401 Unauthorized - Integrating with Keycloak using opster operator

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
k8s opensearch - 2.3.0

Describe the issue:
Hello, I am new to OpenSearch. I have installed OpenSearch using the k8s opster operator and it is up and running fine. The next step is to integrate it with Keycloak. Following the documentation (OpenID Connect - OpenSearch documentation), when I hit the OpenSearch URL https://opensearch_url.com/auth/openid/login? it gives the following error:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Configuration:
Here are the steps I followed to set it up:

  1. Created a client in Keycloak (opensearch) with the following settings:

     Added the admin role to the client in Keycloak and the issue still occurs.

Here’s my security-config:

    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic"
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: "basic"
              challenge: false
            authentication_backend:
              type: "internal"

          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: openid
              challenge: false
              config:
                openid_connect_idp:
                  enable_ssl: false
                  verify_hostnames: false
                subject_key: preferred_username
                roles_key: "roles"
                openid_connect_url: "https://keycloak_url.com/auth/realms/master/.well-known/openid-configuration"
            authentication_backend:
              type: noop

Here’s the opensearch.yaml config:

    additionalConfig:
      logging.verbose: "true"
      server.port: "5601"
      server.host: "0.0.0.0"
      opensearch_security.openid.scope: "openid profile email"
      opensearch.hosts: |
        ["https://localhost:9200"]
      opensearch.username: admin
      opensearch.password: admin
      opensearch_security.auth.type: "openid"
      opensearch_security.openid.client_id: opensearch
      opensearch_security.openid.client_secret: "<<SECRET>>"
      opensearch_security.openid.base_redirect_url: https://opensearch_url.com
      opensearch_security.openid.connect_url: "https://keycloak_url.com/auth/realms/master/.well-known/openid-configuration"
      #opensearch_security.openid.verify_hostnames: "false"
      opensearch_security.openid.trust_dynamic_headers: "true"
      opensearch_security.cookie.secure: "false"
      opensearch.requestHeadersAllowlist: |
        ["Authorization", "security_tenant", "WWW-Authenticate"]

Any help would be greatly appreciated.

Relevant Logs or Screenshots:

Hi @Ghata
Can you try to open the following URL in your browser?

https://keycloak_url.com/auth/realms/master/.well-known/openid-configuration

Yes… I am able to get the following info:

{
    "issuer": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master",
    "authorization_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/token",
    "introspection_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/logout",
    "frontchannel_logout_session_supported": true,
    "frontchannel_logout_supported": true,
    "jwks_uri": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/certs",
    "check_session_iframe": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
    ],
    "acr_values_supported": [
        "0",
        "1"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "id_token_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA-OAEP-256",
        "RSA1_5"
    ],
    "id_token_encryption_enc_values_supported": [
        "A256GCM",
        "A192GCM",
        "A128GCM",
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512"
    ],
    "userinfo_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "userinfo_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA-OAEP-256",
        "RSA1_5"
    ],
    "userinfo_encryption_enc_values_supported": [
        "A256GCM",
        "A192GCM",
        "A128GCM",
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512"
    ],
    "request_object_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "request_object_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA-OAEP-256",
        "RSA1_5"
    ],
    "request_object_encryption_enc_values_supported": [
        "A256GCM",
        "A192GCM",
        "A128GCM",
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post",
        "query.jwt",
        "fragment.jwt",
        "form_post.jwt",
        "jwt"
    ],
    "registration_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/clients-registrations/openid-connect",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "introspection_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "introspection_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "authorization_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "authorization_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA-OAEP-256",
        "RSA1_5"
    ],
    "authorization_encryption_enc_values_supported": [
        "A256GCM",
        "A192GCM",
        "A128GCM",
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512"
    ],
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email",
        "acr"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": true,
    "scopes_supported": [
        "openid",
        "offline_access",
        "roles",
        "email",
        "address",
        "microprofile-jwt",
        "airflow_client_scope",
        "profile",
        "web-origins",
        "acr",
        "phone"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "require_request_uri_registration": true,
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "tls_client_certificate_bound_access_tokens": true,
    "revocation_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/revoke",
    "revocation_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "revocation_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "backchannel_logout_supported": true,
    "backchannel_logout_session_supported": true,
    "device_authorization_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/auth/device",
    "backchannel_token_delivery_modes_supported": [
        "poll",
        "ping"
    ],
    "backchannel_authentication_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/ext/ciba/auth",
    "backchannel_authentication_request_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "require_pushed_authorization_requests": false,
    "pushed_authorization_request_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/ext/par/request",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/token",
        "revocation_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/revoke",
        "introspection_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/token/introspect",
        "device_authorization_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/auth/device",
        "registration_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/clients-registrations/openid-connect",
        "userinfo_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/userinfo",
        "pushed_authorization_request_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/ext/par/request",
        "backchannel_authentication_endpoint": "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/protocol/openid-connect/ext/ciba/auth"
    }
}

Hi @Eugene7 , anything wrong in the config?

Hi @Eugene7 @pablo
Getting the error below in the Dashboards logs; what is wrong in the config? We are stuck here.

    ["error","plugins","securityDashboards"],"pid":1,"message":"Error: self signed certificate in certificate chain
        at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)
        at TLSSocket.emit (events.js:400:28)
        at TLSSocket._finishInit (_tls_wrap.js:937:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)
        at TLSWrap.callbackTrampoline (internal/async_hooks.js:130:17) {
      code: 'SELF_SIGNED_CERT_IN_CHAIN',
      trace: [
        {
          method: 'GET',
          url: 'https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/.well-known/openid-configuration'
        }
      ],
      isBoom: true,
      isServer: true,
      data: null,
      output: {
        statusCode: 502,
        payload: {
          message: 'Client request error: self signed certificate in certificate chain',
          statusCode: 502,
          error: 'Bad Gateway'
        },
        headers: {}
      }
    }"}

Any suggestion to move forward on this would be appreciated

Please try to add the pemtrustedcas_filepath parameter to your config.yml file. Also, change the following parameter:
enable_ssl: true

pemtrustedcas_filepath is an absolute path to the PEM file containing the root CAs of your IdP. You can find more information about that in the documentation below:

Hi @Eugene7

I have already made those changes and am still getting the same error.
Please review the cluster.yaml file in case anything is missing:

    spec:
      security:
        config:
          securityConfigSecret:
            name: securityconfig
        tls:
          http:
            generate: true
          transport:
            generate: true
            perNode: true
      general:
        httpPort: 9200
        serviceName: my-opensearch-cluster
        version: 2.3.0
        pluginsList: ["repository-s3"]
        drainDataNodes: true
        image: "opensearch:2.3.0"
        imagePullSecrets:
          - name: cde-reg-credentials
      bootstrap:
        nodeSelector: {"opensearch":"true"}
      initHelper:
        image: "busybox:1.27.2-buildx"
        imagePullSecrets:
          - name: cde-reg-credentials
      dashboards:
        tls:
          enable: true
          generate: true
        version: 2.3.0
        enable: true
        replicas: 1
        resources:
          requests:
            memory: "512Mi"
            cpu: "200m"
          limits:
            memory: "512Mi"
            cpu: "200m"
        image: "opensearch-dashboards:2.3.0"
        imagePullSecrets:
          - name: cde-reg-credentials
        additionalConfig:
          logging.verbose: "true"
          server.port: "5601"
          server.host: "0.0.0.0"
          opensearch_security.openid.scope: "openid profile email"
          opensearch.hosts: |
            ["https://localhost:9200"]
          # opensearch_security.openid.header: "Authorization"
          # opensearch.url: https://10.101.88.209:9200
          opensearch.username: admin
          opensearch.password: admin
          opensearch.ssl.verificationMode: none
          opensearch_security.auth.type: "openid"
          opensearch_security.openid.client_id: opensearch
          opensearch_security.openid.client_secret: "SECRET"
          opensearch_security.openid.base_redirect_url: https://service4.dev.npiam.bakerhughes.com
          opensearch_security.openid.connect_url: "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/.well-known/openid-configuration"
          #opensearch_security.openid.verify_hostnames: "false"
          opensearch_security.openid.trust_dynamic_headers: "true"
          opensearch_security.cookie.secure: "false"
          opensearch.requestHeadersAllowlist: |
            ["Authorization", "security_tenant", "WWW-Authenticate"]
      nodePools:
        - component: masters
          replicas: 3
          nodeSelector: {"opensearch":"true"}
          resources:
            requests:
              memory: "4Gi"
              cpu: "1000m"
            limits:
              memory: "4Gi"
              cpu: "1000m"
          roles:
            - "data"
            - "cluster_manager"
          persistence:
            emptyDir: {}

also the security-config.yaml:

    config.yml: |-
      _meta:
        type: "config"
        config_version: 2
      config:
        dynamic:
          http:
            anonymous_auth_enabled: false
          authc:
            basic_internal_auth_domain:
              description: "Authenticate via HTTP Basic"
              http_enabled: true
              transport_enabled: true
              order: 1
              http_authenticator:
                type: "basic"
                challenge: false
              authentication_backend:
                type: "internal"

            openid_auth_domain:
              http_enabled: true
              transport_enabled: true
              order: 0
              http_authenticator:
                type: openid
                challenge: false
                config:
                  openid_connect_idp:
                    enable_ssl: true
                    pemtrustedcas_content: |-
                      ROOT_CA_CERTIFICATE_CONTENT

Could you share the output of the command below?

curl -k -u admin:admin -XGET https://your-domain-name:9200/_plugins/_security/api/securityconfig?pretty

Hi @Eugene7

Here’s the requested output:

Note: Unnecessary use of -X or --request, GET is already inferred.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 100.70.41.85:9200...
* Connected to my-opensearch-cluster.opensearch.svc.cluster.local (100.70.41.85) port 9200 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [32 bytes data]
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
{ [125 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1588 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
} [8 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: OU=my-opensearch-cluster; CN=my-opensearch-cluster
*  start date: Nov 24 11:53:40 2023 GMT
*  expire date: Nov 24 11:53:40 2024 GMT
*  issuer: CN=my-opensearch-cluster
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
} [5 bytes data]
> GET /_plugins/_security/api/securityconfig?pretty HTTP/1.1
> Host: my-opensearch-cluster.opensearch.svc.cluster.local:9200
> Authorization: Basic <TOKEN>
> User-Agent: curl/8.1.2
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [1890 bytes data]
{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}",
          "remoteIpHeader" : "X-Forwarded-For"
        }
      },
      "authc" : {
        "openid_auth_domain" : {
          "http_enabled" : true,
          "transport_enabled" : true,
          "order" : 0,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "openid",
            "config" : {
              "openid_connect_idp" : {
                "enable_ssl" : true,
                "pemtrustedcas_content" : "-----BEGIN CERTIFICATE-----<CERT_DETAILS>\n-----END CERTIFICATE-----"
              },
              "subject_key" : "preferred_username",
              "roles_key" : "roles",
              "openid_connect_url" : "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/.well-known/openid-configuration"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "transport_enabled" : true,
          "order" : 1,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "internal",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic"
        }
      },
      "authz" : { },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false
    }
  }
}
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 4174
<
{ [4174 bytes data]

100  4174  100  4174    0     0   115k      0 --:--:-- --:--:-- --:--:--  116k
* Connection #0 to host my-opensearch-cluster.opensearch.svc.cluster.local left intact

Does pemtrustedcas_content point to the OpenSearch root CA or the Keycloak certificate? Can the OpenSearch node resolve keycloak.dev.npiam.bakerhughes.com? Could you please execute the following command from the server where OpenSearch is running?

curl -k https://keycloak_url.com/auth/realms/master/.well-known/openid-configuration
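One way to settle that question locally, as an added example rather than anything from this thread: it builds a constructed root CA and a leaf certificate signed by it with the openssl CLI (assumed to be on PATH; the hostname keycloak.example.test is made up), then shows that openssl verify, like the plugin's HTTPS client fetching openid_connect_url, only succeeds when the trust file holds the issuing CA and not the IdP's own server certificate, and prints the YAML fragment that carries the CA into pemtrustedcas_content.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root CA and a leaf
# certificate signed by it (all constructed, with a made-up IdP hostname), then
# checks which file lets the leaf verify. Assumes the openssl CLI is on PATH.
set -e
WORK=$(mktemp -d)

make_demo_pki() {
  # Self-signed root CA: this is what belongs in pemtrustedcas_content/_filepath
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-root-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server (leaf) certificate for the constructed IdP name, signed by that CA
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=keycloak.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Usage: verify_against TRUST_FILE CERT_FILE
# Exit 0 when CERT_FILE chains to a self-signed anchor found in TRUST_FILE,
# which is the same decision the plugin's HTTPS client makes when it fetches
# openid_connect_url.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: is_ca_cert PEM_FILE
# Exit 0 when the certificate carries basicConstraints CA:TRUE, i.e. it is a
# CA certificate and not a server leaf like the one the IdP presents.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Usage: yaml_trusted_cas PEM_FILE
# Prints the openid_connect_idp fragment with the PEM indented as a YAML
# block scalar, ready to paste under http_authenticator.config in config.yml.
yaml_trusted_cas() {
  printf 'openid_connect_idp:\n  enable_ssl: true\n  pemtrustedcas_content: |-\n'
  sed 's/^/    /' "$1"
}

make_demo_pki
if verify_against "$WORK/ca.pem" "$WORK/leaf.pem"; then
  echo "ok: leaf verifies against ca.pem -> trust the CA, not the server cert"
fi
if ! verify_against "$WORK/leaf.pem" "$WORK/leaf.pem"; then
  echo "expected failure: a trust file holding only the leaf cannot verify it"
fi
yaml_trusted_cas "$WORK/ca.pem"
```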

Hi @Eugene7

pemtrustedcas_content points to the Keycloak certificate and yes, it is able to resolve the URL.
The command output throws the same self-signed certificate error:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.15.201.134:443...
* Connected to keycloak.dev.npiam.bakerhughes.com (10.15.201.134) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /cacert.pem
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5434 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self-signed certificate in certificate chain

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Hi @Eugene7

Did you get a chance to look at the output?

Hi @Ghata

I suggest setting "order": 0 for basic_internal_auth_domain and "order": 1 for openid_auth_domain.

As per the documentation below, the following parameter should use the OpenSearch Dashboards URL:

opensearch_security.openid.base_redirect_url: https://opensearch_url.com

Could you please check the value for this parameter?

    logging.verbose: "true"
    server.port: "5601"
    server.host: "0.0.0.0"
    server.ssl.certificateAuthorities: "/usr/share/opensearch/config/ca.crt"
    opensearch_security.openid.scope: "openid"
    opensearch.hosts: |
      ["https://localhost:9200"]
    opensearch.username: "admin"
    opensearch.password: "admin"
    opensearch.ssl.verificationMode: full
    opensearch.ssl.certificateAuthorities: "/usr/share/opensearch/config/ca.crt"
    opensearch_security.auth.type: "openid"
    opensearch_security.openid.connect_url: "https://keycloak.dev.npiam.bakerhughes.com/auth/realms/master/.well-known/openid-configuration"
    opensearch_security.openid.client_id: "opensearch"
    opensearch_security.openid.client_secret: ""
    opensearch_security.openid.base_redirect_url: "https://service4.dev.npiam.bakerhughes.com/"
    opensearch_security.openid.verify_hostnames: "false"
    opensearch_security.openid.root_ca: "/usr/share/opensearch/config/ca.crt"

With the above config I am able to get to Keycloak, but after logging in it throws a 401.
I have one last question: what configuration needs to be done at the Keycloak end?

  1. I created a client in Keycloak: opensearch
  2. Created an admin role under Clients -> Client details (opensearch) -> Roles (admin)
  3. Created a User realm role under Clients -> Client details (opensearch) -> Client scopes -> opensearch_dedicated (name of the dedicated scope automatically created) -> User Realm Role. To map this with OpenSearch, added roles_mapping.yml:

    roles_mapping.yml: |-
      _meta:
        type: "rolesmapping"
        config_version: 2

      # Define your roles mapping here

      ## Demo roles mapping

      all_access:
        reserved: false
        backend_roles:
        - "admin"
        description: "Maps admin to all_access"

      own_index:
        reserved: false
        users:
        - "*"
        description: "Allow full access to an index named like the username"

      logstash:
        reserved: false
        backend_roles:
        - "logstash"

      kibana_user:
        reserved: false
        backend_roles:
        - "kibanauser"
        description: "Maps kibanauser to kibana_user"

      readall:
        reserved: false
        backend_roles:
        - "readall"

      manage_snapshots:
        reserved: false
        backend_roles:
        - "snapshotrestore"

      kibana_server:
        reserved: true
        users:
        - "kibanaserver"

There are some gaps in this connection: when I enter my credentials in Keycloak, it logs me in, redirects me to the "https://service4.dev.npiam.bakerhughes.com/auth/openid/login?" endpoint and throws a 401. What's wrong? @Eugene7

@Ghata Do you use reverse proxy?

Hi @Eugene7

Yes, we are using a reverse proxy.
Adding the setting below to the OpenSearch Dashboards config resolved the issue:

opensearch_security.openid.trust_dynamic_headers: "true"

Thanks for your support
Regards,
Ghata Saxena