If you would like to get more specific use case details, I'm more than willing to exchange emails or engage in phone calls.
Michael

On Wednesday, April 29, 2015 at 10:34:25 PM UTC-4, Michael Young wrote:
> I thought that might be the case.
>
> The problem with Shield for my use case is authentication and authorization are closely tied together. Generally speaking, we want to limit access to indexes via LDAP/AD groups which are assigned to Shield roles. We want to be able to use a "system/daemon" account to query Elasticsearch, but pass in a "proxy" or "impersonation" user which can be looked up to see what effective groups they have and from which indexes they can get results. Without the proxy user ability, we are forced to log in the user via their username and password. The problem is that users will not directly access Elasticsearch and we don't have access to their password.
>
> Our users will be authenticated via a separate application/user interface which will be using single sign on tokens. The application doesn't have access to the user's password to pass to Elasticsearch. So there isn't an easy way to say "I have user1234 running a query and I need you to filter index results appropriately for this authenticated user".
>
> We want to manage index permissions using LDAP/AD groups and roles using Shield. We don't want to have to do that in the application. The current workaround seems to be some sort of API overlay to Elasticsearch which will first check to see if the user exists using an admin account. If the user account doesn't exist (first time logging in), then create the user account using a hash of the user's group permissions from LDAP/AD. It's not ideal, but it'll probably get the job done until Shield is extended/enhanced.
>
> On Wednesday, April 29, 2015 at 5:03:51 PM UTC-4, Jay Modi wrote:
>> Hi Michael,
>>
>> We don't currently have a way to do this with Shield. Can you tell us a little more about your scenario? Your users are logging into your application and then accessing data in Elasticsearch, which is protected by Shield?
>>
>> This type of information is helpful for us as we plan features for future releases of Shield.
>>
>> -Jay
>>
>> On Wednesday, April 29, 2015 at 3:06:57 PM UTC-4, Michael Young wrote:
>>> I have Elasticsearch 1.5.2 and Shield 1.2.0 configured and working against Active Directory. This seems to work pretty well. However, I was wondering if there was a way to pass in a "proxy user" from an application to get the appropriate index filtering via access controls without having to pass in the username AND password from the application.
>>>
>>> Is there a way to do this with Shield?