Kibana Fine Grained Access Control - Multiple Kibana Groups - amazon-cognito

I have different Kibana roles set up in AWS Elasticsearch to protect different indices. These Kibana roles are mapped to IAM roles, which are mapped to Cognito groups.
My plan was to assign users to one or more Cognito groups, and this would grant them access to their respective Kibana indices.
However, when I attempt to log in with a Cognito token containing multiple elements in the cognito:roles collection, I receive an error: OpenDistro ES: Missing Role No roles available for this user, please contact your system administrator.
Is this expected? The examples only include users that are part of a single Cognito group (either limited user or admin). I'm able to log in if I'm part of one Cognito group, but as soon as I am part of multiple, I receive the error above. I expected to have multiple Kibana roles.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html
https://github.com/aws-samples/amazon-elasticsearch-service-with-cognito/blob/master/lib/search-stack.ts

Apparently that is a design limitation per AWS architect, although it does not help solve my use case:
The ES Fine Grained Access Control is designed to map only one backend role with an IAM role for Cognito token. Will you be able to merge multiple backend roles into one role? Is this an option? This will have the benefit of grouping users with similar needs; you have fewer Cognito groups and IAM roles to manage.
AWS WWCS Geo Solutions Architecture
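
To see whether a given login will run into the one-role-per-token mapping described in the reply above, the token's role claims can be inspected before it reaches Kibana. This is an added example, not code from the original posts or from AWS; the group names, role ARNs and account id are constructed, and the token is built unsigned so the check runs offline.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def cognito_role_report(id_token: str) -> dict:
    """Decode the payload of a Cognito ID token and summarise its role claims.

    No signature check is done: this inspects a token you already hold to
    explain a failed login; it is not an authentication step.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    roles = claims.get("cognito:roles", [])
    if isinstance(roles, str):  # tolerate a single role emitted as a string
        roles = [roles]
    return {
        "groups": claims.get("cognito:groups", []),
        "roles": roles,
        # Per the reply above, only one IAM role per token is mapped.
        "maps_to_single_role": len(set(roles)) == 1,
    }


# Constructed sample claims; account id, group and role names are made up.
ONE_GROUP = make_unsigned_token({
    "cognito:groups": ["logs-readers"],
    "cognito:roles": ["arn:aws:iam::123456789012:role/kibana-logs-reader"],
})
TWO_GROUPS = make_unsigned_token({
    "cognito:groups": ["logs-readers", "metrics-readers"],
    "cognito:roles": ["arn:aws:iam::123456789012:role/kibana-logs-reader",
                      "arn:aws:iam::123456789012:role/kibana-metrics-reader"],
})

if __name__ == "__main__":
    for name, token in (("one group", ONE_GROUP), ("two groups", TWO_GROUPS)):
        print(name, cognito_role_report(token))
```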

Related

Amplify authorization rule based on attribute value

I have a user, community and post type where a community can have multiple users and posts. The post has an attribute called "visibility"; if the visibility value is "private", only the users of that community can see the posts. If the visibility is "public", every user can see the post. Is it possible to accomplish this using Amplify and Cognito? How?
Cognito has groups. You can create groups and add users into these groups. When your user authenticates they get a token, and the claims on that token can be used to confirm which groups they belong to.
Cognito Groups are really useful for controlling access to things like admin APIs with an 'admin' group. However, if you're creating lots of groups or adding users in and out regularly, I would recommend implementing an application-level feature (i.e. manage this in your database).
Cognito isn't as scalable as your application persistence is likely to be. It can be a bit slow and it doesn't come with nice features for managing your groups.
So yes, it's possible to manage in Cognito, but I would recommend doing it with a database of some sort.

how to do authentication and authorization for the users for the specific regions in azure AD?

.NET Core application. I am trying to implement authentication and authorization. I have users, and they are split into multiple regions. For example, I have the regions below.
GE GSAS
- user1
- user2
APAC
- user3
- user4
SE&A
- user5
- user6
These users have different permissions or roles, for example RegionalAdmin, GlobalAdmin, Users, etc.
These users will be creating some orders in the portal. For example, a regional head can reassign orders only to other users within that region. A global head can reassign orders to anyone. Users can create, view and delete orders, and users cannot reassign orders. All these users are part of an Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking about the design strategy like this: I can create groups per region and add users to groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin, GlobalAdmin, etc., and these users have some extra functionality allowed in web/API permissions. Can someone help me with this and with how to organize groups or roles for the above scenario? Any help would be greatly appreciated. Thank you
Assuming the regional admin you mentioned is a custom role in your application (as there is no such role in AAD), it is always better to use administrative units, and a suggested approach would be to create separate groups for regional admin and global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups, and roles can be assigned to individual users or groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for the detailed documentation on how to create/manage roles for an application in Azure AD.

Vault OIDC with google, how to restrict roles to specific groups

I installed a Vault and configured OIDC with G Suite; that was already an adventure in itself, as the documentation is limited and even wrong in more than one place.
Finally I have a working authentication with my Google accounts and I began to create roles, and there I saw a huge issue. How do you restrict Google users from using a role? Let's say I create a gsuite-admin role that has access to all of Vault administration; any user entering the role before login can assume it.
I tried to use the different claims, but those seem to be only for Vault-created groups or other things.
Does anyone have a solution for that?
Thank you in advance.
EDIT:
The configuration I'm using with group claims:
{
  "allowed_redirect_uris": "https://URL/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
  "user_claim": "sub",
  "policies": "vault_admin",
  "ttl": "24h",
  "groups_claim": "devops",
  "oidc_scopes": "profile",
  "bound_claims": {
    "group": ["devops"]
  }
}
That configuration only provides a lock of the role that can't be used anymore by anyone. From what I could see the JWT doesn't have any information, and that is why we used the config with the fetchgroup option in the OIDC configuration.
I found a solution for this problem. Firstly, we need to ensure that a user is part of a G Suite group. Then mapping the G Suite group with Vault group (that has a policy assigned) ensures that the user is bound to the Vault policy.
This article contains some example steps and might be helpful.

Authentication of API Gateway methods using Cognito?

I have created an API in API Gateway named "Test" which has 2 methods: add and delete.
Criteria:
Create 2 users in Cognito with 1st user having access to both methods and 2nd user having access to only “add”.
Can anyone help me with this? Thanks in advance.
Check out the using Groups with API Gateway docs:
You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app. Using the IAM role associated with a group, you can also set different permissions for those different groups so that only contributors can put content into Amazon S3 and only editors can publish content through an API in Amazon API Gateway.
You should be able to set permissions on the groups such that one has access to both API endpoints and the other just to the one.

Resource based authorization with Azure AD?

Here is the scenario, I have a service containing many records. My service also has many users, each with the ability to create, read, update and delete records. The ability to perform these operations on each record must be controlled at the record level.
For example, user A can only read and update record 1 but user B can read, update and delete records 1, 2 and 3 and user C can perform all operations on all records.
How, if at all, can this be done using Azure AD?
Obviously, using application roles is not sufficient because that gives the user uniform access rights to all records.
The tenant is also not useful because it's the same for all users (in this example).
I definitely do not want to define access rights for every record individually, I would like to do something like assigning roles to a user group and then somehow assign records to the group.
Is there a standard way to deal with this type of resource based authorization?
As you correctly mention, role-based access or authorization is very generic, and using that, a user with a specific role gets access (or gets denied access) to all resources. (If your scenario permits, you could make it a little better by dividing your resources into a few types and giving access for 1 or more types of resources to 1 or more roles.)
When trying to control access for each record individually, you will need to implement custom logic for resource based authorization. Typically applications utilize a mix of role-based and resource-based authorization driven by their requirements.
In the end it will boil down to a mapping that you need to maintain between 3 things:
- Resource (or a collection of resources)
- Azure AD object (like role, group, individual user that is being given permission)
- Permission that you're giving (understood and enforced by your application, e.g. Blogs.Create permission for a Blogs application)
Relevant Documentation available on Microsoft Docs
Role-based and resource-based authorization
This documentation talks about similar concepts and shows a good example which makes use of both role based and resource based. CRUD operations on resources based on roles and then special privileges on specific resource for the owner of that resource (i.e. resource based)
Code Samples
Multi-tenant Survey Application Code
Code base for the documentation link above
Authorization in a web app using Azure AD groups & group claims
This one provides a sample task tracker application where users can share tasks with other users or Azure AD groups. Again you will see a mapping between resources (i.e. tasks in this case) and Azure AD objects (i.e. Users or Groups) is being maintained in sample database.
Assigning Application Roles for groups
Since you mentioned this as part of your question, just letting you know that this is possible from Azure Portal but only if you have Azure AD Premium license (I'm not sure which specific ones support it, but search on Group based assignments feature and you'll find it.)
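
The three-way mapping described in the answer above (resource, Azure AD object, permission), applied to the question's users A, B and C, as an added example that is not part of the original answer or of Microsoft's samples. The object ids, group names and record ids are constructed, and the token is assumed to be already validated and to carry `oid` and `groups` claims.

```python
from dataclasses import dataclass

ALL_RECORDS = "*"  # wildcard resource: the grant covers every record


@dataclass(frozen=True)
class Grant:
    principal: str          # Azure AD object id of a user or a group
    resource: str           # record id, or ALL_RECORDS
    permissions: frozenset  # operations the application enforces


# Constructed grant table; in a real service this lives in the app database.
CRUD = frozenset({"create", "read", "update", "delete"})
GRANTS = [
    Grant("oid-user-a", "1", frozenset({"read", "update"})),
    # Records are assigned to a group once; user B gets access via membership.
    Grant("gid-editors", "1", frozenset({"read", "update", "delete"})),
    Grant("gid-editors", "2", frozenset({"read", "update", "delete"})),
    Grant("gid-editors", "3", frozenset({"read", "update", "delete"})),
    Grant("gid-record-admins", ALL_RECORDS, CRUD),
]


def principals(claims: dict) -> set:
    """Every Azure AD object the token speaks for: the user plus their groups."""
    return {claims["oid"], *claims.get("groups", [])}


def is_allowed(claims: dict, record_id: str, permission: str,
               grants=GRANTS) -> bool:
    """Deny by default; allow only if some grant matches all three parts."""
    who = principals(claims)
    return any(
        g.principal in who
        and g.resource in (record_id, ALL_RECORDS)
        and permission in g.permissions
        for g in grants
    )


# Constructed claims for the three users in the question.
USER_A = {"oid": "oid-user-a", "groups": []}
USER_B = {"oid": "oid-user-b", "groups": ["gid-editors"]}
USER_C = {"oid": "oid-user-c", "groups": ["gid-record-admins"]}

if __name__ == "__main__":
    for name, user in (("A", USER_A), ("B", USER_B), ("C", USER_C)):
        print(name, {r: is_allowed(user, r, "delete") for r in ("1", "2", "4")})
```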