Add documentation for authorization_realms #100
Authorization realms are a new feature in Elasticsearch that allow delegation of authorization from one realm to another. This commit adds a description of authorization realms to the main realms doc. Links to this page/section will be added from the docs for each of the applicable realms.
Ping: @elastic/es-security
This will only be merged when the https://github.com/elastic/elasticsearch/tree/security-lookup-realms branch is merged to master, but the docs in that feature (see elastic/elasticsearch#32765) link to this new section, so I want to make sure it's reviewed and ready to merge when the feature lands.
| Any realm that supports retrieving users (without needing their credentials)
| may be used as an _authorization realm_ (that is, its name may appear as one of
| the values in the list of `authorizing_realms`). See <<run-as-privilege>> for
s/authorizing_realms/authorization_realms
Thanks, old habits die hard.
| NOTE: Delegated authorization requires a
| https://www.elastic.co/subscriptions[Platinum or Trial license].
| ==== Internal and external realms
I think maybe we should move this "internal and external realms" section up above the realm chain section, since it seems like an odd end to this page otherwise.
| TLS client certificates, but then lookup that user in an LDAP realm, and use
| their LDAP group assignments to determine their roles in Elasticsearch.
| For realms that support this feature, it can be enabled by configuring the
This "For realms that support this feature..." paragraph left me wondering how I'd know which ones support it. I think the answer is in the next paragraph, so my preference would be to have that info first (i.e. swap the order of these two paragraphs).
| For realms that support this feature, it can be enabled by configuring the
| `authorization_realms` setting on the authenticating realm. Check the list of
| supported settings for each realm to see if they support the
| `authorization_realms` setting.
Maybe add a link to the settings page, e.g. {ref}/security-settings.html#realm-settings[Realm settings].
| If delegated authorization is enabled for a realm, then it will authenticate
| the user in its standard manner (including relevant caching) and then look for
| that user in the configured list of authorization realms, trying each realm in
| order. The user is retrieved by principal - the user must have identical
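Review bot: The "If delegated authorization is enabled for a realm" paragraph mentions caching only for the authentication step ("including relevant caching") and leaves the failure path unstated; it should say what happens when none of the listed authorization realms returns the user (whether authentication fails outright or the request falls through to the next realm in the chain), and whether the result of the delegated lookup is cached together with the authenticated user, since a cached lookup would keep a user's previously resolved roles in effect until the entry expires even after the user is removed from the authorization realm. One sentence on each, placed right after "trying each realm in order", would close both gaps.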
Re "trying each realm in order..." is that the order specified in the authorization_realms setting or the order specified in the realm chain? I think the former.
jaymode left a comment
LGTM from a technical perspective. Lisa's comments make sense to me.
I implemented all of my suggestions and ended up splitting this new content (and the existing realm chain content) into a separate "realm chains" page, since the "realms" page felt overloaded.