
Adding exclusion rules in role mapping when using LDAP #295

Closed
sandeepkanabar opened this issue Mar 15, 2020 · 3 comments
Labels: enhancement, triaged

Comments

@sandeepkanabar

When using LDAP, I would normally have 3 sets of users:

  1. Admins with full privileges.
  2. End-users with specific privileges e.g. write to some indices and read to others.
  3. Everyone else who is not in 1 and 2.

As it stands, while 1 and 2 can be easily achieved by creating appropriate roles and mapping them to backend roles, there's no option to create a role mapping for 3, since currently exclusion rules aren't supported via the Kibana UI and they don't look to be supported via the curl API / JSON either.

Can this feature be incorporated in upcoming releases?

Here's more detailed information.

  1. A set of a few users identified as Admins. Achieved this by configuring a role superuser having unlimited access to both cluster and indices. Mapped this to the backend role DL-ES-AdminUsers.
  2. A second set of users identified as End Users. Achieved this by configuring a role end_users having read access to all indices and INDICES_ALL access to .kibana* indices and also CLUSTER_COMPOSITE_OPS_RO access. Mapped this to the backend role DL-ES-EndUsers.

Now I want to create a 3rd set of users who have only RO access. I created a role users with RO access to all indices and CLUSTER_COMPOSITE_OPS_RO. However, is there an option to create backend mapping such that the users role can be mapped to all who are NOT in 1 and 2 i.e. NOT in DL-ES-AdminUsers and NOT in DL-ES-EndUsers?

In normal elasticsearch with x-pack, I would have done the following:

{
  "ReadOnlyUsers" : {
    "enabled" : true,
    "roles" : [
      "user"
    ],
    "rules" : {
      "all" : [
        {
          "except" : {
            "field" : {
              "groups" : [
                "CN=DL-ES-EndUsers,OU=Distribution,OU=Groups,DC=FOO,DC=BAR,DC=COM",
                "CN=DL-ES-AdminUsers,OU=Distribution,OU=Groups,DC=FOO,DC=BAR,DC=COM"
              ]
            }
          }
        }
      ]
    },
    "metadata" : { }
  }
}

But I don't see any option to do a similar thing in ODFE.
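As an added illustration (not part of the issue and not x-pack's or OpenDistro's own code), the following Python evaluates the all/except/field rule from the mapping above against constructed users. It makes visible why a negative mapping is a broad grant: any authenticated identity outside the two groups, including one that carries no groups at all, receives the role. The mapping JSON is adapted from the post (metadata omitted); the user dicts and the rule evaluator are assumptions for this example.

```python
import json

# Constructed sample: the x-pack style mapping from the issue, whose "except"
# rule excludes members of the two LDAP groups from the catch-all role.
ROLE_MAPPING = json.loads("""
{
  "ReadOnlyUsers": {
    "enabled": true,
    "roles": ["user"],
    "rules": {
      "all": [
        {"except": {"field": {"groups": [
          "CN=DL-ES-EndUsers,OU=Distribution,OU=Groups,DC=FOO,DC=BAR,DC=COM",
          "CN=DL-ES-AdminUsers,OU=Distribution,OU=Groups,DC=FOO,DC=BAR,DC=COM"
        ]}}}
      ]
    }
  }
}
""")

def eval_rule(rule, user):
    """Evaluate one role-mapping rule (all / any / except / field) against a
    user dict such as {"username": ..., "groups": [...]}.  Hypothetical
    re-implementation of the rule semantics, not x-pack's own code."""
    (kind, body), = rule.items()
    if kind == "all":
        return all(eval_rule(r, user) for r in body)
    if kind == "any":
        return any(eval_rule(r, user) for r in body)
    if kind == "except":
        return not eval_rule(body, user)
    if kind == "field":
        (name, wanted), = body.items()
        wanted = wanted if isinstance(wanted, list) else [wanted]
        have = user.get(name, [])
        have = have if isinstance(have, list) else [have]
        # An array of field values matches if any one of them matches.
        return any(v in have for v in wanted)
    raise ValueError(f"unknown rule type: {kind}")

def roles_for(user, mapping=ROLE_MAPPING):
    """Roles a user receives from every enabled mapping.  A negative rule is a
    default grant: an identity with no groups at all still gets the role."""
    roles = set()
    for m in mapping.values():
        if m.get("enabled", True) and eval_rule(m["rules"], user):
            roles.update(m["roles"])
    return sorted(roles)
```

The last case is the one to watch in review: a service account or a user whose LDAP groups were stripped still lands in the catch-all, which is the "explicit grants" concern raised later in this issue.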

@sandeepkanabar
Author

@debjanibnrj as discussed over AWS Support, submitting this.

@debjanibnrj debjanibnrj self-assigned this Mar 15, 2020
@debjanibnrj debjanibnrj added the enhancement New feature or request label Mar 15, 2020
@debjanibnrj
Contributor

Hi Sandeep, thanks for bringing this feature request to our notice. I will speak to other opendistro contributors about its feasibility and the best way to provide this. Will update this issue regarding any progress.

@davidlago davidlago added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2022
@stephen-crawford
Contributor

[Triage] Thank you for your feature request. The OpenSearch security maintainers aim to use explicit grants whenever possible so we are not currently considering implementing this feature. Please open a new issue if you would like to discuss this further.
