Role mapping resources
A role mapping resource has the following properties:
- `enabled`: (Boolean) Mappings that have `enabled` set to `false` are ignored when role mapping is performed.
- `metadata`: (object) Additional metadata that helps define which roles are assigned to each user. Within the `metadata` object, keys beginning with `_` are reserved for system usage.
- `roles`: (list) A list of roles that are granted to the users that match the role mapping rules.
- `rules`: (object) The rules that determine which users should be matched by the mapping. A rule is a logical condition that is expressed by using a JSON DSL. The DSL supports the following rule types:
  - `any`: (array of rules) If any of its children are true, it evaluates to `true`.
  - `all`: (array of rules) If all of its children are true, it evaluates to `true`.
  - `field`: (object) See Field rules.
  - `except`: (object) A single rule as an object. Only valid as a child of an `all` rule. If its child is `false`, the `except` is `true`.
Field rules
The `field` rule is the primary building block for a role mapping expression. It takes a single object as its value and that object must contain a single member with key F and value V. The field rule looks up the value of F within the user object and then tests whether the user value matches the provided value V.
The value specified in the field rule can be one of the following types:
Type | Description
---|---
Simple String | Exactly matches the provided value.
Wildcard String | Matches the provided value using a wildcard.
Regular Expression | Matches the provided value using a Lucene regexp.
Number | Matches an equivalent numerical value.
Null | Matches a null or missing value.
Array | Tests each element in the array in accordance with the above definitions. If any of the elements match, the match is successful.
User fields
The user object against which rules are evaluated has the following fields:
- `username`: (string) The username by which the Elasticsearch security features knows this user. For example, `"username": "jsmith"`.
- `dn`: (string) The Distinguished Name of the user. For example, `"dn": "cn=jsmith,ou=users,dc=example,dc=com"`.
- `groups`: (array of strings) The groups to which the user belongs. For example, `"groups" : [ "cn=admin,ou=groups,dc=example,dc=com", "cn=esusers,ou=groups,dc=example,dc=com" ]`.
- `metadata`: (object) Additional metadata for the user. For example, `"metadata": { "cn": "John Smith" }`.
- `realm`: (object) The realm that authenticated the user. The only field in this object is the realm name. For example, `"realm": { "name": "ldap1" }`.
The `groups` field is multi-valued; a user can belong to many groups. When a `field` rule is applied against a multi-valued field, it is considered to match if at least one of the member values matches. For example, the following rule matches any user who is a member of the `admin` group, regardless of any other groups they belong to:
`{ "field" : { "groups" : "admin" } }`
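A reference evaluator for the rule DSL described above, added here as an example and not Elastic's own code: it implements the `any`, `all`, `except` and `field` semantics, the value types from the Field rules table, and the multi-valued matching described for `groups`. The dotted-key lookup (`realm.name`), the `/.../` marker for a regexp value, Python's `re` standing in for Lucene regexp syntax, `fnmatch` standing in for Elasticsearch wildcards, and the sample user object are all assumptions.

```python
import fnmatch
import re

# Constructed sample user object (not from the original page), shaped as in "User fields".
SAMPLE_USER = {
    "username": "jsmith",
    "dn": "cn=jsmith,ou=users,dc=example,dc=com",
    "groups": ["cn=admin,ou=groups,dc=example,dc=com", "cn=esusers,ou=groups,dc=example,dc=com"],
    "metadata": {"cn": "John Smith"},
    "realm": {"name": "ldap1"},
}

def lookup(user, key):
    # Resolve F against the user object; dotted keys such as "realm.name" are an assumption.
    for part in key.split("."):
        user = user.get(part) if isinstance(user, dict) else None
    return user

def value_matches(actual, expected):
    """Test one user value against one rule value using the type semantics of the table above."""
    if isinstance(actual, list):    # multi-valued user field: at least one member must match
        return any(value_matches(a, expected) for a in actual)
    if isinstance(expected, list):  # Array rule value: any element may match
        return any(value_matches(actual, e) for e in expected)
    if expected is None or isinstance(expected, (int, float)):  # Null / Number
        return actual == expected
    if not isinstance(actual, str):
        return False
    if len(expected) > 1 and expected[0] == expected[-1] == "/":  # Regular Expression, assumed /.../ form
        return re.fullmatch(expected[1:-1], actual) is not None   # Python re stands in for Lucene regexp
    if "*" in expected or "?" in expected:  # Wildcard String
        return fnmatch.fnmatchcase(actual, expected)
    return actual == expected       # Simple String: exact match

def evaluate(rule, user, parent=None):
    """Evaluate an any / all / except / field rule object against a user."""
    (kind, body), = rule.items()
    if kind == "any":
        return any(evaluate(r, user, "any") for r in body)
    if kind == "all":
        return all(evaluate(r, user, "all") for r in body)
    if kind == "except":
        if parent != "all":
            raise ValueError("except is only valid as a child of an all rule")
        return not evaluate(body, user, "except")
    if kind != "field":
        raise ValueError(f"unknown rule type: {kind}")
    (key, expected), = body.items()
    return value_matches(lookup(user, key), expected)
```

Because `except` is rejected anywhere but directly under `all`, a malformed mapping fails loudly instead of silently granting roles.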
For additional realm-specific details, see Active Directory and LDAP realms.