OIDC Keycloak mapping users

Versions:
k8s OpenSearch 2.7.0

Describe the issue:
Hello, I have some problems implementing role mappings with Keycloak. I have backend_roles via groups from Keycloak, but how can I give the user specific rights depending on the preferred username (e-mail) or groups (backend_roles)?

Configuration:
I am using the opensearch-k8s-operator and created a Keycloak client. I added an example access token later on.

Relevant OpenSearch configuration:

  config.yml: |-
    _meta:
      type: "config"
      config_version: "2"
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          # Fallback domain: internal user database, tried after the OIDC domain
          # (a higher order value means it is evaluated later).
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: "4"
            http_authenticator:
              type: basic
              challenge: true   # sends WWW-Authenticate, so clients without a token get a basic-auth prompt
            authentication_backend:
              type: intern
          # Tried first (order 0): verifies the Keycloak JWT against the realm's JWKS
          # discovered through openid_connect_url.
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: "0"
            http_authenticator:
              type: openid
              challenge: false  # no challenge here, so requests without a token fall through to basic auth
              config:
                subject_key: preferred_username   # claim used as the OpenSearch user name
                roles_key: groups                 # claim whose values become backend roles
                openid_connect_url: "https://xxx/realms/yyy/.well-known/openid-configuration"
            authentication_backend:
              type: noop        # the JWT is already verified; no second backend lookup

Relevant Logs or Screenshots:
Keycloak access token (excerpt):

    "scope": "openid groups email profile",
    "groups": [
      "my-example-group"
    ],
    "preferred_username": "xxx.yyy@company.com",

I can find "my-example-group" as a backend role on my user without any mapping.

Hopefully someone can give me some good hints. The documentation did not help me. Also, I can't add a role mapping in OpenSearch Dashboards because I am using the k8s OpenSearch version, where it is managed via yaml files.

Best regards,
Danjin

@Danjin What do you mean you can't add role mappings in OpenSearch Dashboards?
K8s has nothing to do with the functionality of OpenSearch Dashboards.
Once you access your OpenSearch Dashboards UI, you can change the security settings if you use a privileged user.

If you'd like to use yaml files, then you must map Keycloak's groups to OpenSearch roles in the roles_mapping.yaml file.

@pablo thank you for your input. I found the "Security" section in OpenSearch Dashboards and can add role mappings now.

With a better understanding of how roles and role mappings work, I can now also use .yaml files to map my backend_roles to roles.

From the official documentation I found this statement:

Unless you need to create new reserved or hidden users, we highly recommend using OpenSearch Dashboards or the REST API to create new users, roles, and role mappings. The .yml files are for initial setup, not ongoing use.

Is this statement also valid for OpenSearch on k8s? I would like to configure as much as possible in .yaml files and outside of OpenSearch.

Thanks so far and best regards,
Danjin

@Danjin This statement concerns OpenSearch itself, no matter the type of deployment.

The reason behind it is that it is very easy to make mistakes in the .yaml files if you're not familiar with their indentation rules.
If you feel comfortable with the files, then go ahead and use them.

Also, this statement is only partially true, as you must use the securityadmin.sh script to configure the authentication type (config.yml).

When modifying the security configuration with the securityadmin.sh script, make a backup of the configuration beforehand, then make the changes in the files and upload them back to the cluster.
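The following script is an added example and is not code from this thread, from the opensearch-k8s-operator or from the OpenSearch project. It covers both the original question (how to map the Keycloak group that arrives as a backend role, and a single user matched on preferred_username, to OpenSearch roles in the yaml files) and the backup-then-upload procedure described in the last reply. Everything outside the two yaml documents is an assumption: the securityadmin.sh path, the admin certificate names (the demo kirk.pem), the host, and the made-up role name logs_reader and index pattern logs-*.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSearch project).
# Writes roles.yml and roles_mapping.yml for the Keycloak setup discussed above,
# then optionally backs up the live security config and uploads the two files.
set -eu

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/opensearch-security-config}"
BACKUP_DIR="${BACKUP_DIR:-${TMPDIR:-/tmp}/opensearch-security-backup}"
# Assumed locations; adjust for your cluster image.
SECURITYADMIN="${SECURITYADMIN:-/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh}"
CERT_DIR="${CERT_DIR:-/usr/share/opensearch/config}"
OPENSEARCH_HOST="${OPENSEARCH_HOST:-localhost}"

# roles.yml: the OpenSearch role the Keycloak group should receive.
# "logs_reader" and "logs-*" are made-up names for this example.
write_roles() {
  mkdir -p "$OUT_DIR"
  cat > "$OUT_DIR/roles.yml" <<'EOF'
_meta:
  type: "roles"
  config_version: 2

logs_reader:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - "read"
EOF
}

# roles_mapping.yml: with roles_key: groups every value of the token's "groups"
# claim is a backend role, and with subject_key: preferred_username the user
# name is the e-mail address, so both can be matched here.
write_roles_mapping() {
  mkdir -p "$OUT_DIR"
  cat > "$OUT_DIR/roles_mapping.yml" <<'EOF'
_meta:
  type: "rolesmapping"
  config_version: 2

# Everyone in the Keycloak group "my-example-group" gets logs_reader.
logs_reader:
  reserved: false
  backend_roles:
    - "my-example-group"

# One specific user, matched on preferred_username, gets the built-in all_access
# role. The "admin" backend role is kept so the default admin mapping survives.
all_access:
  reserved: false
  backend_roles:
    - "admin"
  users:
    - "xxx.yyy@company.com"
EOF
}

# Common securityadmin.sh flags: -icl ignores the cluster name, -nhnv skips
# hostname verification. kirk.pem/kirk-key.pem are the demo admin cert names.
sa() {
  "$SECURITYADMIN" "$@" -icl -nhnv -h "$OPENSEARCH_HOST" \
    -cacert "$CERT_DIR/root-ca.pem" -cert "$CERT_DIR/kirk.pem" -key "$CERT_DIR/kirk-key.pem"
}

# 1) back up the live security index, 2) upload only the two changed types.
backup_and_apply() {
  sa -backup "$BACKUP_DIR"
  sa -f "$OUT_DIR/roles.yml" -t roles
  sa -f "$OUT_DIR/roles_mapping.yml" -t rolesmapping
}

write_roles
write_roles_mapping
# Uploading needs a reachable cluster, so it only runs when asked for explicitly:
#   ./map_keycloak_roles.sh apply
if [ "${1:-}" = "apply" ]; then
  backup_and_apply
else
  echo "wrote $OUT_DIR/roles.yml and $OUT_DIR/roles_mapping.yml (run with 'apply' to upload)"
fi
```

Two caveats a practitioner should keep in mind: uploading a file with `-f ... -t rolesmapping` replaces the whole rolesmapping section, not just the entries in the file, so start from the backup taken in the first step (or the file currently deployed) and add your mappings to it rather than uploading a minimal fragment like the one above on its own. And when the operator applies the security configuration for you from a Kubernetes secret, the yaml content is the same; only the upload step changes.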