Is there any way to map KeyCloak groups within OpenSearch? Following guidance, I was able to configure the OpenSearch KeyCloak integration as well as map the OpenSearch roles to the backend roles (i.e. the KeyCloak roles). Now, exploring further, I want to understand whether there is any way to configure a mapping between KeyCloak groups and OpenSearch.
Configuration:
My current setup is on my local machine, with KeyCloak and OpenSearch running in Docker.
Yes, that is possible. You will need to pass groups with your token from Keycloak and map it in your config.yml:
openid_auth_domain.http_authenticator.config.roles_key: <name of the key for your groups>
Thanks for the input @Mantas; following your instructions I'm able to see my KeyCloak groups inside OpenSearch as backend roles.
However, now I don't see the KeyCloak roles as my backend roles in OpenSearch. Is there any way to configure both, I mean KeyCloak groups as well as roles? That way, if any RBAC is created over the roles, we can have that implemented here in OpenSearch, and the same goes for groups as well.
You cannot have roles_key configured to multiple values. If you want to have both the groups and the roles mapped to your users' backend_roles, you will need to find how to pass both groups and roles in a single claim in the JWT payload, which you could then map to roles_key.
That is a good question; however, this would be completely up to the IdP (Keycloak in your case).
I would say a good place to start looking for the answer would be: keycloak/keycloak · Discussions · GitHub or
If you find a solution, please do let me know; if I stumble on one, I will update you here.
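
An added example, not part of any post in this thread: a small inspection script that decodes a token's payload and shows which backend roles a given roles_key setting would yield. It assumes roles_key names one top-level claim whose value is a list or a comma-separated string; the sample token and the combined claim name `backend_roles` are constructed for illustration.

```python
import base64
import json


def jwt_payload(token):
    """Decode the payload segment of a compact JWT for inspection only.
    The signature is NOT verified here; never use this for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def backend_roles(payload, roles_key):
    """Assumed model of roles_key: read exactly one top-level claim and
    accept either a JSON list or a comma-separated string."""
    value = payload.get(roles_key)
    if value is None:
        return []  # claim absent: the user gets no backend roles from the token
    if isinstance(value, list):
        return [str(v) for v in value]
    return [p.strip() for p in str(value).split(",") if p.strip()]


def make_sample_token(claims):
    """Build a constructed, unsigned-looking token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"


# Constructed claims: separate "groups" and "roles" claims, plus a
# hypothetical combined claim that the IdP would have to be configured to emit.
SAMPLE = make_sample_token({
    "preferred_username": "alice",
    "groups": ["/analysts"],
    "roles": ["kibana_admin"],
    "backend_roles": ["/analysts", "kibana_admin"],
})

if __name__ == "__main__":
    payload = jwt_payload(SAMPLE)
    for key in ("groups", "roles", "backend_roles", "missing_claim"):
        print(f"roles_key={key!r:18} -> {backend_roles(payload, key)}")
```

Running it against a real access token (pasted in place of SAMPLE) shows which claim actually carries the values you expect before you change roles_key.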