
[BUG] Question about and_backend_roles support for creating a role mapping #4084

Closed
rblcoder opened this issue Feb 29, 2024 · 11 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@rblcoder

rblcoder commented Feb 29, 2024

What is the bug?
While creating a role mapping and specifying and_backend_roles, the data specified as and_backend_roles does not seem to have any effect.

How can one reproduce the bug?
Steps to reproduce the behavior:
When I try to create a role mapping using the API


PUT _plugins/_security/api/rolesmapping/all_access
{
  "backend_roles" : [ "admin", "hr1" ],
  "and_backend_roles" : [ "it1" ]
}

The UI only shows admin and hr1 mapped to all_access

Also if I execute the API as follows

PUT _plugins/_security/api/rolesmapping/all_access
{
  "and_backend_roles" : [ "admin", "hr1", "it1" ]
}

the admin user loses access.

What is the expected behavior?
The entities specified in and_backend_roles also need to be mapped to the role.
If this is not supposed to be so, please remove all references to this:
https://github.com/search?q=org%3Aopensearch-project+and_backend_roles&type=code

What is your host/environment?

  • PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
  • Version 2.12.0
  • Plugins

Do you have any screenshots?
(screenshot: role_mapping_and_backend_role)

Do you have any additional context?
Add any other context about the problem.

@rblcoder rblcoder added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Feb 29, 2024
@stephen-crawford
Contributor

[Triage] Hi @rblcoder, thanks for filing this issue. @cwperks to follow up, but this looks like an issue around the documentation of the feature.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Mar 4, 2024
@cwperks
Member

cwperks commented Mar 4, 2024

Hi @rblcoder , thank you for creating an issue. The and_backend_roles feature is supported, but there is no documentation on the website and there is no UX support around the feature currently.

and_backend_roles is similar to backend_roles, but in order for a user to be mapped to the OpenSearch Role (opposed to backend role), the user must have all backend roles in the list, hence AND backend roles. It looks like this feature has existed for a while in the security plugin so it should have associated documentation and perhaps UX for the feature as well.

For the example you provided:

PUT _plugins/_security/api/rolesmapping/all_access
{
  "and_backend_roles" : [ "admin", "hr1", "it1" ]
}

In order for a user to be mapped successfully to all_access they would need to have admin AND hr1 AND it1.

@rblcoder
Author

rblcoder commented Mar 5, 2024

@cwperks Thank you for your reply. The purpose behind and_backend_roles is still not clear to me. Please share a link to the documentation and also examples. In my example admin, hr1, it1 are users. I am able to map them to the role all_access using backend_roles. I need to understand and_backend_roles.

@cwperks
Member

cwperks commented Mar 5, 2024

@rblcoder backend_roles are roles extracted from an external Identity Provider (or added manually via OpenSearch Dashboards onto internal users).

If you want to directly map users to roles then you would use user mapping like this:

PUT _plugins/_security/api/rolesmapping/all_access
{
  "users" : [ "admin", "hr1", "it1" ]
}

Backend roles are typically used when you have OpenSearch Dashboards configured with a Single Sign-On provider and the user (and their attributes like roles) are external to OpenSearch and instead defined in a central Identity Provider (IdP). When authenticated, OpenSearch will get the user's roles from that external IdP and those are referred to as backend roles - opposed to roles defined in OpenSearch. To map backend roles to roles defined in OpenSearch, you can either use direct backend_roles mapping (i.e. if the user has this backend role X then map the user to OpenSearch role Y) or use and_backend_roles if you require the user to have multiple backend roles in order to be mapped to a role. In the case of and_backend_roles the user needs to have all backend roles in the list in order to be mapped to the respective OpenSearch role.

Effectively, and_backend_roles mapping would be the same as backend_roles mapping if the list only contained a single backend role, but if and_backend_roles is configured with multiple backend roles then the user needs to have all of them to be mapped.

I will create an issue on the documentation-website to go over role mapping in more detail. Currently role mapping supports 4 different methods:

  1. Direct user mapping
  2. Backend Role mapping
  3. AND Backend Role mapping - user needs all backend roles to be mapped
  4. Host mapping - map requests coming from specific IP address(es) or hostname(s) to particular role

@rblcoder
Author

Thank you @cwperks for your reply. Could you please also point to the code implementation and unit tests for and_backend_roles so that we can understand it better?

@cwperks
Member

cwperks commented Mar 20, 2024

The implementation for and_backend_roles is here. I am not seeing any corresponding tests to the feature.

@rblcoder
Author

@cwperks ConfigModelV7 extends ConfigModel. Could you please share the code flow for creating the roles mapping when the create roles mapping REST API is called, and also for evaluating the same when checking permissions?

@stephen-crawford stephen-crawford changed the title [BUG] Is and_backend_roles supported for creating a role mapping [BUG] Question about and_backend_roles support for creating a role mapping Mar 22, 2024
@cwperks
Member

cwperks commented Mar 26, 2024

RolesMappingApi Handler: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java

The actual mapping of the roles occurs here. The mapped roles are used to evaluate whether a user is permitted to perform the given transport action or not.

@rblcoder
Author

In the following, all the users from roleMapValue.getUsers() are added to users

for (String u : roleMapValue.getUsers()) {

In the following, all the backend roles from roleMapValue.getBackend_roles() are added to bars

for (String bar : roleMapValue.getBackend_roles()) {

In the following all the and_backend_roles from roleMapValue.getAnd_backend_roles() are added to abars

I am trying to understand what is happening here

for (String p : WildcardMatcher.getAllMatchingPatterns(userMatchers, user.getName())) {
    securityRoles.addAll(users.get(p));
}
for (String p : WildcardMatcher.getAllMatchingPatterns(barMatchers, user.getRoles())) {
    securityRoles.addAll(bars.get(p));
}
for (List<WildcardMatcher> patterns : abars.keySet()) {
    if (patterns.stream().allMatch(p -> p.matchAny(user.getRoles()))) {
        securityRoles.addAll(abars.get(patterns));
    }
}

Whatever matches between userMatchers and user.getName(), the corresponding role to which the user has been mapped is added to securityRoles.

Similarly with barMatchers and user.getRoles().

For abars and user.getRoles(), every backend_role in abars needs to be present in user.getRoles() for the mapping to work.
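
Added example, not code from the opensearch-project/security repository: a Python model of the three loops quoted from ConfigModelV7 above, extended with the host mapping from cwperks's list of four mapping methods, run against the two API bodies posted in the issue. Shell-style globbing (`*`, `?`) stands in for WildcardMatcher, and the mappings, user names and backend-role sets are constructed for the demonstration.

```python
"""Model of how the security plugin maps a user to OpenSearch roles.

Mirrors the quoted ConfigModelV7 loops (users, backend_roles,
and_backend_roles) plus host mapping. Pattern matching is approximated
with fnmatch; the real WildcardMatcher also accepts regex patterns.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class RoleMapping:
    """One rolesmapping entry; field names as in the REST API on the page."""
    users: list[str] = field(default_factory=list)
    backend_roles: list[str] = field(default_factory=list)
    and_backend_roles: list[str] = field(default_factory=list)
    hosts: list[str] = field(default_factory=list)


def _match_any(pattern: str, values) -> bool:
    # Stand-in for WildcardMatcher.matchAny: true if the pattern matches
    # at least one of the user's backend roles (case-sensitive glob).
    return any(fnmatch.fnmatchcase(v, pattern) for v in values)


def map_security_roles(mappings, user_name, user_backend_roles, remote_host=None):
    """Return the set of OpenSearch role names the user is mapped to.

    users             - any pattern matches the user name         -> mapped
    backend_roles     - any pattern matches any backend role      -> mapped
    and_backend_roles - EVERY pattern matches some backend role   -> mapped
    hosts             - any pattern matches the remote host       -> mapped
    """
    security_roles = set()
    for role_name, m in mappings.items():
        if any(fnmatch.fnmatchcase(user_name, p) for p in m.users):
            security_roles.add(role_name)
        if any(_match_any(p, user_backend_roles) for p in m.backend_roles):
            security_roles.add(role_name)
        # all() over an empty list is True, so an empty AND list must not
        # map everyone; this guard is the model's choice.
        if m.and_backend_roles and all(
            _match_any(p, user_backend_roles) for p in m.and_backend_roles
        ):
            security_roles.add(role_name)
        if remote_host is not None and any(
            fnmatch.fnmatchcase(remote_host, p) for p in m.hosts
        ):
            security_roles.add(role_name)
    return security_roles


# Constructed mapping reproducing the first API call in the issue.
REPORTED_MAPPING = {
    "all_access": RoleMapping(backend_roles=["admin", "hr1"],
                              and_backend_roles=["it1"]),
}

# Constructed mapping reproducing the second API call (AND list only).
AND_ONLY_MAPPING = {
    "all_access": RoleMapping(and_backend_roles=["admin", "hr1", "it1"]),
}

# Constructed mapping showing user, host and wildcard AND mappings.
EXTRA_MAPPING = {
    "readall": RoleMapping(users=["report_*"], hosts=["10.0.0.*"]),
    "hr_and_it": RoleMapping(and_backend_roles=["hr*", "it*"]),
}


if __name__ == "__main__":
    # A user whose IdP backend roles are only {"admin"} (like the demo
    # admin user) keeps all_access under the first mapping ...
    print(map_security_roles(REPORTED_MAPPING, "admin", ["admin"]))
    # ... but loses it under the AND-only mapping, as the issue reports.
    print(map_security_roles(AND_ONLY_MAPPING, "admin", ["admin"]))
    # Only a user holding all three backend roles is mapped by the AND list.
    print(map_security_roles(AND_ONLY_MAPPING, "ops", ["admin", "hr1", "it1"]))
```

The single-element AND list behaves exactly like a backend_roles entry (a user with just the `it1` backend role is mapped by REPORTED_MAPPING), which is the equivalence cwperks describes; the difference only appears once the list has more than one pattern.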

@rblcoder
Author

Have created an issue to support the same in dashboards.

@rblcoder
Author

@cwperks Thank you.
