Hi There!,
Is there any way to map KeyCloak groups within OpenSearch. Following guidance I was able to configure the OpenSearch KeyCloak integration as well as map the OpenSearch roles with the backend roles (i.e. the KeyCloak roles). Now with my further exploration I wanted to understand is there any way to configure mapping between KeyCloak Groups & OpenSearch.
Configuration:
I’ve current setup in my local machine for KeyCloak & Opensearch in docker.
Hi @vishal.gilbile,
Yes, that is possible, you will need to pass groups with your token from Keycloak and map it in your config.yml openid_auth_domain.http_authenticator.config.roles_key:<name of the key for your groups>.
Best,
Mantas
the below setup worked for me in my lab passing groups to OpenSearch backend_roles:
config.yml
openid_auth_domain.http_authenticator.config.roles_key: groups
let me know if you need some clarification.
Best,
Mantas
Thanks for the input @Mantas; following your instructions I’m able to see my KeyCloak Groups inside the OpenSearch as Backend roles.
However now I don’t see the KeyCloak roles as my Backend roles in OpenSearch. Is there any way to configure both I mean KeyCloak groups as well as roles. So that if any RBAC is created over the roles we can have that implemented over here in OpenSearch & same goes to Groups as well.
Hi @vishal.gilbile,
You can not have roles_key configured to multiple values, if you want to have both the groups and the roles mapped to your users’ backend_roles you will need to find how to pass both groups and, roles in the single claim in the JWT payload, that you could map to roles_key.
Best,
Mantas
Hi @Mantas .
How can this be implemented in keycloak version 21?
In client scope “roles”, Tab Mappers, create group membership type or use custom mapper like “User Attribute”?
Hi @ActiveSync,
That is a good question, however, this would be completely up to the ipd (keycloak in your case).
I would say a good place to start looking for the answer would be: keycloak/keycloak · Discussions · GitHub or
If you find a solution please do let me know, if I stumble on one I will update you here.
thanks,
mj
