes martin_test. I use the username field so I can allow the user to connect. So far so good.
>
> The issue is the role. I am using "${user_name}-*"; this seems to be the SG internal username, i.e. the sanitised one, martin_test. However, this is not what is expected to be used when sending a document into the ES cluster, e.g. this gets a write permission error:
>
> curl <details> https://<server>/martin-test/_doc/1 <data>
>
> What I would really like is to allow either index, martin-test or martin_test, to be written to, e.g. by updating the role to:
>
> sg_ingress_user:
>   cluster:
>     - UNLIMITED
>   indices:
>     '${user_name}-*':
>       '*':
>         - UNLIMITED
>     '${real_user_name}-*':
>       '*':
>         - UNLIMITED
>
> Is there something like "real_user_name"?
>

martin.l...@gmail.com

Feb 4, 2019, 7:05:26 AM
to Search Guard Community Forum
Your suggestion would work in this case, but the more common case is when the username is also an email address.

e.g. marti...@email.address

This is an illegal YAML definition (I think only because of the dot, but other special characters will cause issues too), hence the reason I need to clean it in the first place and use martin_test_email_address.

I have created a simple REST API to manipulate the internal users. This allows us to create users dynamically. Potentially we can clean the username at an earlier stage, but cleaning the names that get used as the keys in the YAML seemed prudent.

Thanks for any suggestions.

Search Guard

Feb 5, 2019, 12:36:00 PM
to Search Guard Community Forum
Did you try

'marti...@email.address':
  readonly: true
  hash: <pass hash>
  roles:
    - ingress_user

Should be working IMHO (at least with recent SG 6)

If not please file a feature request in github.
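One way to act on the two suggestions in this thread, generating the internal-user entry with a quoted key so that dots and '@' survive as YAML, and checking what the role pattern '${user_name}-*' actually matches for the real name versus the sanitised one. This is an added example in Python, not Search Guard's own code and not the poster's REST API. It assumes that ${user_name} is substituted into the pattern as plain text and then glob-matched (Search Guard's real matching is not modelled), it reuses the thread's '<pass hash>' placeholder, and the sample user names are constructed. It goes one step beyond the thread: because the names are created dynamically and end up inside an index glob, the entry writer refuses names containing glob metacharacters.

```python
"""Emit a Search Guard style internal-user entry and check what the
${user_name}-* index pattern would match for that user.

Added example, not Search Guard's own code.  Assumptions: the entry layout
copies the sg_internal_users.yml fragment from the thread; ${user_name} is
modelled as plain text substitution into the pattern followed by glob
matching; the hash value is the page's '<pass hash>' placeholder.
"""
import fnmatch
import re

# Constructed sample input: one name that is a plain YAML key and one that
# carries a dot and '@' and therefore needs quoting.
SAMPLE_USERS = {
    "martin-test": {"hash": "<pass hash>", "roles": ["ingress_user"]},
    "martin.test@email.address": {"hash": "<pass hash>", "roles": ["ingress_user"]},
}

# A bare (unquoted) YAML key is restricted to this conservative set.
BARE_KEY = re.compile(r"^[A-Za-z0-9_]+$")
# Characters accepted in a name that will be spliced into an index glob.
# Glob metacharacters ('*', '?', '[') are deliberately excluded so that a
# dynamically created user cannot widen the pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.@-]+$")


def yaml_key(name: str) -> str:
    """Render name as a YAML mapping key: bare if plain, else single-quoted."""
    if BARE_KEY.match(name):
        return name
    return "'" + name.replace("'", "''") + "'"


def sanitize(name: str) -> str:
    """The approach from the first post: replace anything outside
    [A-Za-z0-9_] with an underscore (martin-test -> martin_test)."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def internal_user_entry(name: str, pw_hash: str, roles, readonly: bool = True) -> str:
    """Emit the internal-user YAML fragment, quoting the key when needed."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"refusing username {name!r}: not safe inside an index pattern")
    lines = [
        f"{yaml_key(name)}:",
        f"  readonly: {'true' if readonly else 'false'}",
        f"  hash: {pw_hash}",
        "  roles:",
    ]
    lines.extend(f"    - {role}" for role in roles)
    return "\n".join(lines) + "\n"


def index_pattern(role_pattern: str, user_name: str) -> str:
    """Model ${user_name} substitution in a role's index pattern
    (assumption: plain text substitution, no escaping)."""
    return role_pattern.replace("${user_name}", user_name)


def can_write(role_pattern: str, user_name: str, index: str) -> bool:
    """True if index matches the pattern after substituting user_name."""
    return fnmatch.fnmatchcase(index, index_pattern(role_pattern, user_name))


if __name__ == "__main__":
    for name, attrs in SAMPLE_USERS.items():
        print(internal_user_entry(name, attrs["hash"], attrs["roles"]))
    index = "martin-test-2019-01-30"
    print("real name matches :", can_write("${user_name}-*", "martin-test", index))
    print("sanitised matches :", can_write("${user_name}-*", sanitize("martin-test"), index))
```

Running it prints the two entries, the second with the key as 'martin.test@email.address', and shows that the index martin-test-2019-01-30 from the first post matches 'martin-test-*' but not 'martin_test-*', which is the mismatch the thread is about. The glob check is the caveat worth keeping in any tool that creates users on demand: a name is both a YAML key and part of a permission pattern, and the two have different safety rules.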

martin.l...@gmail.com

Feb 5, 2019, 12:39:02 PM
to Search Guard Community Forum
I haven't tried it with quotes. I will give that a try. Thanks.

I am using SG 6.4.0.