OpenSearch Security Part 4: Mapping Users to Roles

This article will show you how to use the OpenSearch role mapping feature to implement flexible mappings based in user groups.

In the last article of this series, we showed you how to set up new users and assign security roles to those users. For that, we added the user’s names to the list of users for a particular security role.

While this is straightforward and easy to understand, it is also somewhat inflexible, especially if you need to maintain many users and their permissions. This article will show you how to use the role mapping feature to cope with that challenge.

User Groups and Backend Roles

When designing the security infrastructure for any system, you usually do not think about individual people. Instead, you think about groups of people. For example, all users belonging to the “DevOps Engineer” group should have one set of access permissions. Users belonging to the “Software Engineer” or “QA Engineer” groups should have a different set of permissions. If there are any changes in the permission schema, you want to configure those changes based on groups rather than for each user separately.

And maybe you already have an authentication and authorization system in place that supports groups. If you use Active Directory or LDAP, you can assign users to groups. If you use OIDC, JWT, or SAML, your Identity Provider (“IdP”) most probably offers the possibility to add users to groups.

OpenSearch Security can use this information and assign users to security roles based on their group memberships (“backend roles”) retrieved from other systems like an IdP or LDAP.

Adding Backend Roles for Internal Users

Let’s start with an easy example and add user groups in the internal user database. In the last article, we added new users to the internal_users.yml file and uploaded the changes via the securityadmin command line tool. For this, we only had to specify the user name and the password hash in the internal_users.yml file. However, we can also add users to groups by defining one or more backend roles:

user-a:
  hash: "$2y$12$Zd5/KuxBgl1jSyx2w7UeFePv3KnUF0dE8yniajrNQBNmU1v3Vx6w."
  backend_roles:
    - "DevOps Engineer"

user-b:
  hash: "$2y$12$Kowf68LCvmN.Jo3vYRS7/OANBu/g0xr6o6B/8BSzWh56.oQWtref6"
  backend_roles:
    - "DevOps Engineer"
    - "QA Engineer"

Using Backend Roles for Assigning Permissions

Now that we have assiged backend roles to user-a and user-b, let’s see how we can use that for assigning OpenSearch security roles.

In our previous article, we used the users attribute to add users to security roles based on their names:

my-role-a:
  users:
    - "user-a"

Let’s switch that to backend roles:

my-role-a:
  backend_roles:
    - "DevOps Engineer"
    - "QA Engineer"

Now all users that have the backend role DevOps Engineer or QA Engineer are assigned to the security role my-role-a automatically. Whenever we add a new user, we just need to assign the user to one or more backend roles in the internal_users.yml file and the security roles are applied automatically.

Outlook: LDAP, Active Directory and more

The internal user database is not the only source we can use for retrieving user groups a.k.a backend roles. In the next articles we will take a look at how we can leverage LDAP / Active Directory groups for the role mapping. See you there!