This feature is in development and not yet available for use. This documentation is provided for informational purposes only.
Security domains are a method of grouping multiple realms under the same domain so that the Elastic Stack can recognize when a single user authenticates with these realms. Users can authenticate with any of the realms in the domain group, and have access to the same set of resources regardless of which realm they authenticated with.
For example, a single user profile is associated with a user, enabling preferences, notifications, and other user data to be shared across realms. The user can view results from an asynchronous search request or a scrolling search across realms. If the user has the necessary privileges, they can also view and manage API keys across realms.
Some types of resources in Elasticsearch are owned by a single user, such as async search contexts, API keys, and user profiles. When a user creates a resource, Elasticsearch captures the user’s username and realm information as part of the resource’s metadata.
When a user later attempts to access the resource, Elasticsearch compares the captured username and realm information against those from the accessing user. Elasticsearch will deny access unless both the realm and username match. If Elasticsearch detects that a username from two different realms is attempting to access a resource, Elasticsearch assumes that these users are distinct and doesn’t allow resources to be shared between those users.
However, there are cases where the same user can authenticate with multiple realms and needs to share the same set of resources across realms. For example, an LDAP realm and a SAML realm can be backed by the same directory service. Additionally, authorization delegation allows one realm to delegate authorization to another realm. If both realms authenticate users with the same username, it’s reasonable to treat these users as the same user from a resource ownership perspective.
Security domains make resource sharing across realms possible by grouping those realms under the same domain. Elasticsearch always enforces the privileges that are associated with the currently authenticated user, which remains true with security domains. Security domains don’t bypass user authorization when resource sharing requires them. For example, a user requires the manage_own_api_key privilege to manage their own API keys. If that user doesn’t have this privilege when authenticating with one realm, they won’t be able to manage API keys while authenticating with another
Elasticsearch provides multiple ways to consistently apply roles across realms. For example, you can use authorization delegation to ensure that a user is assigned the same roles from multiple realms. You can also manually configure multiple realms that are backed by the same directory service. Though it’s possible to configure different roles for the same user when authenticating with different realms, it is not recommended.
You configure realms to be under a domain in elasticsearch.yml. The realms must be defined in elasticsearch.yml but do not need to be enabled.
- Add a security domain configuration to
- Restart Elasticsearch.
Elasticsearch can fail to start if the domain configuration is invalid, such as:
- A single realm is configured under multiple domains.
- Any undefined realm, synthetic realm, or the reserved realm is configured to be under a domain.
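As an added illustration (not Elasticsearch's own code), the following Python models the ownership rule described above (a resource carries the creating user's username and realm, and is only accessible when the accessing user matches), shows how domain membership changes that comparison without bypassing the manage_own_api_key privilege check, and applies the three startup-validation rules listed in the preceding points. Realm names, domain names and the set of synthetic realm names are made up for the example; the elasticsearch.yml key layout quoted in the comment is the one documented for the released feature and is an assumption against this in-development page.

```python
# Added illustration of the security-domain ownership model; this is not
# Elasticsearch source code. Assumed elasticsearch.yml layout:
#
#   xpack.security.authc.domains.<domain_name>.realms: [ <realm_name>, ... ]
#
# Realm names ("ldap1", "saml1", ...) and the domain name are constructed.
from dataclasses import dataclass

# Realms that may never be placed in a domain (the page names the reserved
# realm and synthetic realms). The concrete names here are assumed.
RESERVED_REALM = "reserved"
SYNTHETIC_REALMS = {"_es_api_key", "_service_account"}


@dataclass(frozen=True)
class Principal:
    """Username and realm captured in resource metadata, or of the accessor."""
    username: str
    realm: str


class DomainConfig:
    """Validates the domains block the way the page says startup would."""

    def __init__(self, defined_realms, domains):
        # defined_realms: realms present in elasticsearch.yml (enabled or not)
        # domains: mapping domain_name -> list of realm names
        self.realm_to_domain = {}
        for domain, realms in domains.items():
            for realm in realms:
                if realm not in defined_realms:
                    raise ValueError(f"realm {realm!r} is not defined in elasticsearch.yml")
                if realm == RESERVED_REALM or realm in SYNTHETIC_REALMS:
                    raise ValueError(f"realm {realm!r} cannot belong to a domain")
                if realm in self.realm_to_domain:
                    raise ValueError(f"realm {realm!r} is configured under multiple domains")
                self.realm_to_domain[realm] = domain

    def same_owner(self, a: Principal, b: Principal) -> bool:
        # Usernames must always match; realms must match or share a domain.
        if a.username != b.username:
            return False
        if a.realm == b.realm:
            return True
        da = self.realm_to_domain.get(a.realm)
        db = self.realm_to_domain.get(b.realm)
        return da is not None and da == db


def can_access(cfg, owner, accessor, accessor_privileges, required_privilege=None):
    """Ownership check first; the privilege check is never bypassed by a domain."""
    if not cfg.same_owner(owner, accessor):
        return False
    if required_privilege is not None and required_privilege not in accessor_privileges:
        return False
    return True


def startup_error(defined_realms, domains):
    """Return the validation message a bad config would produce, or None."""
    try:
        DomainConfig(defined_realms, domains)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """Alice created an API key via ldap1; ldap1 and saml1 share a domain."""
    defined = {"native1", "ldap1", "saml1"}
    cfg = DomainConfig(defined, {"my_domain": ["ldap1", "saml1"]})
    key_owner = Principal("alice", "ldap1")
    priv = {"manage_own_api_key"}
    return {
        # same username, realm in the same domain, privilege present -> allowed
        "same_domain": can_access(cfg, key_owner, Principal("alice", "saml1"), priv, "manage_own_api_key"),
        # same username but native1 is outside the domain -> distinct user
        "outside_domain": can_access(cfg, key_owner, Principal("alice", "native1"), priv, "manage_own_api_key"),
        # right domain, but the role on this realm lacks the privilege -> denied
        "missing_privilege": can_access(cfg, key_owner, Principal("alice", "saml1"), set(), "manage_own_api_key"),
    }


if __name__ == "__main__":
    print(demo())
    print(startup_error({"ldap1"}, {"d1": ["ldap1"], "d2": ["ldap1"]}))
```

The "missing_privilege" case is the point the page makes about authorization: grouping realms in a domain only changes whose resources count as the user's own, and the privileges of the role the user holds on the realm they actually authenticated with still decide what they may do.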