[英]Integrate roles with Open Distro and Keycloak
我正在尝试将 Keycloak 与 ES Open Distro 集成。
我设法获取了具有适当角色的令牌,但似乎 Open Distro 没有找到给定的角色并且它返回 forbidden for given indexes
我已经配置
config:
dynamic:
....
authc:
openid_auth_domain:
description: "Authenticate via Keycloak"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
pemtrustedcas_filepath: {omitted}
enable_ssl: true
verify_hostnames: false
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://keycloak:8000/auth/realms/{omitted}/.well-known/openid-configuration
jwks_uri: https://keycloak:8000/auth/realms/{ommited}/protocol/openid-connect/certs
authentication_backend:
type: noop
角色.yaml
my_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:monitor/main"
- "indices:data/write/index"
- "indices:data/write/bulk"
- "indices:data/read/mget"
- "indices:data/read/search"
- "indices:data/read/search*"
index_permissions:
- index_patterns:
- "*my-index*"
- "indices:data/read/mget"
allowed_actions:
- "*"
static: false
代币
omitted
"roles": "my_role"
通过配置,我可以访问在日志中返回的 ES:
elasticsearch_1 | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No index-level perm match for User [name=developer, roles=[my_role], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked []]
elasticsearch_1 | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No permissions for [indices:data/read/search]
elasticsearch_1 | [2021-08-16T11:41:48,123][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] PrivEvalResponse [allowed=false, missingPrivileges=[indices:data/read/search], allowedFlsFields=null, maskedFields=null, queries=null]
elasticsearch_1 | [2021-08-16T11:41:48,124][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] no permissions for [indices:data/read/search]
elasticsearch_1 | [2021-08-16T11:41:48,125][DEBUG][r.suppressed ] [elasticsearch] path: /_search, params: {}
elasticsearch_1 | org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=developer, roles=[my_role], requestedTenant=null]
我看到[RolesChecked []]是空的。 为什么它找不到已经创建的任何角色(我已经检查过 API 并且所有角色都已正确添加 + 内部用户正在正确使用给定的角色)。
任何帮助,将不胜感激。
经过测试我发现正确的配置应该是: roles.yaml
my_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:monitor/main"
- "indices:data/write/index"
- "indices:data/write/bulk"
- "indices:data/read/mget"
- "indices:data/read/search"
- "indices:data/read/search*"
index_permissions:
- index_patterns:
- "*my-index*"
- "indices:data/read/mget"
allowed_actions:
- "*"
static: false
roles_mapping.yaml
my_role: # This has to be the exactly the same name as my_role in roles.yaml
reserved: false
backend_roles:
- "read_messages" # This value is a value that should be placed in token roles: read_messages
description: "Allow access for anyone who has role read_messages assigned in token roles"
我意识到backend_roles基本上是必须在令牌中设置的角色。 roles_mapping.yaml的键名必须与 roles.yaml 中的角色名称完全相同。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.