sparrowt

Reputation: 2968

Elasticsearch: how to list roles assigned to the current SSO user via role mappings

How do I find out which roles I have been assigned, having authenticated to an Elasticsearch cluster via OIDC SSO?

Roles have been assigned to me in AzureAD (to which I do not have access) and then I have logged in to Elastic using OIDC/AzureAD.

Having logged in, I wish to know which roles of those listed at /app/management/security/roles were actually granted to me, by Azure claims, via one of the role mappings which I can see listed at /app/management/security/role_mappings.

I can view which privileges I have via Kibana dev tools GET _security/user/_privileges but this doesn't tell me which roles they came from. The Get User API GET /_security/user doesn't help as it only includes native/builtin users, not SSO users.

Upvotes: 1

Views: 656

Answers (1)

sparrowt

Eventually I figured out that you can discover this for the current user by calling the Authenticate API from Kibana dev tools (/app/dev_tools), e.g.:

GET /_security/_authenticate

returns something like this, crucially with the roles list:

{
  "username": "seemingly_random_number",
  "roles": [
    "editor",
    "viewer",
    "superuser"
  ],
  "full_name": "[email protected]",
  "email": "[email protected]",
  "metadata": {
    "saml_...": ...
  },
  ...
}

Upvotes: 3
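
To go one step further and see which role mappings could have supplied each role, the roles list from the Authenticate API can be joined with the output of GET /_security/role_mapping. The following is an added example, not part of the original answer: both JSON samples are constructed, the mapping names are hypothetical, and it assumes the current user is allowed to read role mappings.

```python
import json

# Constructed sample of a GET /_security/_authenticate response (trimmed).
AUTHENTICATE = json.loads("""
{"username": "1234567890", "roles": ["editor", "viewer", "superuser"],
 "authentication_realm": {"name": "oidc1", "type": "oidc"}}
""")

# Constructed sample of a GET /_security/role_mapping response.
# Mapping names, groups and rules are hypothetical.
ROLE_MAPPINGS = json.loads("""
{"azure-editors": {"enabled": true, "roles": ["editor", "viewer"],
                   "rules": {"field": {"groups": "editors-group-id"}}},
 "azure-viewers": {"enabled": true, "roles": ["viewer"],
                   "rules": {"field": {"realm.name": "oidc1"}}},
 "legacy-admins": {"enabled": false, "roles": ["superuser"],
                   "rules": {"field": {"groups": "admins-group-id"}}},
 "templated":     {"enabled": true,
                   "role_templates": [{"template": {"source": "{{username}}"}}],
                   "rules": {"field": {"realm.name": "oidc1"}}}}
""")

def candidate_mappings(authenticate, role_mappings):
    """Map each role of the current user to the enabled mappings that list it.

    Only role names are compared; the mapping rules are not evaluated, so a
    listed mapping is a candidate, not proof that its rules matched this user.
    Mappings that use role_templates have no static "roles" list and are skipped.
    """
    result = {role: [] for role in authenticate.get("roles", [])}
    for name, mapping in sorted(role_mappings.items()):
        if not mapping.get("enabled", True):
            continue  # disabled mappings grant nothing
        for role in mapping.get("roles", []):
            if role in result:
                result[role].append(name)
    return result

def unexplained_roles(candidates):
    """Roles the user holds that no enabled static mapping lists."""
    return sorted(role for role, names in candidates.items() if not names)

if __name__ == "__main__":
    found = candidate_mappings(AUTHENTICATE, ROLE_MAPPINGS)
    for role, names in found.items():
        print(f"{role}: {', '.join(names) or '(no enabled static mapping)'}")
    print("review:", unexplained_roles(found))
```

A role that ends up with no candidate mapping (here superuser, whose only mapping is disabled) is the one to follow up on, since it must have come from a templated mapping or another assignment path.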
