opensearch-k8s-operator
[BUG] Keycloak with opensearch is not working
What is the bug?
Keycloak with opensearch is not working.
How can one reproduce the bug?
Hi all, we have deployed the configuration file below:
```yaml
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-cluster1
  namespace: opensearch
spec:
  initHelper:
    image: "public.ecr.aws/opsterio/busybox"
  security:
    config:
      adminCredentialsSecret:
        name: a-admin-credentials-secret
      securityConfigSecret:
        name: a-securityconfig-secret
    tls:
      transport:
        generate: true
      http:
        generate: true
  general:
    serviceName: my-cluster1
    version: "2.8.0"
    pluginsList: ["repository-s3"]
    drainDataNodes: true
    setVMMaxMapCount: true
    imagePullPolicy: IfNotPresent
    additionalVolumes:
      - name: openid-certs
        path: /usr/share/opensearch/config/certs/
        configMap:
          name: openid-certs
        restartPods: true
    #additionalConfig:
    #  plugins.security.allow_default_init_securityindex: "true"
    #  plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/openid-certs
  dashboards:
    additionalConfig:
      logging.verbose: "true"
      opensearch_security.auth.type: '["basicauth","openid"]'
      opensearch_security.auth.multiple_auth_enabled: "True"
      opensearch_security.openid.connect_url: https://efktest.com/auth/realms/os/.well-known/openid-configuration
      opensearch_security.openid.base_redirect_url: https://osdashs.dev26.tatacommunications.com/
      opensearch_security.openid.client_id: grafana
      opensearch_security.openid.client_secret: 4zQdkx7ZSvHxpuiw4SCNTLibmGPElHhr
      opensearch_security.openid.scope: openid profile email
      opensearch_security.openid.header: Authorization
      opensearch_security.openid.trust_dynamic_headers: "true"
      opensearch.optimizedHealthcheckId: "my-cluster1"
      opensearch_security.openid.verify_hostnames: "false"
      opensearch.ssl.verificationMode: none
      opensearch_security.cookie.secure: "false"
      # Same key as opensearch_security.auth.type above; YAML parsers generally keep
      # this later value, so only openid applies and the basicauth entry is dropped.
      opensearch_security.auth.type: "openid"
      opensearch.requestHeadersWhitelist: |
        ["securitytenant","Authorization","security_tenant"]
      opensearch_security.readonly_mode.roles: '[ "kibana_user", "readall" ]'
    imagePullPolicy: IfNotPresent
    opensearchCredentialsSecret:
      name: a-admin-credentials-secret
    enable: true
    tls:
      enable: true
      generate: true
    version: "2.8.0"
    replicas: 1
    resources:
      requests:
        memory: "512Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      diskSize: "5Gi"
      jvm: "-Dopensearch.allow_insecure_settings=true"
      resources:
        requests:
          memory: "2Gi"
          cpu: "500m"
        limits:
          memory: "3Gi"
          cpu: "1000m"
      roles:
        - "data"
        - "master"
        - "ingest"
      persistence:
        pvc:
          storageClass: efk
          accessModes: # You can change the accessMode
            - ReadWriteOnce
```
Following is the security config.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: a-securityconfig-secret
  namespace: opensearch
type: Opaque
stringData:
  internal_users.yml: |-
    _meta:
      type: "internalusers"
      config_version: 2
    admin:
      hash: "$2a$12$JyfMv0Rsd9W0wjZWQGFi5udp7MPoNiacQ0b3Zzoh7rq219QU4fCLu"
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
    anomalyadmin:
      hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
      reserved: false
      opendistro_security_roles:
      - "anomaly_full_access"
      description: "Demo anomaly admin user, using internal role"
    kibanaserver:
      hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
      reserved: true
      description: "Demo OpenSearch Dashboards user"
    kibanaro:
      hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
      reserved: false
      backend_roles:
      - "kibanauser"
      - "readall"
      attributes:
        attribute1: "value1"
        attribute2: "value2"
        attribute3: "value3"
      description: "Demo OpenSearch Dashboards read only user, using external role mapping"
    logstash:
      hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
      reserved: false
      backend_roles:
      - "logstash"
      description: "Demo logstash user, using external role mapping"
    readall:
      hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
      reserved: false
      backend_roles:
      - "readall"
      description: "Demo readall user, using external role mapping"
    snapshotrestore:
      hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
      reserved: false
      backend_roles:
      - "snapshotrestore"
      description: "Demo snapshotrestore user, using external role mapping"
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        authz: {}
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                openid_connect_idp:
                  enable_ssl: true
                  verify_hostnames: false
                  pemtrustedcas_filepath: /usr/share/opensearch/config/certs/openid-certs
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: "https://efktest.com/auth/realms/os/.well-known/openid-configuration"
            authentication_backend:
              type: noop
  roles_mapping.yml: |-
    _meta:
      type: "rolesmapping"
      config_version: 2
    # Define your roles mapping here
    ## Demo roles mapping
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      # Any token whose roles claim contains the literal value "roles" is mapped to all_access.
      - "roles"
      description: "Maps admin to all_access"
    own_index:
      reserved: false
      users:
      - "*"
      description: "Allow full access to an index named like the username"
    logstash:
      reserved: false
      backend_roles:
      - "logstash"
    kibana_user:
      reserved: false
      backend_roles:
      - "kibanauser"
      description: "Maps kibanauser to kibana_user"
    readall:
      reserved: false
      backend_roles:
      - "readall"
    manage_snapshots:
      reserved: false
      backend_roles:
      - "snapshotrestore"
    kibana_server:
      reserved: true
      users:
      - "kibanaserver"
```
We have configured the Keycloak configuration correctly. Also, the session ID is provided to OpenSearch from Keycloak. But we are getting the authorization error.
What is the expected behavior?
OpenSearch should log in with Keycloak.
What is your host/environment?
Operating system, version.
Do you have any screenshots?
If applicable, add screenshots to help explain your problem.
Do you have any additional context?
Add any other context about the problem.
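How the `openid_auth_domain` settings (`subject_key: preferred_username`, `roles_key: roles`) and the `roles_mapping.yml` in the report resolve OpenSearch roles for a decoded Keycloak token, as an added example that is not part of the issue or of the operator's code. `extract_identity`, `resolve_roles`, `roles_for_token` and the token payloads are constructed for illustration; `users` wildcard matching is reduced to the literal `*`, and the token is assumed to have been signature-verified already.

```python
import json

# roles_mapping.yml from this report, reduced to the fields that decide a mapping
# (constructed copy of the page's data; descriptions omitted).
ROLES_MAPPING = {
    "all_access":       {"backend_roles": ["admin", "roles"]},
    "own_index":        {"users": ["*"]},
    "logstash":         {"backend_roles": ["logstash"]},
    "kibana_user":      {"backend_roles": ["kibanauser"]},
    "readall":          {"backend_roles": ["readall"]},
    "manage_snapshots": {"backend_roles": ["snapshotrestore"]},
    "kibana_server":    {"users": ["kibanaserver"]},
}
SUBJECT_KEY, ROLES_KEY = "preferred_username", "roles"  # from openid_auth_domain

def extract_identity(claims):
    # Read user name and backend roles with the claim names the openid domain
    # uses. A missing roles claim gives no backend roles, and the noop
    # authentication_backend adds none.
    user = claims.get(SUBJECT_KEY)
    roles = claims.get(ROLES_KEY)
    return user, list(roles) if isinstance(roles, list) else []

def resolve_roles(user, backend_roles):
    # Grant each mapped role whose users lists the user (or "*", the only
    # wildcard modelled here) or whose backend_roles intersects the user's.
    granted = set()
    for role, rule in ROLES_MAPPING.items():
        users = rule.get("users", [])
        if "*" in users or user in users:
            granted.add(role)
        if set(rule.get("backend_roles", [])) & set(backend_roles):
            granted.add(role)
    return sorted(granted)

def roles_for_token(claims_json):
    # OpenSearch roles that a verified, decoded token payload resolves to.
    user, backend_roles = extract_identity(json.loads(claims_json))
    if user is None:
        return []  # no subject claim: authentication fails before role mapping
    return resolve_roles(user, backend_roles)

# Constructed token payloads (signature assumed verified upstream), not real.
TOKEN_WITH_MAPPED_ROLE = json.dumps({"preferred_username": "alice", "roles": ["kibanauser"]})
# A stock Keycloak token carries realm roles under realm_access.roles, so the
# top-level "roles" claim this config reads is absent without a protocol mapper.
TOKEN_KEYCLOAK_DEFAULT = json.dumps(
    {"preferred_username": "bob", "realm_access": {"roles": ["kibanauser"]}})
```

A user whose token lacks a matching `roles` claim authenticates but ends up with only `own_index`, which is the kind of state that surfaces as an authorization error in Dashboards rather than a login failure.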