Help Center>
Cloud Search Service>
User Guide (Kuala Lumpur Region)>
FAQs>
Kibana>
How Do I Configure openId via Kibana?
Updated on 2023-06-20 GMT+08:00
How Do I Configure openId via Kibana?
- Modify the trunk configurations of the cluster and enable configuration modification for opendistro.
opendistro_security.unsupported.restapi.allow_securityconfig_modification: true
Now you can directly call the opendistro API to use securityconfig. Restart the cluster to make the configuration take effect.
- Obtain the current securityconfig.
- Run the following command on the Dev Tools page of Kibana:
GET _opendistro/_security/api/securityconfig
- Take the version 7.6.2 as an example. The command output is as follows. To add new configurations, you can add openId to authc.
{ "config" : { "dynamic" : { "filtered_alias_mode" : "warn", "disable_rest_auth" : false, "disable_intertransport_auth" : false, "respect_request_indices_options" : false, "kibana" : { "multitenancy_enabled" : true, "server_username" : "kibanaserver", "index" : ".kibana" }, "http" : { "anonymous_auth_enabled" : false, "xff" : { "enabled" : false, "internalProxies" : """192\.168\.0\.10|192\.168\.0\.11""", "remoteIpHeader" : "X-Forwarded-For" } }, "authc" : { "jwt_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 0, "http_authenticator" : { "challenge" : false, "type" : "jwt", "config" : { "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key", "jwt_header" : "Authorization" } }, "authentication_backend" : { "type" : "noop", "config" : { } }, "description" : "Authenticate via Json Web Token" }, "ldap" : { "http_enabled" : false, "transport_enabled" : false, "order" : 5, "http_authenticator" : { "challenge" : false, "type" : "basic", "config" : { } }, "authentication_backend" : { "type" : "ldap", "config" : { "enable_ssl" : false, "enable_start_tls" : false, "enable_ssl_client_auth" : false, "verify_hostnames" : true, "hosts" : [ "localhost:8389" ], "userbase" : "ou=people,dc=example,dc=com", "usersearch" : "(sAMAccountName={0})" } }, "description" : "Authenticate via LDAP or Active Directory" }, "basic_internal_auth_domain" : { "http_enabled" : true, "transport_enabled" : true, "order" : 4, "http_authenticator" : { "challenge" : true, "type" : "basic", "config" : { } }, "authentication_backend" : { "type" : "intern", "config" : { } }, "description" : "Authenticate via HTTP Basic against internal users database" }, "proxy_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 3, "http_authenticator" : { "challenge" : false, "type" : "proxy", "config" : { "user_header" : "x-proxy-user", "roles_header" : "x-proxy-roles" } }, "authentication_backend" : { "type" : "noop", "config" : { } }, "description" : "Authenticate via proxy" }, "clientcert_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 2, "http_authenticator" : { "challenge" : false, "type" : "clientcert", "config" : { "username_attribute" : "cn" } }, "authentication_backend" : { "type" : "noop", "config" : { } }, "description" : "Authenticate via SSL client certificates" }, "kerberos_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 6, "http_authenticator" : { "challenge" : true, "type" : "kerberos", "config" : { "krb_debug" : false, "strip_realm_from_principal" : true } }, "authentication_backend" : { "type" : "noop", "config" : { } } } }, "authz" : { "roles_from_another_ldap" : { "http_enabled" : false, "transport_enabled" : false, "authorization_backend" : { "type" : "ldap", "config" : { } }, "description" : "Authorize via another Active Directory" }, "roles_from_myldap" : { "http_enabled" : false, "transport_enabled" : false, "authorization_backend" : { "type" : "ldap", "config" : { "enable_ssl" : false, "enable_start_tls" : false, "enable_ssl_client_auth" : false, "verify_hostnames" : true, "hosts" : [ "localhost:8389" ], "rolebase" : "ou=groups,dc=example,dc=com", "rolesearch" : "(member={0})", "userrolename" : "disabled", "rolename" : "cn", "resolve_nested_roles" : true, "userbase" : "ou=people,dc=example,dc=com", "usersearch" : "(uid={0})" } }, "description" : "Authorize via LDAP or Active Directory" } }, "auth_failure_listeners" : { }, "do_not_fail_on_forbidden" : false, "multi_rolespan_enabled" : true, "hosts_resolver_mode" : "ip-only", "do_not_fail_on_forbidden_empty" : false } } }
- Run the following command on the Dev Tools page of Kibana:
- Add the configurations of openId.
