lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495
							[role="xpack"]
[[configuring-authorization-delegation]]
=== Configuring authorization delegation

In some cases, after the user has been authenticated by a realm, we may
want to delegate user lookup and assignment of roles to another realm.
Any realm that supports retrieving users (without needing their credentials)
can be used as an authorization realm.

For example, a user that is authenticated by the Kerberos realm can be looked up
in the LDAP realm. The LDAP realm takes on responsibility for searching the user
in LDAP and determining the role. In this case, the LDAP realm acts as an
_authorization realm_.

==== LDAP realm as an authorization realm
Following is an example configuration for the LDAP realm that can be used as
an _authorization realm_. This LDAP realm is configured in user search mode
with a specified filter.

For more information on configuring LDAP realms see <<ldap-realm>>.

[source, yaml]
------------------------------------------------------------
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            authentication.enabled: true <1>
            user_search:
              base_dn: "dc=example,dc=org"
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=example,dc=org"
            files:
              role_mapping: "ES_PATH_CONF/role_mapping.yml"
            unmapped_groups_as_roles: false
------------------------------------------------------------

<1> Here, we explicitly allow the LDAP realm to be used for authentication
(that is, users can authenticate using their LDAP username and password).
If we wanted this LDAP realm to be used for authorization only, then we
 would set this to `false`.

==== Kerberos realm configured to delegate authorization

Following is an example configuration where the Kerberos realm authenticates a
user and then delegates authorization to the LDAP realm. The
Kerberos realm authenticates the user and extracts user principal name
(usually of format `user@REALM`). In this example, we enable the `remove_realm_name`
setting to remove the `@REALM` part from the user principal name to get the username.
This username is used to do a user lookup by the configured authorization realms (in this case the LDAP realm).

For more information on Kerberos realm see <<kerberos-realm>>.

[source, yaml]
------------------------------------------------------------
xpack:
  security:
    authc:
      realms:
        kerberos:
          kerb1:
            order: 1
            keytab.path: "ES_PATH_CONF/es.keytab"
            remove_realm_name: true
            authorization_realms: ldap1
------------------------------------------------------------

==== PKI realm configured to delegate authorization

We can similarly configure PKI realm to delegate authorization to LDAP realm.
The user is authenticated by the PKI realm and the authorization is delegated to
the LDAP realm. In this example, the username is the common name (CN)
extracted from the DN of the client certificate. The LDAP realm uses this
username to lookup user and assign the role.

For more information on PKI realms see <<pki-realm>>.

[source, yaml]
------------------------------------------------------------
xpack:
  security:
    authc:
      realms:
        pki:
          pki1:
            order: 2
            authorization_realms: ldap1
------------------------------------------------------------

Similar to the above examples, we can configure realms to delegate authorization to
authorization realms (which have the capability to lookup users by the username and assign roles).