Adding exclusion rules in role mapping when using LDAP

I’ve set up opendistro 0.10.0.0 with LDAP authentication and authorization and am now trying to set up role mapping for backend LDAP users. The reason for choosing version 0.10.0.0 is that it corresponds to ES version 6.8.1.

This is what I have done so far:

  1. A small set of users identified as Admins. Achieved this by configuring a role superuser having unlimited access to both cluster and indices. Mapped this to the backend role DL-ES-AdminUsers. Works fine.
  2. A second set of users identified as End Users. Achieved this by configuring a role end_users having read access to all indices and INDICES_ALL access to .kibana* indices and also CLUSTER_COMPOSITE_OPS_RO access. Mapped this to the backend role DL-ES-EndUsers.

Now I want to create a 3rd set of users who have only RO access. I created a role users with RO access to all indices and CLUSTER_COMPOSITE_OPS_RO. The point where I’m stuck is the backend mapping, since I need to map the users role to all who are NOT in 1 and 2, i.e. NOT in DL-ES-AdminUsers and NOT in DL-ES-EndUsers. How can I achieve that?

In normal elasticsearch with x-pack, I would have done the following:

{
  "ReadOnlyUsers" : {
    "enabled" : true,
    "roles" : [
      "user"
    ],
    "rules" : {
      "all" : [
        {
          "except" : {
            "field" : {
              "groups" : [
                "CN=DL-ES-EndUsers,OU=Distribution,OU=Groups,DC=FOO,DC=BAR,DC=COM",
                "CN=DL-ES-AdminUsers,OU=Distribution,OU=Groups,DC=FOO,DC=BAR,DC=COM"
              ]
            }
          }
        }
      ]
    },
    "metadata" : { }
  }
}

But I don’t see any option to do a similar thing in opendistro.

This is how I have configured role mapping for 1 and 2:

{
  "end_user" : {
    "backendroles" : [
      "DL-ES-EndUsers"
    ],
    "hosts" : [ ],
    "users" : [ ]
  },
  ....
  "superuser" : {
    "backendroles" : [
      "DL-ES-AdminUsers"
    ],
    "hosts" : [ ],
    "users" : [ ]
  }
}

Would appreciate some input on this. Thanks.

Spoke to an OpenDistro committer and got confirmation that currently there’s NO WAY to set exclusion rules. Filed a feature/enhancement request here.

And I solved this issue by creating the 3rd set of users who have only RO access as follows:
Created a role users with RO access to all indices and CLUSTER_COMPOSITE_OPS_RO. Mapped it to the backend role DL-ALL-Employees. If a user is in DL-ES-AdminUsers or DL-ES-EndUsers then that specific role’s privileges will apply, else it will be RO privs.
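An added example (not from the post or from Open Distro) that simulates the additive mapping described in the workaround above, so you can check who ends up with which role before and after adding the catch-all backend role. The role and backend-role names are the ones from the post; the sample users and the privilege ordering are constructed assumptions.

```python
# Added example (not from the original post): simulate Open Distro's additive
# role resolution to audit the poster's mapping before and after the workaround.
# Role and backend-role names come from the post; users are constructed.

# roles_mapping as posted (the "before" state): only two backend roles are mapped.
MAPPING_BEFORE = {
    "end_user": {"backendroles": ["DL-ES-EndUsers"]},
    "superuser": {"backendroles": ["DL-ES-AdminUsers"]},
}

# The poster's workaround: a catch-all backend role that every employee carries.
MAPPING_AFTER = dict(MAPPING_BEFORE, users={"backendroles": ["DL-ALL-Employees"]})

# Constructed ordering of the roles described in the post (not an official
# Open Distro scale): higher number = broader access.
ROLE_LEVEL = {"users": 1, "end_user": 2, "superuser": 3}


def resolve_roles(mapping, backend_roles):
    """Roles whose backendroles intersect the user's LDAP groups.
    There is no 'except' rule: every matching mapping applies and the
    resulting permissions are the union of all matched roles."""
    groups = set(backend_roles)
    return {role for role, spec in mapping.items()
            if groups & set(spec.get("backendroles", []))}


def effective_level(mapping, backend_roles):
    """Highest privilege among the resolved roles, or 0 if nothing matched."""
    roles = resolve_roles(mapping, backend_roles)
    return max((ROLE_LEVEL[r] for r in roles), default=0)


def unmapped_users(mapping, users):
    """Audit helper: users who would authenticate but be mapped to no role."""
    return [name for name, groups in users.items()
            if not resolve_roles(mapping, groups)]


# Constructed sample users with their LDAP groups as backend roles.
USERS = {
    "alice": ["DL-ALL-Employees", "DL-ES-AdminUsers"],
    "bob": ["DL-ALL-Employees", "DL-ES-EndUsers"],
    "carol": ["DL-ALL-Employees"],
    "mallory": ["DL-Contractors"],  # not an employee: still maps to nothing
}

if __name__ == "__main__":
    for label, mapping in (("before", MAPPING_BEFORE), ("after", MAPPING_AFTER)):
        print(label, "unmapped:", unmapped_users(mapping, USERS))
        for name, groups in USERS.items():
            print(f"  {name}: roles={sorted(resolve_roles(mapping, groups))}"
                  f" level={effective_level(mapping, groups)}")
```

Note that the catch-all only reaches accounts that actually carry DL-ALL-Employees; anyone who authenticates without that group (mallory above) is still mapped to no role at all.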