Global index permission definition for "JWT Validation Only" Authentication to Elasticsearch REST API?

Hello,

I am creating a project whereby I would like to leverage only JWT validation as authentication to the REST API of Elasticsearch with Open Distro. I have configured the file: "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml" as follows and this enables successful validation of the JWT passed in the "Authentication bearer" GET request from my clients:

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: |-
              -----BEGIN PUBLIC KEY-----
              AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
              -----END PUBLIC KEY-----
            jwt_header: "Authorization"
            roles_key: null
            subject_key: "name"

When I then authenticate from a client, the JWT is correctly validated. To confirm the structure of the payload of my JWT:

{
  "iss": "https://<Accounts Server >",
  "azp": "<Authorized Party>",
  "aud": "<Audience>",
  "sub": "1234567",
  "given_name": "user",
  "iat": 1571587385,
  "exp": 1571590985
}

Upon successful validation by the Open Distro security plugin, the client receives the following response:

{
	"error": {
		"root_cause": [{
			"type": "security_exception",
			"reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[], requestedTenant=null]"
		}],
		"type": "security_exception",
		"reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[], requestedTenant=null]"
	},
	"status": 403
}

For the purposes of the project requirements, I do not need for the security plugin to authenticate user/role and only wish for all clients with a valid JWT to have at least the “indices:data/write/index” permission to one of my indexes. When I try to write a document to an index the client receives the following response:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:data/write/index] and User [name=user, roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:data/write/index] and User [name=user, roles=[], requestedTenant=null]"
  },
  "status": 403
}

Is there a method to disable all authentication to the Elasticsearch API (not Kibana) with Open Distro other than the JWT validation?
I assume this is achievable by simply defining a global permission of write to the desired indexes but do not know how to set this.

Many thanks in advance :smiley:
Major

I’ve answered my own question here by creating and mapping a new role to all users using the following:

PUT
https://10.226.42.55:9200/_opendistro/_security/api/roles/test_index_write

{
    "description": "Allow write to test index",
    "cluster_permissions": [
      "cluster_composite_ops"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "test"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "write"
        ]
      }
    ],
    "tenant_permissions": []
}

PUT
https://<HOSTNAME>:9200/_opendistro/_security/api/rolesmapping/test_index_write

{
   "backend_roles": [],
   "hosts": [],
   "users": [
     "*"
   ],
   "and_backend_roles": [],
   "description": "Allow write to test index"
}

Hope this helps anyone else trying to achieve the same :slight_smile:
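
Added example (not part of the original post, and not Open Distro code): an offline check of what a role mapping with `"users": ["*"]` gives to every authenticated user, run over the role and mapping bodies shown above. It is a simplified model that looks only at `users` patterns and `backend_roles`; the input layout keyed by role name and the `reports_read` role are assumptions made for the illustration.

```python
import fnmatch
import json

# Constructed sample input: the role and mapping from the post, keyed by role
# name (assumed layout), plus a hypothetical second role for contrast.
ROLES = json.loads("""{
  "test_index_write": {
    "cluster_permissions": ["cluster_composite_ops"],
    "index_permissions": [{"index_patterns": ["test"], "allowed_actions": ["write"]}]
  },
  "reports_read": {
    "cluster_permissions": [],
    "index_permissions": [{"index_patterns": ["reports-*"], "allowed_actions": ["read"]}]
  }
}""")
MAPPINGS = json.loads("""{
  "test_index_write": {"backend_roles": [], "hosts": [], "users": ["*"]},
  "reports_read": {"backend_roles": ["analysts"], "hosts": [], "users": []}
}""")


def roles_for(username, backend_roles, mappings):
    """Roles a user resolves to via user-name patterns or backend roles.
    Simplified: hosts and and_backend_roles are ignored."""
    matched = set()
    for role, m in mappings.items():
        by_name = any(fnmatch.fnmatchcase(username, p) for p in m.get("users", []))
        by_backend = bool(set(backend_roles) & set(m.get("backend_roles", [])))
        if by_name or by_backend:
            matched.add(role)
    return matched


def granted_to_everyone(roles, mappings):
    """Permissions reachable by any authenticated user, whatever their name."""
    report = {}
    for role, m in mappings.items():
        if "*" in m.get("users", []) and role in roles:
            report[role] = {
                "cluster": roles[role].get("cluster_permissions", []),
                "indices": [(p["index_patterns"], p["allowed_actions"])
                            for p in roles[role].get("index_permissions", [])],
            }
    return report


if __name__ == "__main__":
    # The JWT user from the post: name "user", no backend roles (roles=[]).
    print(roles_for("user", [], MAPPINGS))
    print(json.dumps(granted_to_everyone(ROLES, MAPPINGS), indent=2))
```
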