The configuration of openId is as follows:
"openid_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 7, "http_authenticator": { "challenge": false, "type": "openid", "config": { "openid_connect_url": "https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration", "roles_key": "roles", "subject_key": "preferred_username" } }, "authentication_backend": { "type": "noop", "config": {} } },Run the following command to update config:
PUT _opendistro/_security/api/securityconfig/config { "dynamic": { "filtered_alias_mode": "warn", "disable_rest_auth": false, "disable_intertransport_auth": false, "respect_request_indices_options": false, "kibana": { "multitenancy_enabled": true, "server_username": "kibanaserver", "index": ".kibana" }, "http": { "anonymous_auth_enabled": false, "xff": { "enabled": false, "internalProxies": """192\.168\.0\.10|192\.168\.0\.11""", "remoteIpHeader": "X-Forwarded-For" } }, "authc": { "jwt_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 0, "http_authenticator": { "challenge": false, "type": "jwt", "config": { "signing_key": "base64 encoded HMAC key or public RSA/ECDSA pem key", "jwt_header": "Authorization" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via Json Web Token" }, "openid_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 7, "http_authenticator": { "challenge": false, "type": "openid", "config": { "openid_connect_url": "https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration", "roles_key": "roles", "subject_key": "preferred_username" } }, "authentication_backend": { "type": "noop", "config": {} } }, "ldap": { "http_enabled": false, "transport_enabled": false, "order": 5, "http_authenticator": { "challenge": false, "type": "basic", "config": {} }, "authentication_backend": { "type": "ldap", "config": { "enable_ssl": false, "enable_start_tls": false, "enable_ssl_client_auth": false, "verify_hostnames": true, "hosts": [ "localhost:8389" ], "userbase": "ou=people,dc=example,dc=com", "usersearch": "(sAMAccountName={0})" } }, "description": "Authenticate via LDAP or Active Directory" }, "basic_internal_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 4, "http_authenticator": { "challenge": true, "type": "basic", "config": {} }, "authentication_backend": { "type": "intern", "config": {} }, "description": "Authenticate via HTTP Basic against internal users database" }, "proxy_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 3, "http_authenticator": { "challenge": false, "type": "proxy", "config": { "user_header": "x-proxy-user", "roles_header": "x-proxy-roles" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via proxy" }, "clientcert_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 2, "http_authenticator": { "challenge": false, "type": "clientcert", "config": { "username_attribute": "cn" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via SSL client certificates" }, "kerberos_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 6, "http_authenticator": { "challenge": true, "type": "kerberos", "config": { "krb_debug": false, "strip_realm_from_principal": true } }, "authentication_backend": { "type": "noop", "config": {} } } }, "authz": { "roles_from_another_ldap": { "http_enabled": false, "transport_enabled": false, "authorization_backend": { "type": "ldap", "config": {} }, "description": "Authorize via another Active Directory" }, "roles_from_myldap": { "http_enabled": false, "transport_enabled": false, "authorization_backend": { "type": "ldap", "config": { "enable_ssl": false, "enable_start_tls": false, "enable_ssl_client_auth": false, "verify_hostnames": true, "hosts": [ "localhost:8389" ], "rolebase": "ou=groups,dc=example,dc=com", "rolesearch": "(member={0})", "userrolename": "disabled", "rolename": "cn", "resolve_nested_roles": true, "userbase": "ou=people,dc=example,dc=com", "usersearch": "(uid={0})" } }, "description": "Authorize via LDAP or Active Directory" } }, "auth_failure_listeners": {}, "do_not_fail_on_forbidden": false, "multi_rolespan_enabled": true, "hosts_resolver_mode": "ip-only", "do_not_fail_on_forbidden_empty": false } }
Parent topic: Kibana
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
