Help Center/ Cloud Search Service/ User Guide (Kuala Lumpur Region)/ FAQs/ Kibana/ How Do I Configure openId via Kibana?
Updated on 2023-06-20 GMT+08:00

How Do I Configure openId via Kibana?

  1. Modify the trunk configurations of the cluster and enable configuration modification for opendistro.
    opendistro_security.unsupported.restapi.allow_securityconfig_modification: true

    Now you can directly call the opendistro API to use securityconfig. Restart the cluster to make the configuration take effect.

  2. Obtain the current securityconfig.
    1. Run the following command on the Dev Tools page of Kibana:
      GET _opendistro/_security/api/securityconfig
    2. Take the version 7.6.2 as an example. The command output is as follows. To add new configurations, you can add openId to authc.
      {
        "config" : {
          "dynamic" : {
            "filtered_alias_mode" : "warn",
            "disable_rest_auth" : false,
            "disable_intertransport_auth" : false,
            "respect_request_indices_options" : false,
            "kibana" : {
              "multitenancy_enabled" : true,
              "server_username" : "kibanaserver",
              "index" : ".kibana"
            },
            "http" : {
              "anonymous_auth_enabled" : false,
              "xff" : {
                "enabled" : false,
                "internalProxies" : """192\.168\.0\.10|192\.168\.0\.11""",
                "remoteIpHeader" : "X-Forwarded-For"
              }
            },
            "authc" : {
              "jwt_auth_domain" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "order" : 0,
                "http_authenticator" : {
                  "challenge" : false,
                  "type" : "jwt",
                  "config" : {
                    "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key",
                    "jwt_header" : "Authorization"
                  }
                },
                "authentication_backend" : {
                  "type" : "noop",
                  "config" : { }
                },
                "description" : "Authenticate via Json Web Token"
              },
              "ldap" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "order" : 5,
                "http_authenticator" : {
                  "challenge" : false,
                  "type" : "basic",
                  "config" : { }
                },
                "authentication_backend" : {
                  "type" : "ldap",
                  "config" : {
                    "enable_ssl" : false,
                    "enable_start_tls" : false,
                    "enable_ssl_client_auth" : false,
                    "verify_hostnames" : true,
                    "hosts" : [
                      "localhost:8389"
                    ],
                    "userbase" : "ou=people,dc=example,dc=com",
                    "usersearch" : "(sAMAccountName={0})"
                  }
                },
                "description" : "Authenticate via LDAP or Active Directory"
              },
              "basic_internal_auth_domain" : {
                "http_enabled" : true,
                "transport_enabled" : true,
                "order" : 4,
                "http_authenticator" : {
                  "challenge" : true,
                  "type" : "basic",
                  "config" : { }
                },
                "authentication_backend" : {
                  "type" : "intern",
                  "config" : { }
                },
                "description" : "Authenticate via HTTP Basic against internal users database"
              },
              "proxy_auth_domain" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "order" : 3,
                "http_authenticator" : {
                  "challenge" : false,
                  "type" : "proxy",
                  "config" : {
                    "user_header" : "x-proxy-user",
                    "roles_header" : "x-proxy-roles"
                  }
                },
                "authentication_backend" : {
                  "type" : "noop",
                  "config" : { }
                },
                "description" : "Authenticate via proxy"
              },
              "clientcert_auth_domain" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "order" : 2,
                "http_authenticator" : {
                  "challenge" : false,
                  "type" : "clientcert",
                  "config" : {
                    "username_attribute" : "cn"
                  }
                },
                "authentication_backend" : {
                  "type" : "noop",
                  "config" : { }
                },
                "description" : "Authenticate via SSL client certificates"
              },
              "kerberos_auth_domain" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "order" : 6,
                "http_authenticator" : {
                  "challenge" : true,
                  "type" : "kerberos",
                  "config" : {
                    "krb_debug" : false,
                    "strip_realm_from_principal" : true
                  }
                },
                "authentication_backend" : {
                  "type" : "noop",
                  "config" : { }
                }
              }
            },
            "authz" : {
              "roles_from_another_ldap" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "authorization_backend" : {
                  "type" : "ldap",
                  "config" : { }
                },
                "description" : "Authorize via another Active Directory"
              },
              "roles_from_myldap" : {
                "http_enabled" : false,
                "transport_enabled" : false,
                "authorization_backend" : {
                  "type" : "ldap",
                  "config" : {
                    "enable_ssl" : false,
                    "enable_start_tls" : false,
                    "enable_ssl_client_auth" : false,
                    "verify_hostnames" : true,
                    "hosts" : [
                      "localhost:8389"
                    ],
                    "rolebase" : "ou=groups,dc=example,dc=com",
                    "rolesearch" : "(member={0})",
                    "userrolename" : "disabled",
                    "rolename" : "cn",
                    "resolve_nested_roles" : true,
                    "userbase" : "ou=people,dc=example,dc=com",
                    "usersearch" : "(uid={0})"
                  }
                },
                "description" : "Authorize via LDAP or Active Directory"
              }
            },
            "auth_failure_listeners" : { },
            "do_not_fail_on_forbidden" : false,
            "multi_rolespan_enabled" : true,
            "hosts_resolver_mode" : "ip-only",
            "do_not_fail_on_forbidden_empty" : false
          }
        }
      }
  3. Add the configurations of openId.

