Create users using API - unable to attach Roles while create

Hello,

I am back with another question! :slight_smile:
I am trying to create an internal user in Kibana with FGAC, through OpenDistro API.

I was able to create a user! Great!

But I got two concerns with that -

  1. The users that I’ve created are visible in the internal-users section, but not able to filter by them in the Roles section.




  2. I am wondering if above point-1 is happening because, I did not map the Roles properly to the user I’ve created using this api call -

PUT _opendistro/_security/api/internalusers/<username>

The documentation says you can pass the Roles using the parameter/attribute ‘roles’
https://opendistro.github.io/for-elasticsearch-docs/old/0.9.0/docs/security/api/#create-user

But when I do that, I get a 400 error, the ‘doc’ prefix roles are not pre-defined ones -

Request:

PUT _opendistro/_security/api/internalusers/new-user-1
{
  "password": "some1@pass",
  "roles": ["readall_and_monitor", "doc_alerting_access", "doc_tenants"]
}

Response:

{
  "status_code": 400,
  "response": {
    "status": "error",
    "reason": "Invalid configuration",
    "invalid_keys": {
      "keys": "roles"
    }
  }
}

Can someone please help me understand what am I doing wrong, and help me fix this.


Update:
If I try to login with the newly created user -
image


Best
Prashanth Sripathi

@psripathi
which version of odfe are you using?

Can you change the “roles” to “opendistro_security_roles” and make sure the roles listed already exist in the security configuration.

Hope this helps

1 Like

@Anthony Our Kibana sits on top of AWS Elasticsearch service. I am not exactly sure on the ODFE version. But running Kibana 7.10
But I followed your suggestion, and was able to create a user with ‘opendistro_security_roles’ (Should the API document reflect this change?) -

{
"status_code": 201,
"response": {
  "status": "CREATED",
  "message": "'new-user-1' created."
}

And, the weird part is that, I couldn’t see the user in the Roles section under ‘Internal users’ column.

But interestingly was able to login with the created test user and has all the access I assigned while making the api call.

Is that a bug in the UI?
Because, from the front-end I wont be able to check what roles the user is assigned with during an audit or something.


Best
Prashanth Sripathi

@psripathi glad you got it working, regarding a bug, yes, it would appear to be a bug, however I can confirm that UI reflects the new user using odfe, therefore the issue is with AWS ES service offering and I would recommend raising a AWS support ticket as this forum is for odfe and opensearch.

Regarding the documentation, I think its already updated, see docs here

Hope this helps

@Anthony Yep, thank you for checking this for me, looking back at the documentation link I referenced, it seems to be an old version of ODFE.

JFYI, this issue I am seeing with user mapping in UI is only for users created through api call, if I create a user from the front-end directly, this doesn’t seem to occur.

I am assuming we are on the same page here. So I will check with AWS support why this issue is occurring. I will try and update this post when I receive an update.

Thank you again!