Integrate roles with Open Distro and Keycloak

Question

I am trying to integrate Keycloak with ES Open Distro.

I managed to fetch token with proper roles but it seems that Open Distro is not finding a given role and it returns forbidden for given indexes

I have configured

config:
  dynamic:
   ....
    authc:
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            pemtrustedcas_filepath: {omitted}
            enable_ssl: true
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak:8000/auth/realms/{omitted}/.well-known/openid-configuration
            jwks_uri: https://keycloak:8000/auth/realms/{ommited}/protocol/openid-connect/certs
        authentication_backend:
          type: noop

as in https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/openid-connect/#configure-openid-connect-integration

roles.yaml

my_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:monitor/main"
  - "indices:data/write/index"
  - "indices:data/write/bulk"
  - "indices:data/read/mget"
  - "indices:data/read/search"
  - "indices:data/read/search*"
  index_permissions:
  - index_patterns:
    - "*my-index*"
    - "indices:data/read/mget"
    allowed_actions:
    - "*"
  static: false

Token

omitted
"roles": "my_role"

With configuration, I am able to reach ES which returns in logs :

elasticsearch_1  | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No index-level perm match for User [name=developer, roles=[my_role], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked []]
elasticsearch_1  | [2021-08-16T11:41:48,123][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No permissions for [indices:data/read/search]
elasticsearch_1  | [2021-08-16T11:41:48,123][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] PrivEvalResponse [allowed=false, missingPrivileges=[indices:data/read/search], allowedFlsFields=null, maskedFields=null, queries=null]
elasticsearch_1  | [2021-08-16T11:41:48,124][DEBUG][c.a.o.s.f.OpenDistroSecurityFilter] [elasticsearch] no permissions for [indices:data/read/search]
elasticsearch_1  | [2021-08-16T11:41:48,125][DEBUG][r.suppressed             ] [elasticsearch] path: /_search, params: {}
elasticsearch_1  | org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=developer, roles=[my_role], requestedTenant=null]

I see that [RolesChecked []] is empty. Why it does not find any roles created already ( I have checked through API and all roles are added correctly + the internal user is using the given role correctly).

Any help would be appreciated.

Answer 1

After testing I found out that the proper configuration should be : roles.yaml

my_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:monitor/main"
  - "indices:data/write/index"
  - "indices:data/write/bulk"
  - "indices:data/read/mget"
  - "indices:data/read/search"
  - "indices:data/read/search*"
  index_permissions:
  - index_patterns:
    - "*my-index*"
    - "indices:data/read/mget"
    allowed_actions:
    - "*"
  static: false

roles_mapping.yaml

my_role: # This has to be the exactly the same name as my_role in roles.yaml
  reserved: false
  backend_roles:
  - "read_messages" # This value is a value that should be placed in token roles: read_messages
  description: "Allow access for anyone who has role read_messages assigned in token roles"

I realized that backend_roles are basically roles that have to be set in the token. And keyname for roles_mapping.yaml has to be exactly the same as the role name in roles.yaml.