OpenId realm supports the authorization_realms setting #64583

Closed
merlixelastic opened this issue Nov 4, 2020 · 5 comments · Fixed by #64877
Labels: >bug, >docs, :Security/Authorization, Team:Docs, Team:Security

Comments

@merlixelastic

Description of the problem including expected versus actual behavior:
This is a documentation issue about OpenID realm not showing authorization_realms setting support.

Steps to reproduce:

In the security settings, the authorization_realms setting is missing from the Open ID connect realm.
I do see the setting 4 times for the following realms: SAML, LDAP, PKI and Kerberos.
This implies the authorization_realms setting is not valid for the OpenID realm, hence authorization delegation is not supported.

However the role mapping page shows this setting is in fact supported.

  • Could we edit the security settings to add documentation about the authorization_realms setting for OpenID?

Provide logs (if relevant):

@merlixelastic merlixelastic added >bug >docs General docs changes needs:triage Requires assignment of a team area label labels Nov 4, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-docs (>docs)

@elasticmachine elasticmachine added the Team:Docs Meta label for docs team label Nov 4, 2020
@lockewritesdocs lockewritesdocs self-assigned this Nov 9, 2020
@cbuescher cbuescher added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC and removed needs:triage Requires assignment of a team area label labels Nov 10, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Nov 10, 2020
@lockewritesdocs
Contributor

I'm a little perplexed on this one. @merlixelastic is correct that we indicate support in the Configuring role mappings page for OIDC:

  1. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.

However, in Mapping users and groups to roles, there's a note indicating that:

The PKI, LDAP, Kerberos and SAML realms support using authorization realms as an alternative to role mapping.

We explicitly don't mention OpenID Connect. The commit that added this note includes "authorization_realm support in the pki, ldap, saml & kerberos realms". Again, I don't see any mention of OpenID Connect, which appears to be deliberate.

I'm wondering if the page for Configuring role mappings is incorrect, and we should revise or remove this information around configuring authorization_realms for OIDC:

If your users also exist in a repository that can be directly accessed by Elasticsearch (such as an LDAP directory) then you can use authorization realms instead of role mappings.

In this case, you perform the following steps:

  1. In your OpenID Connect realm, assign a claim to act as the lookup userid, by configuring the claims.principal setting.
  2. Create a new realm that can lookup users from your local repository (e.g. an ldap realm)
  3. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.

cc: @tvernum and @ywangd, who can provide more perspective.
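The three steps quoted above, written out as one elasticsearch.yml fragment. This is an added illustration, not configuration from the issue or from the Elasticsearch documentation; the realm names oidc1 and ldap1, the example.com hosts, the client id, the bind DN and the choice of the email claim as principal are assumptions.

```yaml
# Constructed example: OIDC realm delegating authorization to an LDAP realm.
# Realm names, hosts, client id and the "email" claim are assumed values.
xpack.security.authc.realms:
  oidc.oidc1:
    order: 2
    rp.client_id: "es-kibana"                # assumed; as registered with the OP
    rp.response_type: code
    rp.redirect_uri: "https://kibana.example.com/api/security/oidc/callback"
    op.issuer: "https://op.example.com"
    op.authorization_endpoint: "https://op.example.com/oauth2/v1/authorize"
    op.token_endpoint: "https://op.example.com/oauth2/v1/token"
    op.jwkset_path: oidc/jwkset.json         # relative to the config directory
    # Step 1: the claim whose value is used as the lookup user id
    claims.principal: email
    # Step 3: take roles from the LDAP realm instead of role mappings for oidc1
    authorization_realms: ldap1
  ldap.ldap1:
    # Step 2: a realm that can look the principal up in the local repository.
    # It must be able to find a user by the principal value, so the search
    # filter matches the LDAP attribute that holds the email address.
    order: 3
    url: "ldaps://ldap.example.com:636"
    bind_dn: "cn=es-lookup,ou=service,dc=example,dc=com"
    user_search.base_dn: "ou=people,dc=example,dc=com"
    user_search.filter: "(mail={0})"
    group_search.base_dn: "ou=groups,dc=example,dc=com"
# Secrets do not belong in this file: rp.client_secret for oidc1 and
# secure_bind_password for ldap1 are secure settings stored in the keystore.
```

With this in place, role mappings are evaluated for ldap1 (e.g. on LDAP group membership), not for oidc1, so a mapping written against the oidc1 realm would have no effect.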

@jkakavas
Member

We explicitly don't mention OpenID Connect. The commit that added this note includes "authorization_realm support in the pki, ldap, saml & kerberos realms". Again, I don't see any mention of OpenID Connect, which appears to be deliberate.

This is because we didn't have an OpenID Connect realm back then (it was introduced in 7.2).

OpenID Connect supports authorization realms and we should add the missing setting in the reference page. I just missed adding it when adding the OIDC docs the first time around; this was not done on purpose.

@lockewritesdocs
Contributor

Ah, thanks for the context @jkakavas! I'll get that setting added 👍