    The configuration of openId is as follows:

     "openid_auth_domain": {
            "http_enabled": true,
            "transport_enabled": true,
            "order": 7,
            "http_authenticator": {
              "challenge": false,
              "type": "openid",
              "config": {
                "openid_connect_url": "https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration",
                "roles_key": "roles",
                "subject_key": "preferred_username"
              }
            },
            "authentication_backend": {
              "type": "noop",
              "config": {}
            }
          },

    Run the following command to update config:

    PUT _opendistro/_security/api/securityconfig/config
    {
      "dynamic": {
        "filtered_alias_mode": "warn",
        "disable_rest_auth": false,
        "disable_intertransport_auth": false,
        "respect_request_indices_options": false,
        "kibana": {
          "multitenancy_enabled": true,
          "server_username": "kibanaserver",
          "index": ".kibana"
        },
        "http": {
          "anonymous_auth_enabled": false,
          "xff": {
            "enabled": false,
            "internalProxies": """192\.168\.0\.10|192\.168\.0\.11""",
            "remoteIpHeader": "X-Forwarded-For"
          }
        },
        "authc": {
          "jwt_auth_domain": {
            "http_enabled": false,
            "transport_enabled": false,
            "order": 0,
            "http_authenticator": {
              "challenge": false,
              "type": "jwt",
              "config": {
                "signing_key": "base64 encoded HMAC key or public RSA/ECDSA pem key",
                "jwt_header": "Authorization"
              }
            },
            "authentication_backend": {
              "type": "noop",
              "config": {}
            },
            "description": "Authenticate via Json Web Token"
          },
          "openid_auth_domain": {
            "http_enabled": true,
            "transport_enabled": true,
            "order": 7,
            "http_authenticator": {
              "challenge": false,
              "type": "openid",
              "config": {
                "openid_connect_url": "https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration",
                "roles_key": "roles",
                "subject_key": "preferred_username"
              }
            },
            "authentication_backend": {
              "type": "noop",
              "config": {}
            }
          },
          "ldap": {
            "http_enabled": false,
            "transport_enabled": false,
            "order": 5,
            "http_authenticator": {
              "challenge": false,
              "type": "basic",
              "config": {}
            },
            "authentication_backend": {
              "type": "ldap",
              "config": {
                "enable_ssl": false,
                "enable_start_tls": false,
                "enable_ssl_client_auth": false,
                "verify_hostnames": true,
                "hosts": [
                  "localhost:8389"
                ],
                "userbase": "ou=people,dc=example,dc=com",
                "usersearch": "(sAMAccountName={0})"
              }
            },
            "description": "Authenticate via LDAP or Active Directory"
          },
          "basic_internal_auth_domain": {
            "http_enabled": true,
            "transport_enabled": true,
            "order": 4,
            "http_authenticator": {
              "challenge": true,
              "type": "basic",
              "config": {}
            },
            "authentication_backend": {
              "type": "intern",
              "config": {}
            },
            "description": "Authenticate via HTTP Basic against internal users database"
          },
          "proxy_auth_domain": {
            "http_enabled": false,
            "transport_enabled": false,
            "order": 3,
            "http_authenticator": {
              "challenge": false,
              "type": "proxy",
              "config": {
                "user_header": "x-proxy-user",
                "roles_header": "x-proxy-roles"
              }
            },
            "authentication_backend": {
              "type": "noop",
              "config": {}
            },
            "description": "Authenticate via proxy"
          },
          "clientcert_auth_domain": {
            "http_enabled": false,
            "transport_enabled": false,
            "order": 2,
            "http_authenticator": {
              "challenge": false,
              "type": "clientcert",
              "config": {
                "username_attribute": "cn"
              }
            },
            "authentication_backend": {
              "type": "noop",
              "config": {}
            },
            "description": "Authenticate via SSL client certificates"
          },
          "kerberos_auth_domain": {
            "http_enabled": false,
            "transport_enabled": false,
            "order": 6,
            "http_authenticator": {
              "challenge": true,
              "type": "kerberos",
              "config": {
                "krb_debug": false,
                "strip_realm_from_principal": true
              }
            },
            "authentication_backend": {
              "type": "noop",
              "config": {}
            }
          }
        },
        "authz": {
          "roles_from_another_ldap": {
            "http_enabled": false,
            "transport_enabled": false,
            "authorization_backend": {
              "type": "ldap",
              "config": {}
            },
            "description": "Authorize via another Active Directory"
          },
          "roles_from_myldap": {
            "http_enabled": false,
            "transport_enabled": false,
            "authorization_backend": {
              "type": "ldap",
              "config": {
                "enable_ssl": false,
                "enable_start_tls": false,
                "enable_ssl_client_auth": false,
                "verify_hostnames": true,
                "hosts": [
                  "localhost:8389"
                ],
                "rolebase": "ou=groups,dc=example,dc=com",
                "rolesearch": "(member={0})",
                "userrolename": "disabled",
                "rolename": "cn",
                "resolve_nested_roles": true,
                "userbase": "ou=people,dc=example,dc=com",
                "usersearch": "(uid={0})"
              }
            },
            "description": "Authorize via LDAP or Active Directory"
          }
        },
        "auth_failure_listeners": {},
        "do_not_fail_on_forbidden": false,
        "multi_rolespan_enabled": true,
        "hosts_resolver_mode": "ip-only",
        "do_not_fail_on_forbidden_empty": false
      }
    }