Elasticsearch: OpenId realm supports the authorization_realms setting

Created on 4 Nov 2020 · 5 Comments · Source: elastic/elasticsearch

Description of the problem including expected versus actual behavior:
This is a documentation issue about OpenID realm not showing authorization_realms setting support.

Steps to reproduce:

In the security settings, the authorization_realms setting is missing from the Open ID connect realm.
I do see the setting 4 times for the following realms: SAML, LDAP, PKI and Kerberos.
This implies that the authorization_realms setting is not valid for the OpenID realm, hence authorization delegation is not supported.

However the role mapping page shows this setting is in fact supported.

  • Could we edit the security settings to add documentation about the authorization_realms setting for OpenID?

Provide logs (if relevant):

Labels: :Security/Authorization, >bug, >docs, Docs, Security

All 5 comments

Pinging @elastic/es-docs (>docs)

Pinging @elastic/es-security (:Security/Authorization)

I'm a little perplexed on this one. @merlixelastic is correct that we indicate support in the Configuring role mappings page for OIDC:

  1. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.

However, in Mapping users and groups to roles, there's a note indicating that:

The PKI, LDAP, Kerberos and SAML realms support using authorization realms as an alternative to role mapping.

We explicitly don't mention OpenID Connect. The commit that added this note includes "authorization_realm support in the pki, ldap, saml & kerberos realms". Again, I don't see any mention of OpenID Connect, which appears to be deliberate.

I'm wondering if the page for _Configuring role mappings_ is incorrect, and we should revise or remove this information around configuring authorization_realms for OIDC:

If your users also exist in a repository that can be directly accessed by Elasticsearch (such as an LDAP directory) then you can use authorization realms instead of role mappings.

In this case, you perform the following steps:

  1. In your OpenID Connect realm, assign a claim to act as the lookup userid, by configuring the claims.principal setting.
  2. Create a new realm that can lookup users from your local repository (e.g. an ldap realm)
  3. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.

cc: @tvernum and @ywangd, who can provide more perspective.

We explicitly don't mention OpenID Connect. The commit that added this note includes "authorization_realm support in the pki, ldap, saml & kerberos realms". Again, I don't see any mention of OpenID Connect, which appears to be deliberate.

This is because we didn't have an OpenID Connect realm back then (it was introduced in 7.2).

OpenID Connect supports authorization realms and we should add the missing setting in the reference page. I just missed adding it when adding the OIDC docs the first time around; this was not done on purpose.

Ah, thanks for the context @jkakavas! I'll get that setting added 👍
