Backend_roles in roles mapping seems to be ignored when using OpenID

  • OpenSearch: v1.2.3
  • Authentication via KeyCloak (OpenID)

It seems that backend_roles in roles_mapping.yml are ignored if authentication is done via KeyCloak. Same for and_backend_roles (whatever that is, see docs)

  • If the roles_key is in the config.yml then OpenSearch logs complain about “Failed to get roles from JWT claims with roles_key ‘roles’. Check if this key is correct and available in the JWT payload.”
  • If the roles_key is removed then the warning disappears but the backend_roles in roles_mapping.yml seem to be ignored.
  • If I set up a role in roles.yml other than the standard role admin then it’s also ignored.
  • If I set the roles_key to family_name and change my family name in KeyCloak to admin then the backend_role is correctly assigned

It seems to me that backend roles MUST be provided via KeyCloak. Is that correct or am I doing something wrong?

config.yml

      openid_auth_domain:
        description: "KeyCloak settings for SSO"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            openid_connect_url: https://some-keycloak.com/auth/realms/master/.well-known/openid-configuration
            openid_connect_idp:
              enable_ssl: true
              pemtrustedcas_filepath: /etc/opensearch/ca-certificates.crt
        authentication_backend:
          type: noop

roles_mapping.yml

all_access:
  reserved: false
  backend_roles:
    - "admin"
  users:
    - user123
  description: "Maps admin to all_access"

[Screenshot: Backend roles being ignored]

@sergej Have you configured a roles mapper in the OpenID client?
Check the below example.

@pablo

Thanks. As it turns out, it is not configured. But if I understand its function correctly (see here), this would enable KeyCloak to pass roles in the “access token”. I hope to rather set up users in the roles_mapping.yml because the implementation would be easier in our case.

To whom it may concern: I looked into the code and this doesn’t seem possible currently. There is no lookup of the internal file config for roles when using OpenID and no authz backend to handle this case. Roles must be set in the configured roles_key in the ID token.

I’ve made a feature request: https://github.com/opensearch-project/security/issues/1748

@sergej I’ve checked with my keycloak and I’m able to assign roles based on roles_mapping.yml.

My test user user1 doesn’t have any roles assigned in keycloak.

As a result, I get the below after login into OpenSearch Dashboards.


When I assign user1 to all_access role in roles_mapping.yml.


I get the following in OpenSearch Dashboards.


I still have roles_key configured and if I add any group in Keycloak it will be added to the ones I get through roles_mapping.yml.


@sergej Based on your first screenshots, OpenSearch and Keycloak work as expected.
Could you explain again what is your issue?

How do you want to pass the groups? Through Keycloak or roles_mapping.yml?

@pablo

Thanks for the reply. My issue is with the backend_roles, which you need to access the “Security” settings (to manage tenants and users).

As your screenshot shows, the role all_access is mapped to the user “pablo” and the backend_role “admin”.

In my expectation it would mean that if user “pablo” gets authenticated via KeyCloak he will automatically get the role all_access and the backend_role “admin”. But to be assigned the backend_role “admin”, the KeyCloak ID Token has to have the field roles with the value “admin” (or at least I couldn’t get it to work without it).

Maybe it’s a feature and not a bug, but from the configuration as code perspective it would be beneficial to be able just to render this roles_mapping.yml file and have all the desired backend_role mappings included without the need to interact with an external entity additionally (i.e. KeyCloak), which is hard to manage. So it’s easier to delete all users and reapply them instead of having to deal with adding and deleting single users via some REST APIs. The security plugin actually works that way, see “A word of caution”.

We solved it now with the roles_key and the roles mapper in KeyCloak, which you mentioned in your first reply. Thanks a lot for your help!

@sergej I’ve placed an incorrect screenshot. There should be user1 instead of pablo.
User1 didn’t have any roles assigned in Keycloak as per my previous screenshots. OS assigned all_access based on the roles_mapping.yml.


@pablo
I run securityadmin.sh to apply my roles_mapping.yml:

securityConfig:
  path: "/usr/share/opensearch/config/opensearch-security"
  config:
    data:
      roles_mapping.yml: |-
        _meta:
          type: "rolesmapping"
          config_version: 2
        all_access:
          reserved: false
          backend_roles:
            - "admin"
          users:
            - admin
            - mymail@mail.com
          description: "Maps admin to all_access"
        readall:
          reserved: false
          hidden: false
          backend_roles:
            - "readall"
          hosts: []
          users: []
          and_backend_roles: []
        logstash:
          reserved: false
          hidden: false
          backend_roles:
            - "logstash"
          hosts: []
          users:
            - logstash
          and_backend_roles: []
        kibana_server:
          reserved: true
          hidden: false
          backend_roles: []
          hosts: []
          users:
            - "kibanaserver"
          and_backend_roles: []
        own_index:
          reserved: false
          hidden: false
          backend_roles: []
          hosts: []
          users:
            - "*"
          and_backend_roles: []
          description: "Allow full access to an index named like the username"
        kibana_user:
          reserved: false
          hidden: false
          backend_roles:
            - "kibanauser"
          hosts: []
          users: []
          and_backend_roles: []
          description: "Maps kibanauser to kibana_user"

And I created a Keycloak mapping as described above. The mapping is done fine: if I assign a role in KC to a user, it gets mapped to that user when logged into opensearch-dashboards (seen through view roles and identities).
However, the roles don't seem to work except for all_access.
Likewise, if I add mymail@mail.com to any other role in roles_mapping.yml, I will not get to see any indices or data.

@Raki Please open a new thread and share the following information.

  1. Version of the OpenSearch
  2. config.yml and opensearch_dashboards.yml, roles.yml
  3. A screenshot of the assigned roles in the OpenSearch Dashboards UI.