Version: SG FLX
Enterprise

Roles mapping API

Used to receive, create, update and delete the mapping of users, backendroles and hosts to Search Guard roles.

Endpoint

/_searchguard/api/rolesmapping/{rolename}

Where rolename is the name of the role.

GET

Get a single role mapping

GET /_searchguard/api/rolesmapping/{rolename}

Retrieve a role mapping, specified by rolename, in JSON format.

GET /_searchguard/api/rolesmapping/sg_role_starfleet
{
  "sg_role_starfleet" : {
    "description": "...",
    "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
    "hosts" : [ "*.starfleetintranet.com" ],
    "users" : [ "worf" ]
  }
}

Get all role mappings

GET /_searchguard/api/rolesmapping

Returns all role mappings in JSON format.

DELETE

DELETE /_searchguard/api/rolesmapping/{rolename}

Deletes the rolemapping specified by rolename. If successful, the call returns with status code 200 and a JSON success message.

DELETE /_searchguard/api/rolesmapping/sg_role_starfleet
{
  "status":"OK",
  "message":"rolesmapping sg_role_starfleet deleted."
}

PUT

PUT /_searchguard/api/rolesmapping/{rolename}

Replaces or creates the role mapping specified by rolename.

PUT /_searchguard/api/rolesmapping/sg_role_starfleet
{
  "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
  "hosts" : [ "*.starfleetintranet.com" ],
  "users" : [ "worf" ]
}

You need to specify at least one of backend_roles, hosts or users.

If the call is succesful, a JSON structure is returned, indicating whether the roles mapping was created or updated.

{
  "status":"OK",
  "message":"rolesmapping sg_role_starfleet created."
}

PATCH

The PATCH endpoint can be used to change individual attributes of a roles mapping, or to create, change and delete roles mappings in a bulk call. The PATCH endpoint expects a payload in JSON Patch format. Search Guard supports the complete JSON patch specification.

JSON patch specification: http://jsonpatch.com/

The PATCH endpoint is only available for Elasticsearch 6.4.0 and above.

Patch a roles mapping

PATCH /_searchguard/api/rolesmapping/{rolename}

Adds, deletes or changes one or more attributes of a user specified by rolename.

PATCH /_searchguard/api/rolesmapping/sg_human_resources
[ 
  { 
    "op": "replace", "path": "/users", "value": ["myuser"] 
  },
  { 
    "op": "replace", "path": "/backend_roles", "value": ["mybackendrole"] 
  }
]

Bulk add, delete and change roles mappings

PATCH /_searchguard/api/rolesmapping
[ 
  { 
    "op": "add", "path": "/sg_human_resources", "value": { "users": ["user1"], "backend_roles": ["backendrole2"] } 
  },
  { 
    "op": "add", "path": "/sg_finance", "value": { "users": ["user2"], "backend_roles": ["backendrole2"] } 
  },
  { 
    "op": "remove", "path": "/sg_management"
  }
]

Modifying an existing object or array

To append or remove items in an existing array according to the JSON patch format, you need to address the index or property name.

PATCH /_searchguard/api/rolesmapping/sg_human_resources
[
  {
    "op": "add", "path": "/users/0", "value": "user1"
  },
  {
    "op": "add", "path": "/users/-", "value": "user2"
  }
]

The operation inserts the value into an array. The value is inserted before the given index. The - character can be used instead of an index to insert at the end of an array.

PATCH /_searchguard/api/rolesmapping/sg_human_resources
[
  { 
    "op": "remove", "path": "/users/0"
  }
]

The operation removes the element 0 of the array (or just removes the "0" key if users is an object)

For more examples, please refer to JSON patch format.



Not what you were looking for? Try the search.