Add OpenID users to Open Distro Kibana

Question

I've configured opendistro_security for OpenID. When I attempt to authenticate a user, it fails. Presumably because that user has no permissions. How do I give permissions an openid user? I can't seem to find an obvious way to do so with the internal_user.yml.

Answer 1

I Solved it. For posterity, here's what needed to do in addition to the openis settings in the Kibana.yml File.

1: In the config.yml file on each of my Elasticsearch nodes I needed to add the following:

authc:
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: email
        roles_key: roles
        openid_connect_url: https://accounts.google.com/.well-known/openid-configuration
    authentication_backend:
      type: noop

Since I'm using google as my identity provider I needed to make sure my subject_key was "email"

2: Needed to run security config script on each node:

docker exec -it elasticsearch-node1 /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/kirk.pem -key /usr/share/elasticsearch/config/kirk-key.pem -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -icl && docker exec -it elasticsearch-node2 /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/kirk.pem -key /usr/share/elasticsearch/config/kirk-key.pem -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -icl

3: I needed to configure the usersthat I want to have access admin access to a role:

all_access:
  reserved: false
  backend_roles:
  - "admin"
  users:
  - "name@email.com"
  description: "Maps an openid user to all_access"

Now I can assign other users from Kibana