将角色与 Open Distro 和 Keycloak 集成

Question

我正在尝试将 Keycloak 与 ES Open Distro 集成。

我设法获取了具有适当角色的令牌，但似乎 Open Distro 没有找到给定的角色并且它返回 forbidden for given indexes

我已经配置

config:
  dynamic:
   ....
    authc:
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            pemtrustedcas_filepath: {omitted}
            enable_ssl: true
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak:8000/auth/realms/{omitted}/.well-known/openid-configuration
            jwks_uri: https://keycloak:8000/auth/realms/{ommited}/protocol/openid-connect/certs
        authentication_backend:
          type: noop

如https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/openid-connect/#configure-openid-connect-integration

角色.yaml

my_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:monitor/main"
  - "indices:data/write/index"
  - "indices:data/write/bulk"
  - "indices:data/read/mget"
  - "indices:data/read/search"
  - "indices:data/read/search*"
  index_permissions:
  - index_patterns:
    - "*my-index*"
    - "indices:data/read/mget"
    allowed_actions:
    - "*"
  static: false

代币

omitted
"roles": "my_role"

通过配置，我可以访问在日志中返回的 ES：

elasticsearch_1  | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No index-level perm match for User [name=developer, roles=[my_role], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked []]
elasticsearch_1  | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No permissions for [indices:data/read/search]
elasticsearch_1  | [2021-08-16T11:41:48,123][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] PrivEvalResponse [allowed=false, missingPrivileges=[indices:data/read/search], allowedFlsFields=null, maskedFields=null, queries=null]
elasticsearch_1  | [2021-08-16T11:41:48,124][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] no permissions for [indices:data/read/search]
elasticsearch_1  | [2021-08-16T11:41:48,125][DEBUG][r.suppressed             ] [elasticsearch] path: /_search, params: {}
elasticsearch_1  | org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=developer, roles=[my_role], requestedTenant=null]

我看到[RolesChecked []]是空的。 为什么它找不到已经创建的任何角色（我已经检查过 API 并且所有角色都已正确添加 + 内部用户正在正确使用给定的角色）。

任何帮助，将不胜感激。

Answer 1

经过测试我发现正确的配置应该是： roles.yaml

my_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:monitor/main"
  - "indices:data/write/index"
  - "indices:data/write/bulk"
  - "indices:data/read/mget"
  - "indices:data/read/search"
  - "indices:data/read/search*"
  index_permissions:
  - index_patterns:
    - "*my-index*"
    - "indices:data/read/mget"
    allowed_actions:
    - "*"
  static: false

roles_mapping.yaml

my_role: # This has to be the exactly the same name as my_role in roles.yaml
  reserved: false
  backend_roles:
  - "read_messages" # This value is a value that should be placed in token roles: read_messages
  description: "Allow access for anyone who has role read_messages assigned in token roles"

我意识到backend_roles基本上是必须在令牌中设置的角色。 roles_mapping.yaml的键名必须与 roles.yaml 中的角色名称完全相同。