We tried updating our Keycloak to version 21.0.1; below are my current configs, but I am still getting the same error… @pablo
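# OpenSearch Dashboards settings (opensearch_dashboards.yml): three cluster
# endpoints over HTTPS, TLS on the Dashboards listener, and a combined
# basic-auth + OpenID (Keycloak) sign-in.

# Cluster endpoints, all over HTTPS; the single-node localhost entry is kept
# below for local testing only.
opensearch.hosts: ["https://10.212.162.111:9200", "https://10.202.162.111:9200", "https://10.223.32.44:9200"]
#opensearch.hosts: ["https://localhost:9200"]

# Dashboards listener. 0.0.0.0 binds every interface, so the server.ssl.*
# settings below are what protects this port.
server.host: 0.0.0.0
server.port: 5601

# Trust only node certificates that chain to the cluster root CA.
# `certificate` validates the chain but not the hostname; because the hosts
# above are IP addresses, `full` would need IP SANs in the node certificates
# — confirm that before tightening.
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/apps/opensearch-2.6.0/config/root-ca.pem"]

# TLS for the Dashboards listener itself.
server.ssl.enabled: true
server.ssl.certificate: /apps/opensearch-2.6.0/config/runops_chain.crt
server.ssl.key: /apps/opensearch-2.6.0/config/runops_wildcardkey.key

# Service account Dashboards uses against the cluster. `kibanaserver` /
# `kibanaserver` are the demo-install defaults; change the password and
# update the matching internal user (internal_users.yml, then securityadmin.sh).
opensearch.username: kibanaserver
opensearch.password: kibanaserver

# Browser headers forwarded to the cluster; `securitytenant` is required for
# the multitenancy settings that follow.
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]

# Must stay true while server.ssl.enabled is true; only set it to false when
# Dashboards is served over plain http.
opensearch_security.cookie.secure: true

# Offer both the internal-user login form and the Keycloak OpenID flow.
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth", "openid"]

# OpenID Connect client registered in Keycloak. These values must agree with
# the openid_auth_domain in the security plugin's config.yml (same discovery
# URL, same trust chain) or the two sides will disagree about the token.
opensearch_security.openid.client_id: "opensearch-prod"
opensearch_security.openid.connect_url: "https://qa-sso.runops.ohlogistics.com/realms/sso/.well-known/openid-configuration"
# The client secret previously inlined here has been shared publicly and must
# be regenerated in Keycloak. Keep the new value out of shared config files
# (opensearch-dashboards-keystore, or a file with restricted permissions).
opensearch_security.openid.client_secret: "<CLIENT_SECRET_PLACEHOLDER>"
opensearch_security.openid.root_ca: "/apps/opensearch-2.6.0/config/runops_chain.crt"
opensearch_security.openid.base_redirect_url: "https://opensearch.runops.ohlogistics.com:5601/"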
---
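# Security plugin config.yml (authentication domains). Changes here are not
# live until loaded with securityadmin.sh; roles carried by the token are then
# resolved through roles_mapping.yml.
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
      # Kibana multitenancy
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
    http:
      # No anonymous access: every request must pass one of the authc domains.
      anonymous_auth_enabled: false
      xff:
        # X-Forwarded-For is ignored while disabled; the proxy regex below only
        # matters once this is set to true, and should then list only proxies
        # you control.
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader: 'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      # Domains are tried in `order`; basic auth first, then OpenID.
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          # No WWW-Authenticate challenge, so the browser is not prompted for
          # credentials before the OpenID domain gets a chance.
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        description: "Authenticate via OpenID Connect (Keycloak) bearer tokens"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            # Token claim used as the OpenSearch user name.
            subject_key: preferred_username
            # Token claim that carries the user's backend roles. By default
            # Keycloak emits realm roles under realm_access.roles and client
            # roles under resource_access.<client>.roles, not as a top-level
            # `roles` claim, so a protocol mapper that adds a flat `roles`
            # claim (or a roles_key that matches the real claim) is usually
            # needed — verify against a decoded token before changing this.
            roles_key: roles
            # Must match opensearch_security.openid.connect_url in
            # opensearch_dashboards.yml.
            openid_connect_url: "https://qa-sso.runops.ohlogistics.com/realms/sso/.well-known/openid-configuration"
            openid_connect_idp:
              enable_ssl: true
              # Hostname checking on the IdP connection is off; the chain is
              # still verified against the CA below. Prefer true once the IdP
              # certificate's SAN matches the discovery URL host.
              verify_hostnames: false
              # NOTE(review): Dashboards trusts runops_chain.crt while this
              # file names runops_chain.pem — confirm both exist and hold the
              # same chain.
              pemtrustedcas_filepath: "/apps/opensearch-2.6.0/config/runops_chain.pem"
        authentication_backend:
          # The token itself is the credential; nothing further to look up.
          type: noop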
I managed to solve the Keycloak authentication issue; it was just me being stupid by not running securityadmin.sh after I made the changes. But now I'm facing a new issue where the roles I assign in Keycloak are not being reflected on the OpenSearch Dashboards side. I have tried assigning both realm roles and client roles, but none seem to work… Any suggestions?