[英]Integrate roles with Open Distro and Keycloak
我正在嘗試將 Keycloak 與 ES Open Distro 集成。
我設法獲取了具有適當角色的令牌,但似乎 Open Distro 沒有找到給定的角色並且它返回 forbidden for given indexes
我已經配置
config:
dynamic:
....
authc:
openid_auth_domain:
description: "Authenticate via Keycloak"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
pemtrustedcas_filepath: {omitted}
enable_ssl: true
verify_hostnames: false
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://keycloak:8000/auth/realms/{omitted}/.well-known/openid-configuration
jwks_uri: https://keycloak:8000/auth/realms/{ommited}/protocol/openid-connect/certs
authentication_backend:
type: noop
角色.yaml
my_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:monitor/main"
- "indices:data/write/index"
- "indices:data/write/bulk"
- "indices:data/read/mget"
- "indices:data/read/search"
- "indices:data/read/search*"
index_permissions:
- index_patterns:
- "*my-index*"
- "indices:data/read/mget"
allowed_actions:
- "*"
static: false
代幣
omitted
"roles": "my_role"
通過配置,我可以訪問在日志中返回的 ES:
elasticsearch_1 | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No index-level perm match for User [name=developer, roles=[my_role], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked []]
elasticsearch_1 | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No permissions for [indices:data/read/search]
elasticsearch_1 | [2021-08-16T11:41:48,123][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] PrivEvalResponse [allowed=false, missingPrivileges=[indices:data/read/search], allowedFlsFields=null, maskedFields=null, queries=null]
elasticsearch_1 | [2021-08-16T11:41:48,124][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] no permissions for [indices:data/read/search]
elasticsearch_1 | [2021-08-16T11:41:48,125][DEBUG][r.suppressed ] [elasticsearch] path: /_search, params: {}
elasticsearch_1 | org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=developer, roles=[my_role], requestedTenant=null]
我看到[RolesChecked []]是空的。 為什么它找不到已經創建的任何角色(我已經檢查過 API 並且所有角色都已正確添加 + 內部用戶正在正確使用給定的角色)。
任何幫助,將不勝感激。
經過測試我發現正確的配置應該是: roles.yaml
my_role:
reserved: false
hidden: false
cluster_permissions:
- "cluster:monitor/main"
- "indices:data/write/index"
- "indices:data/write/bulk"
- "indices:data/read/mget"
- "indices:data/read/search"
- "indices:data/read/search*"
index_permissions:
- index_patterns:
- "*my-index*"
- "indices:data/read/mget"
allowed_actions:
- "*"
static: false
roles_mapping.yaml
my_role: # This has to be the exactly the same name as my_role in roles.yaml
reserved: false
backend_roles:
- "read_messages" # This value is a value that should be placed in token roles: read_messages
description: "Allow access for anyone who has role read_messages assigned in token roles"
我意識到backend_roles基本上是必須在令牌中設置的角色。 roles_mapping.yaml的鍵名必須與 roles.yaml 中的角色名稱完全相同。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.