How do I find out which roles I have been assigned, having authenticated to an Elasticsearch cluster via OIDC SSO?
Roles have been assigned to me in AzureAD (to which I do not have access) and then I have logged in to Elastic using oidc/AzureAD.
Having logged in, I wish to know which roles of those listed at /app/management/security/roles were actually granted to me, by Azure claims, via one of the role mappings which I can see listed at /app/management/security/role_mappings
I can view which privileges I have via Kibana dev tools GET _security/user/_privileges but this doesn't tell me which roles they came from. The Get User API GET /_security/user doesn't help as it only includes native/builtin users, not SSO users.
Eventually I figured out that you can discover this for the current user by calling the Authenticate API from Kibana dev tools (/app/dev_tools), e.g.:
GET /_security/_authenticate
returns something like this, crucially with the roles list:
{
  "username": "seemingly_random_number",
  "roles": [
    "editor",
    "viewer",
    "superuser"
  ],
  "full_name": "my.azure.upn@company.com",
  "email": "my.azure.upn@company.com",
  "metadata": {
    "saml_...": ...
  },
  ...
}
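To go one step further and see which role mapping produced each role, the Authenticate response can be checked offline against the output of GET /_security/role_mapping. This is an added example, not part of the original answer: it assumes you are allowed to read the role mappings, that you pass in your group values yourself, and all realm, group and mapping names in the sample data are hypothetical.

```python
import re

def _wild(pattern, value):
    # Elasticsearch-style wildcard: * = any run of characters, ? = exactly one
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def matches(rule, fields):
    """Evaluate a rule node (field/any/all/except); no /regex/ or DN handling."""
    if "any" in rule:
        return any(matches(r, fields) for r in rule["any"])
    if "all" in rule:
        return all(matches(r, fields) for r in rule["all"])
    if "except" in rule:
        return not matches(rule["except"], fields)
    (name, expected), = rule["field"].items()
    return any(_wild(w, h) if isinstance(w, str) and isinstance(h, str) else w == h
               for w in _as_list(expected) for h in _as_list(fields.get(name)))

def explain_roles(auth, mappings, groups=()):
    """Return {role: [enabled mappings that grant it]} for one _authenticate response."""
    fields = {"username": auth["username"], "groups": list(groups),
              "realm.name": auth.get("authentication_realm", {}).get("name")}
    fields.update({"metadata." + k: v for k, v in auth.get("metadata", {}).items()})
    granted = {role: [] for role in auth["roles"]}
    for name, m in mappings.items():
        if m.get("enabled", True) and matches(m["rules"], fields):
            for role in m.get("roles", []):  # role_templates are not evaluated here
                granted.setdefault(role, []).append(name)
    return granted

# Constructed sample data (hypothetical realm, group and mapping names).
AUTH = {"username": "1234567890", "roles": ["editor", "viewer"],
        "authentication_realm": {"name": "oidc1", "type": "oidc"}, "metadata": {}}
MAPPINGS = {  # shape of GET /_security/role_mapping
    "azure-editors": {"enabled": True, "roles": ["editor"], "rules": {"all": [
        {"field": {"realm.name": "oidc1"}}, {"field": {"groups": "grp-elastic-edit*"}}]}},
    "azure-everyone": {"enabled": True, "roles": ["viewer"],
                       "rules": {"field": {"realm.name": "oidc*"}}},
    "azure-admins": {"enabled": True, "roles": ["superuser"],
                     "rules": {"field": {"groups": ["grp-elastic-admin"]}}},
}

if __name__ == "__main__":
    for role, names in explain_roles(AUTH, MAPPINGS, ["grp-elastic-editors"]).items():
        print(role, "<-", names or "no matching mapping found")
```

A role that comes back with an empty list is one that none of the evaluated mappings explains, which is worth following up with whoever manages the mappings.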