In some cases, after the user has been authenticated by a realm, we may want to delegate user lookup and assignment of roles to another realm. Any realm that supports user lookup (without needing the user’s credentials) can be used as an authorization realm.
For example, a user that is authenticated by the Kerberos realm can be looked up in the LDAP realm. The LDAP realm takes on responsibility for searching the user in LDAP and determining the role. In this case, the LDAP realm acts as an authorization realm.
Following is an example configuration for the LDAP realm that can be used as an authorization realm. This LDAP realm is configured in user search mode with a specified filter.
For more information on configuring LDAP realms see LDAP user authentication.
Following is an example configuration where the Kerberos realm authenticates a
user and then delegates authorization to the LDAP realm. The
Kerberos realm authenticates the user and extracts user principal name
(usually of format
user@REALM). In this example, we enable the
setting to remove the
@REALM part from the user principal name to get the username.
This username is used to do a user lookup by the configured authorization realms (in this case the LDAP realm).
For more information on Kerberos realm see Kerberos authentication.
xpack: security: authc: realms: kerberos: kerb1: order: 1 keytab.path: "ES_PATH_CONF/es.keytab" remove_realm_name: true authorization_realms: ldap1
We can similarly configure PKI realm to delegate authorization to LDAP realm. The user is authenticated by the PKI realm and the authorization is delegated to the LDAP realm. In this example, the username is the common name (CN) extracted from the DN of the client certificate. The LDAP realm uses this username to lookup user and assign the role.
For more information on PKI realms see PKI user authentication.
xpack: security: authc: realms: pki: pki1: order: 2 authorization_realms: ldap1
Similar to the above examples, we can configure realms to delegate authorization to authorization realms (which have the capability to lookup users by the username and assign roles).