Role Base Mapping for Groups is not Working


Saddique Khan

Apr 23, 2024, 4:37:21 AM
to Wazuh | Mailing List
Hello Team,

I want to restrict my LDAP groups to specific Wazuh agent groups. I followed the https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html document. However, my approach was a bit different.
Here are the steps I followed for external users.

1. Created a new role in the role.yml file in the indexer.

Team_A:
  reserved: false
  hidden: false
  # tenant-level permissions: read-only access to the global tenant
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "read"
  cluster_permissions:
    - "cluster_composite_ops_ro"
  # index-level permissions: all actions on every wazuh-* index
  index_permissions:
    - index_patterns:
        - "wazuh-*"
      dls: ""
      fls: []
      allowed_actions:
        - "*"

2. Mapped this in role_mapping:

Team_A:
  reserved: false
  hidden: false
  # LDAP groups (backend roles) that receive the Team_A role
  backend_roles:
    - "readall"
    - "My_ldap_group"

3. Redeployed the indexer pods.
4. Ran the security script; everything looked fine.
5. Restarted the dashboard.
6. The security roles got created with the given permissions.
7. Then I edited it to assign the group label docs in the role.
8. Went to the dashboard security, created the policy with id.agents:groups-label, and created a role.
9. Mapped the role to the policy. For assigning the backend policy, I used a filter like back_roles Find and my Team_A.
10. Saved everything and restarted the pods.

Now when I log in with LDAP users, I don't see any indices in my LDAP user's index management. I see an error like: You have no permissions. Contact to an administrator: no permissions for [indices:data/read/search] and User.

I also gave cluster access to the role, but still the same issue. I also deleted the old wazuh-alerts- but no improvement. What am I doing wrong?

Regards,
Saddique


Antonio Kim (Wazuh)

Apr 23, 2024, 4:57:17 AM
to Wazuh | Mailing List
Hi Saddique.

Let me do some research about your use case.
I will be back as soon as I have an answer for you.

Antonio

Antonio Kim (Wazuh)

Apr 23, 2024, 5:51:23 AM
to Wazuh | Mailing List
Dear Saddique

I have been reviewing the documentation that you have associated with your action list, as well as reviewing documentation about the option to restrict LDAP groups.
What I have not found is information on the steps you have taken in any official instructions. I wanted to ask you whether the solution you are trying to apply is based on any document you have found.

Stay tuned for a reply.

Antonio

Saddique Khan

Apr 23, 2024, 6:06:14 AM
to Wazuh | Mailing List
Hello Antonio,

I have shared the documents I followed for the steps. I already know how to create new roles and map them from OpenSearch. They are working perfectly fine. My LDAP is active and I am able to log in, as I didn't create any internal user to log in. I have created a role in roles.yaml in the indexer and mapped it with role_mapp.yml in the indexer. I did this long back. I am creating a new role for this because I will only use the LDAP groups in it to which I want to give Wazuh agent group access. Currently, I am receiving this error:

AxiosError: Wazuh API error: ERR_BAD_REQUEST - Permission denied: Resource type: *:*

In the policy, I gave agent:group:mygroupname and agent:id:* access. Then in custom, I used backend_roles Find My-backend-rolename.

Antonio Kim (Wazuh)

Apr 23, 2024, 6:22:02 AM
to Wazuh | Mailing List
Thank you for your quick response, I will continue the search and return with more specific information.

Antonio

Antonio Kim (Wazuh)

Apr 23, 2024, 7:17:52 AM
to Wazuh | Mailing List
Hi Saddique

After reanalyzing your use case and reviewing the parameters you have sent, I can inform you of the following:

Changes made to the yaml file are not automatically applied unless you run securityadmin.sh again, and this can cause problems related to file overwriting (reference).

On the other hand, checking your configuration, there is an error in the role you create in the first step: allowed_actions appears 2 times with different values.

The recommendation is to do it again from scratch, but from the UI, since this way it will not be necessary to restart the system to apply changes and you will be able to find errors more quickly.

To undo the changes, you must delete the yaml file and run securityadmin.sh again.

For the new attempt you can duplicate the manage_wazuh_index role or create a similar one.

Also add the action group search, since the error indicates that it lacks that permission.


Hope this information is useful for you.

Please let me know if you have any other questions regarding this issue.

Antonio
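As an added example (not code from this thread, Wazuh or OpenSearch), the following Python models how the indexer resolves the Team_A role and mapping posted in the first message: which roles a user receives through their LDAP backend roles, and whether the role's index_permissions cover the indices:data/read/search action named in the error. ACTION_GROUPS is an assumed, simplified subset of the built-in OpenSearch action groups; note that tenant_permissions and index_permissions each legitimately carry their own allowed_actions list.

```python
"""Model OpenSearch Security role resolution for the thread's Team_A role."""
import fnmatch

# Assumption: simplified subset of the built-in OpenSearch action groups.
ACTION_GROUPS = {
    "search": ["indices:data/read/search*", "indices:data/read/msearch*"],
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
    "cluster_composite_ops_ro": ["indices:data/read/mget*", "cluster:monitor/*"],
}

# Team_A as posted in roles.yml (tenant block omitted: it is not index access).
ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {"index_patterns": ["wazuh-*"], "allowed_actions": ["*"]},
    ],
}
# roles_mapping.yml entry: LDAP group (backend role) -> Team_A
MAPPING = {"Team_A": {"backend_roles": ["readall", "My_ldap_group"]}}


def expand(actions):
    """Recursively replace action-group names with their member action patterns."""
    out = []
    for a in actions:
        out.extend(expand(ACTION_GROUPS[a]) if a in ACTION_GROUPS else [a])
    return out


def roles_for(backend_roles, mapping=MAPPING):
    """Roles a user receives because one of their backend roles is mapped."""
    return sorted(name for name, m in mapping.items()
                  if set(m["backend_roles"]) & set(backend_roles))


def index_allows(role, index, action):
    """True if some index_permissions block matches both the index and the action."""
    for perm in role.get("index_permissions", []):
        if not any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"]):
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in expand(perm["allowed_actions"])):
            return True
    return False


def check_user(backend_roles, index, action, roles=None, mapping=MAPPING):
    """Names of the user's roles that grant `action` on `index`; [] means the
    'no permissions for [...]' error the thread reports."""
    roles = roles or {"Team_A": ROLE}
    return [r for r in roles_for(backend_roles, mapping) if index_allows(roles[r], index, action)]
```

An empty result for a user whose LDAP group is in the mapping points at the role definition that was actually loaded (securityadmin.sh not re-run), not at the mapping.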

Saddique Khan

Apr 23, 2024, 9:02:10 AM
to Wazuh | Mailing List
Hello Antonio,

Thanks for replying with haste.

I have fixed the issue. I put allowed_actions once for the tenant and once for indexing. I believe both are fine. However, my issue is with the policy mapping.

Regards,
Saddique

Antonio Kim (Wazuh)

Apr 23, 2024, 11:47:08 AM
to Wazuh | Mailing List
Hasn't it been completely resolved?

Regards,

Antonio

Saddique Khan

Apr 25, 2024, 5:51:15 AM
to Antonio Kim (Wazuh), Wazuh | Mailing List
Hello Antonio,

Yes, it is working fine as per expectations. However, I don't see index templates like sso for LDAP users in index management. Do you have an idea how to enable them?

Regards,
Saddique


Antonio Kim (Wazuh)

Apr 26, 2024, 3:17:52 AM
to Wazuh | Mailing List
Hello Saddique,

I have searched for what you are asking, but I lack the information to find something specific that resolves your question.
Could you give us more information about what you mean by your question?

I will be waiting for your answer.

Antonio

Saddique Khan

May 2, 2024, 4:45:00 AM
to Wazuh | Mailing List
Hey Antonio,

Thanks for your response, but everything is working fine now.

Regards,
Saddique

Gael Miguez Mendez

Jun 17, 2024, 3:32:21 AM
to Wazuh | Mailing List
Hello Saddique, could you share how you fixed it? I have been searching for this error for a while, and I cannot get rid of it. Thanks in advance!