Opensearch backend + keycloak

Hello.

According to the authorization flow, if no role is passed to the user then the user has no permissions but is still able to log in. Keycloak is configured to provide roles for users that should have access to OpenSearch and does not provide roles for users that should not have access to OpenSearch.

Is there any setting on the OpenSearch side to completely reject access if no OpenSearch roles are provided?

For example Grafana has such options:

GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"

If no role is provided via the JWT, Grafana declines access.

@Antonio I’m not aware of such an option in OpenSearch.

As you may know, the login process has two phases.

  1. Authentication - where username and password are validated
  2. Authorization - where access to resources is given based on assigned roles/groups/privileges to the authenticated user.

The reason why you can still access OpenSearch Dashboards is that the default role mapping of the own_index role is allowed for all authenticated users. It means that even users without assigned Keycloak roles will be able to access OpenSearch Dashboards.

image

If you restrict that role mapping, you should see the following screen in OpenSearch Dashboards when the authenticated user has no roles assigned.

image
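To make the role-mapping change concrete, here is an added example of the relevant `roles_mapping.yml` entry for the OpenSearch Security plugin; it is not code from the thread or from the OpenSearch project. The first block reproduces the shipped default, which maps own_index to every authenticated user via the `"*"` wildcard; the second restricts it to a backend role. The backend role name `opensearch_user` is an assumption standing in for whatever role Keycloak puts into the token for users that should have access.

```yaml
# Default shipped mapping (the "weak" setting): the "*" wildcard under
# users: matches every authenticated user, so a Keycloak user with no roles
# in the token still gets own_index and can log in to Dashboards.
own_index:
  reserved: false
  hidden: false
  backend_roles: []
  hosts: []
  users:
    - "*"
  and_backend_roles: []
  description: "Allow full access to an index named like the username"

---
# Restricted mapping: own_index is granted only to users whose token carries
# the backend role below. Users whose token has no roles match nothing, so
# they end up with no OpenSearch role at all and Dashboards shows the
# "no permissions" screen instead of letting them in.
own_index:
  reserved: false
  hidden: false
  backend_roles:
    - "opensearch_user"   # assumed Keycloak role name; replace with yours
  hosts: []
  users: []
  and_backend_roles: []
  description: "Allow full access to an index named like the username"
```

The `---` separator only keeps the two variants side by side for comparison; a real `roles_mapping.yml` contains a single `own_index` entry. After editing the file, the change has to be pushed into the security index (for example with `securityadmin.sh`) or made through the Dashboards security UI; the same `"*"` check is worth repeating for any other mapping that should not apply to every authenticated user.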