I placed Kibana and Keycloak behind an AWS LB, configured self-signed certificates and Route53. Keycloak and Kibana are both configured to use HTTP; the LB redirects HTTPS to HTTP. I can access Kibana and Keycloak using the DNS names from both pods (they are running on Kubernetes). I added the Keycloak CA cert to Elasticsearch and Kibana:
config.yml:

```yaml
---
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      pemtrustedcas_filepath: "/usr/share/elasticsearch/config/ca/keycloak-ca.pem"
      subject_key: email
      openid_connect_url: "https://mykeycloak.dns/auth/realms/myrealm/.well-known/openid-configuration"
      enable_ssl: true
      verify_hostnames: false
  authentication_backend:
    type: noop
```
kibana.yml:

```yaml
---
opendistro_security.auth.type: "openid"
opendistro_security.openid.scope: "openid profile email"
opendistro_security.openid.connect_url: "https://mykeycloak.dns/auth/realms/myrealm/.well-known/openid-configuration"
opendistro_security.openid.client_id: "kibana-client-id"
opendistro_security.openid.client_secret: "xxx-yyy-zzzz"
opendistro_security.openid.root_ca: /usr/share/kibana/config/keycloak-ca.pem
opendistro_security.openid.base_redirect_url: "https://mykibana.dns/"
```
If the "openid" configuration is not enabled, I can log in to the Kibana UI with the local admin account. If "openid" is enabled, I get redirected to the Keycloak login, but after entering the username/password for a Keycloak internal user I get the Kibana error page: "Authentication failed. Please provide a new token". The Keycloak admin console shows that the user did log in, but there are no log messages about a login attempt for this user in Elasticsearch. The user's email is mapped to the "admin" role in Kibana. Without HTTPS termination on the AWS LB I didn't have any problems with the same configuration. In the Kibana log I saw that the opendistro_security plugin is initialised. This is what I found in the Kibana log:
```json
{"type":"response","@timestamp":"2020-05-20T04:32:07Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?state=rbzmnzgfaeEXLrgzhvXgIF&session_state=c3e5dde1-33f6-4c18-868a-3d225de2e8c0&code=d1ecfd4f-ef7e-4974-8d2c-96c3b11e85ae.c3e5dde1-33f6-4c18-868a-3d225de2e8c0.4a938c58-ea13-41de-b221-f115d5668e06","method":"get","headers":{"host":"mykibana.dns","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","referer":"https://mykeycloak.dns/auth/realms/myrealm/protocol/openid-connect/auth?client_id=kibana-client-id&response_type=code&redirect_uri=https%3A%2F%2Fmykibana.dns%2Fauth%2Fopenid%2Flogin&state=rbzmnzgfaeEXLrgzhvXgIF&scope=openid%20profile%20email","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36","x-forwarded-for":"76.126.85.105","x-forwarded-port":"443","x-forwarded-proto":"https","connection":"keep-alive"},"remoteAddress":"10.204.71.29","userAgent":"10.204.71.29","referer":"https://mykeycloak.dns/auth/realms/myrealm/protocol/openid-connect/auth?client_id=kibana-client-id&response_type=code&redirect_uri=https%3A%2F%2Fmykibana.dns%2Fauth%2Fopenid%2Flogin&state=rbzmnzgfaeEXLrgzhvXgIF&scope=openid%20profile%20email"},"res":{"statusCode":302,"responseTime":511,"contentLength":9},"message":"GET /auth/openid/login?state=rbzmnzgfaeEXLrgzhvXgIF&session_state=c3e5dde1-33f6-4c18-868a-3d225de2e8c0&code=d1ecfd4f-ef7e-4974-8d2c-96c3b11e85ae.c3e5dde1-33f6-4c18-868a-3d225de2e8c0.4a938c58-ea13-41de-b221-f115d5668e06 302 511ms - 9.0B"}
{"type":"response","@timestamp":"2020-05-20T04:32:07Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/customerror?type=authError","method":"get","headers":{"host":"mykibana.dns","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","referer":"https://mykeycloak.dns/auth/realms/myrealm/protocol/openid-connect/auth?client_id=kibana-client-id&response_type=code&redirect_uri=https%3A%2F%2Fmykibana.dns%2Fauth%2Fopenid%2Flogin&state=rbzmnzgfaeEXLrgzhvXgIF&scope=openid%20profile%20email","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36","x-forwarded-for":"33.123.84.175","x-forwarded-port":"443","x-forwarded-proto":"https","connection":"keep-alive"},"remoteAddress":"10.204.71.224","userAgent":"10.204.71.224","referer":"https://mykeycloak.dns/auth/realms/kibana/protocol/openid-connect/auth?client_id=kibana-client-id&response_type=code&redirect_uri=https%3A%2F%2Fmykibana.dns%2Fauth%2Fopenid%2Flogin&state=rbzmnzgfaeEXLrgzhvXgIF&scope=openid%20profile%20email"},"res":{"statusCode":200,"responseTime":38,"contentLength":9},"message":"GET /customerror?type=authError 200 38ms - 9.0B"}
```
What am I missing in configuration?
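An added diagnostic for the situation described in the post above; it is not code from the post, from Open Distro or from Keycloak. It reads Kibana's JSON "response" log lines (the sample inside is a constructed, shortened copy of the two entries in the post) and checks that three things agree: the callback URL the browser actually hit as seen through the LB's `Host` and `X-Forwarded-Proto` headers, the `redirect_uri` Kibana sent to Keycloak (visible in the `Referer`), and the `base_redirect_url` from kibana.yml. It also confirms the `state` round-tripped and counts `/customerror?type=authError` hits. The callback path `/auth/openid/login` and the header names are taken from the post's log; with the post's `base_redirect_url` the script reports no findings, which means the browser-facing redirect leg is consistent and the next place to look is Kibana's back-channel token exchange with Keycloak, which these response logs do not show.

```python
"""Consistency check for an Open Distro Kibana OpenID callback behind a
TLS-terminating load balancer, driven by Kibana's JSON "response" log lines.

Added example; not code from the post, from Open Distro or from Keycloak.
Assumptions: the callback path is /auth/openid/login (as in the post's log),
the LB sets X-Forwarded-Proto and Host as in the post, and SAMPLE_LOG is a
constructed, shortened copy of the post's two log entries.
"""
import json
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/auth/openid/login"

# Referer the browser carried into the callback (copied from the post's log).
IDP_AUTH_REFERER = (
    "https://mykeycloak.dns/auth/realms/myrealm/protocol/openid-connect/auth"
    "?client_id=kibana-client-id&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmykibana.dns%2Fauth%2Fopenid%2Flogin"
    "&state=rbzmnzgfaeEXLrgzhvXgIF&scope=openid%20profile%20email"
)

# Constructed sample: shortened copies of the post's two Kibana log entries.
SAMPLE_LOG = [
    json.dumps({
        "type": "response", "statusCode": 302,
        "req": {
            "url": "/auth/openid/login?state=rbzmnzgfaeEXLrgzhvXgIF"
                   "&session_state=c3e5dde1&code=d1ecfd4f.c3e5dde1.4a938c58",
            "headers": {"host": "mykibana.dns", "referer": IDP_AUTH_REFERER,
                        "x-forwarded-proto": "https", "x-forwarded-port": "443"},
        },
    }),
    json.dumps({
        "type": "response", "statusCode": 200,
        "req": {"url": "/customerror?type=authError",
                "headers": {"host": "mykibana.dns", "x-forwarded-proto": "https"}},
    }),
]


def expected_callback(base_redirect_url):
    """The redirect_uri Kibana should register with the IdP for this config."""
    return base_redirect_url.rstrip("/") + CALLBACK_PATH


def parse_entries(lines):
    """Keep only well-formed Kibana 'response' entries that carry a request."""
    entries = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise (plugin banners, stack traces) is skipped
        if entry.get("type") == "response" and "req" in entry:
            entries.append(entry)
    return entries


def check_callback(entry, base_redirect_url):
    """Findings for one /auth/openid/login request; an empty list means consistent."""
    req = entry["req"]
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    url = urlsplit(req["url"])
    query = parse_qs(url.query)
    findings = []
    if "code" not in query or "state" not in query:
        findings.append("callback lacks code or state")
    # Scheme and host the browser actually used, as reported by the LB headers.
    scheme = headers.get("x-forwarded-proto", "http")
    actual = f"{scheme}://{headers.get('host', '')}{url.path}"
    expected = expected_callback(base_redirect_url)
    if actual != expected:
        findings.append(f"browser hit {actual}, config expects {expected}")
    if scheme != "https":
        findings.append("callback reached Kibana without X-Forwarded-Proto=https")
    referer = headers.get("referer")
    if referer:
        idp_query = parse_qs(urlsplit(referer).query)
        sent = idp_query.get("redirect_uri", [None])[0]
        if sent != expected:
            findings.append(f"redirect_uri sent to IdP was {sent}, config expects {expected}")
        if idp_query.get("state", [None])[0] != query.get("state", [None])[0]:
            findings.append("state returned by IdP differs from state sent")
    return findings


def audit(lines, base_redirect_url):
    """Summarise the OIDC callback traffic in a batch of Kibana log lines."""
    report = {"callbacks": 0, "auth_errors": 0, "findings": []}
    for entry in parse_entries(lines):
        url = urlsplit(entry["req"]["url"])
        if url.path == CALLBACK_PATH:
            report["callbacks"] += 1
            report["findings"].extend(check_callback(entry, base_redirect_url))
        elif url.path == "/customerror" and "authError" in parse_qs(url.query).get("type", []):
            report["auth_errors"] += 1
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "https://mykibana.dns/"))  # post's value: no findings
    print(audit(SAMPLE_LOG, "http://mykibana.dns/"))   # wrong scheme: two findings
```

Run it against a real Kibana log by replacing `SAMPLE_LOG` with the file's lines; a non-empty `findings` list means the redirect leg itself is inconsistent (wrong scheme or host behind the LB, or a `base_redirect_url` that does not match what Keycloak was told), while an empty list with `auth_errors` still incrementing points past the browser into Kibana's server-side call to the token endpoint.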