[Question title]: Integrate roles with Open Distro and Keycloak
[Posted]: 2021-08-16 13:42:21
[Question description]:

I am trying to integrate Keycloak with ES Open Distro.

I managed to obtain a token with the proper roles, but Open Distro does not seem to find the given role, and it returns forbidden for the given index.

I have configured:

config:
  dynamic:
   ....
    authc:
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            pemtrustedcas_filepath: {omitted}
            enable_ssl: true
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak:8000/auth/realms/{omitted}/.well-known/openid-configuration
            jwks_uri: https://keycloak:8000/auth/realms/{omitted}/protocol/openid-connect/certs
        authentication_backend:
          type: noop

https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/openid-connect/#configure-openid-connect-integration

roles.yaml

my_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:monitor/main"
  - "indices:data/write/index"
  - "indices:data/write/bulk"
  - "indices:data/read/mget"
  - "indices:data/read/search"
  - "indices:data/read/search*"
  index_permissions:
  - index_patterns:
    - "*my-index*"
    - "indices:data/read/mget"
    allowed_actions:
    - "*"
  static: false

Token

omitted
"roles": "my_role"

With this configuration I can reach ES, which returns the following in the logs:

elasticsearch_1  | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No index-level perm match for User [name=developer, roles=[my_role], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked []]
elasticsearch_1  | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No permissions for [indices:data/read/search]
elasticsearch_1  | [2021-08-16T11:41:48,123][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] PrivEvalResponse [allowed=false, missingPrivileges=[indices:data/read/search], allowedFlsFields=null, maskedFields=null, queries=null]
elasticsearch_1  | [2021-08-16T11:41:48,124][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] no permissions for [indices:data/read/search]
elasticsearch_1  | [2021-08-16T11:41:48,125][DEBUG][r.suppressed             ] [elasticsearch] path: /_search, params: {}
elasticsearch_1  | org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=developer, roles=[my_role], requestedTenant=null]

I see that [RolesChecked []] is empty. Why does it not find any of the roles that have already been created (I have checked via the API and all roles are added correctly, and internal users are using the given role correctly)?

Any help would be appreciated.

[Question discussion]:

    Tags: elasticsearch keycloak elasticsearch-opendistro


    [Solution 1]:

    After testing, I found that the correct configuration should be: roles.yaml

    my_role:
      reserved: false
      hidden: false
      cluster_permissions:
      - "cluster:monitor/main"
      - "indices:data/write/index"
      - "indices:data/write/bulk"
      - "indices:data/read/mget"
      - "indices:data/read/search"
      - "indices:data/read/search*"
      index_permissions:
      - index_patterns:
        - "*my-index*"
        - "indices:data/read/mget"
        allowed_actions:
        - "*"
      static: false
    

    roles_mapping.yaml

    my_role: # This has to be exactly the same name as my_role in roles.yaml
      reserved: false
      backend_roles:
      - "read_messages" # This value must appear in the token's roles claim, e.g. roles: read_messages
      description: "Allow access for anyone who has role read_messages assigned in token roles"
    

    I realized that backend_roles are basically the roles that must be set in the token. Also, the key name in roles_mapping.yaml must be exactly the same as the role name in roles.yaml.

    [Discussion]:
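The following is an added example, not code from the question, the answer, or the Open Distro project. It models the two steps the question and answer are about: the OpenID authenticator reads the claim named by roles_key from the token and treats its values as backend roles, and roles_mapping.yaml is what turns a backend role into a security role from roles.yaml; only security roles carry index permissions. The token is constructed and unsigned (signature verification against jwks_uri is out of scope here), the helper names are my own, and the matching rules (exact, case-sensitive role names; roles_key as a list or a comma-separated string) are assumptions that reflect the plugin's documented behaviour, not its code.

```python
"""Model of Open Distro's token -> backend roles -> security roles -> permission path.
Constructed example; helper names are not the security plugin's API."""
import base64
import json
from fnmatch import fnmatchcase

# Values taken from the question's config.yml
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"

# roles.yaml from the question; only index_permissions matter for a search
ROLES = {
    "my_role": {
        "index_permissions": [
            {"index_patterns": ["*my-index*"], "allowed_actions": ["*"]},
        ],
    },
}

# roles_mapping.yaml: absent in the question, present in the answer.
# The key must equal the roles.yaml role name; backend_roles are token values.
ROLES_MAPPING_MISSING = {}
ROLES_MAPPING_FIXED = {"my_role": {"backend_roles": ["read_messages"]}}


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JSON segment (JWT style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(roles_claim):
    """Build an unsigned header.payload.signature string for the demo (constructed).
    A real token is verified against jwks_uri before any claim is trusted."""
    header = b64url_json({"alg": "RS256", "typ": "JWT"})
    payload = b64url_json({SUBJECT_KEY: "developer", ROLES_KEY: roles_claim})
    return f"{header}.{payload}.signature-omitted"


def decode_claims(token):
    """Decode the payload segment; padding is restored before base64 decoding."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def backend_roles_from_claims(claims):
    """roles_key may hold a list or a comma-separated string (assumption:
    both forms accepted). Values are used verbatim, so matching is case-sensitive."""
    value = claims.get(ROLES_KEY, [])
    if isinstance(value, str):
        value = [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def resolve_security_roles(backend_roles, roles_mapping):
    """Map backend roles (from the token) to security roles (roles.yaml keys).
    A backend role named in no mapping grants nothing; that is what produced
    'RolesChecked []' in the question's log even though the token said my_role."""
    return sorted(
        role for role, mapping in roles_mapping.items()
        if set(mapping.get("backend_roles", [])) & set(backend_roles)
    )


def is_allowed(security_roles, index, action):
    """Index-level check: some role must match both the index and the action."""
    for role in security_roles:
        for perm in ROLES.get(role, {}).get("index_permissions", []):
            index_ok = any(fnmatchcase(index, p) for p in perm["index_patterns"])
            action_ok = any(fnmatchcase(action, a) for a in perm["allowed_actions"])
            if index_ok and action_ok:
                return True
    return False


def evaluate(token, roles_mapping, index="app-my-index-2021",
             action="indices:data/read/search"):
    """Return the same fields the PrivilegesEvaluator log line reports."""
    claims = decode_claims(token)
    backend = backend_roles_from_claims(claims)
    security = resolve_security_roles(backend, roles_mapping)
    return {
        "user": claims.get(SUBJECT_KEY),
        "backend_roles": backend,
        "roles_checked": security,
        "allowed": is_allowed(security, index, action),
    }


if __name__ == "__main__":
    # Question's situation: token names the security role, but no mapping exists
    print(evaluate(constructed_token("my_role"), ROLES_MAPPING_MISSING))
    # Answer's situation: token carries the backend role listed in roles_mapping.yaml
    print(evaluate(constructed_token("read_messages"), ROLES_MAPPING_FIXED))
```

The first call reproduces the log in the question: the user is authenticated as developer with backend role my_role, but roles_checked is empty and the search is denied. The second call shows that once roles_mapping.yaml links the token value to the roles.yaml key, the role is resolved and the index pattern grants the search; a token with a differently cased value or a search against an index outside *my-index* is still refused.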
