更新时间:2023-06-20 GMT+08:00
如何通过Kibana配置openId
- 修改集群的主干配置,开放opendistro的配置修改能力。
opendistro_security.unsupported.restapi.allow_securityconfig_modification: true
配置修改后,表示能够通过opendsitro的接口直接操作opendistro的securityconfig。配置修改完成后需要重启集群才会生效。
- 获取当前的securityconfig。
- 在kibana的“Dev Tools”页面执行如下命令:
GET _opendistro/_security/api/securityconfig
- 以7.6.2版本为例,返回的结果如下。如果需要增加新的配置,可以在authc中新增一个openId。
{ "config" : { "dynamic" : { "filtered_alias_mode" : "warn", "disable_rest_auth" : false, "disable_intertransport_auth" : false, "respect_request_indices_options" : false, "kibana" : { "multitenancy_enabled" : true, "server_username" : "kibanaserver", "index" : ".kibana" }, "http" : { "anonymous_auth_enabled" : false, "xff" : { "enabled" : false, "internalProxies" : """192\.168\.0\.10|192\.168\.0\.11""", "remoteIpHeader" : "X-Forwarded-For" } }, "authc" : { "jwt_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 0, "http_authenticator" : { "challenge" : false, "type" : "jwt", "config" : { "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key", "jwt_header" : "Authorization" } }, "authentication_backend" : { "type" : "noop", "config" : { } }, "description" : "Authenticate via Json Web Token" }, "ldap" : { "http_enabled" : false, "transport_enabled" : false, "order" : 5, "http_authenticator" : { "challenge" : false, "type" : "basic", "config" : { } }, "authentication_backend" : { "type" : "ldap", "config" : { "enable_ssl" : false, "enable_start_tls" : false, "enable_ssl_client_auth" : false, "verify_hostnames" : true, "hosts" : [ "localhost:8389" ], "userbase" : "ou=people,dc=example,dc=com", "usersearch" : "(sAMAccountName={0})" } }, "description" : "Authenticate via LDAP or Active Directory" }, "basic_internal_auth_domain" : { "http_enabled" : true, "transport_enabled" : true, "order" : 4, "http_authenticator" : { "challenge" : true, "type" : "basic", "config" : { } }, "authentication_backend" : { "type" : "intern", "config" : { } }, "description" : "Authenticate via HTTP Basic against internal users database" }, "proxy_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 3, "http_authenticator" : { "challenge" : false, "type" : "proxy", "config" : { "user_header" : "x-proxy-user", "roles_header" : "x-proxy-roles" } }, "authentication_backend" : { "type" : "noop", "config" : { } }, "description" : "Authenticate via proxy" }, "clientcert_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 2, "http_authenticator" : { "challenge" : false, "type" : "clientcert", "config" : { "username_attribute" : "cn" } }, "authentication_backend" : { "type" : "noop", "config" : { } }, "description" : "Authenticate via SSL client certificates" }, "kerberos_auth_domain" : { "http_enabled" : false, "transport_enabled" : false, "order" : 6, "http_authenticator" : { "challenge" : true, "type" : "kerberos", "config" : { "krb_debug" : false, "strip_realm_from_principal" : true } }, "authentication_backend" : { "type" : "noop", "config" : { } } } }, "authz" : { "roles_from_another_ldap" : { "http_enabled" : false, "transport_enabled" : false, "authorization_backend" : { "type" : "ldap", "config" : { } }, "description" : "Authorize via another Active Directory" }, "roles_from_myldap" : { "http_enabled" : false, "transport_enabled" : false, "authorization_backend" : { "type" : "ldap", "config" : { "enable_ssl" : false, "enable_start_tls" : false, "enable_ssl_client_auth" : false, "verify_hostnames" : true, "hosts" : [ "localhost:8389" ], "rolebase" : "ou=groups,dc=example,dc=com", "rolesearch" : "(member={0})", "userrolename" : "disabled", "rolename" : "cn", "resolve_nested_roles" : true, "userbase" : "ou=people,dc=example,dc=com", "usersearch" : "(uid={0})" } }, "description" : "Authorize via LDAP or Active Directory" } }, "auth_failure_listeners" : { }, "do_not_fail_on_forbidden" : false, "multi_rolespan_enabled" : true, "hosts_resolver_mode" : "ip-only", "do_not_fail_on_forbidden_empty" : false } } }
- 在kibana的“Dev Tools”页面执行如下命令:
- 新增openId的配置。
"openid_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 7, "http_authenticator": { "challenge": false, "type": "openid", "config": { "openid_connect_url": "https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration", "roles_key": "roles", "subject_key": "preferred_username" } }, "authentication_backend": { "type": "noop", "config": {} } },执行如下命令更新config:
PUT _opendistro/_security/api/securityconfig/config { "dynamic": { "filtered_alias_mode": "warn", "disable_rest_auth": false, "disable_intertransport_auth": false, "respect_request_indices_options": false, "kibana": { "multitenancy_enabled": true, "server_username": "kibanaserver", "index": ".kibana" }, "http": { "anonymous_auth_enabled": false, "xff": { "enabled": false, "internalProxies": """192\.168\.0\.10|192\.168\.0\.11""", "remoteIpHeader": "X-Forwarded-For" } }, "authc": { "jwt_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 0, "http_authenticator": { "challenge": false, "type": "jwt", "config": { "signing_key": "base64 encoded HMAC key or public RSA/ECDSA pem key", "jwt_header": "Authorization" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via Json Web Token" }, "openid_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 7, "http_authenticator": { "challenge": false, "type": "openid", "config": { "openid_connect_url": "https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration", "roles_key": "roles", "subject_key": "preferred_username" } }, "authentication_backend": { "type": "noop", "config": {} } }, "ldap": { "http_enabled": false, "transport_enabled": false, "order": 5, "http_authenticator": { "challenge": false, "type": "basic", "config": {} }, "authentication_backend": { "type": "ldap", "config": { "enable_ssl": false, "enable_start_tls": false, "enable_ssl_client_auth": false, "verify_hostnames": true, "hosts": [ "localhost:8389" ], "userbase": "ou=people,dc=example,dc=com", "usersearch": "(sAMAccountName={0})" } }, "description": "Authenticate via LDAP or Active Directory" }, "basic_internal_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 4, "http_authenticator": { "challenge": true, "type": "basic", "config": {} }, "authentication_backend": { "type": "intern", "config": {} }, "description": "Authenticate via HTTP Basic against internal users database" }, "proxy_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 3, "http_authenticator": { "challenge": false, "type": "proxy", "config": { "user_header": "x-proxy-user", "roles_header": "x-proxy-roles" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via proxy" }, "clientcert_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 2, "http_authenticator": { "challenge": false, "type": "clientcert", "config": { "username_attribute": "cn" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via SSL client certificates" }, "kerberos_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 6, "http_authenticator": { "challenge": true, "type": "kerberos", "config": { "krb_debug": false, "strip_realm_from_principal": true } }, "authentication_backend": { "type": "noop", "config": {} } } }, "authz": { "roles_from_another_ldap": { "http_enabled": false, "transport_enabled": false, "authorization_backend": { "type": "ldap", "config": {} }, "description": "Authorize via another Active Directory" }, "roles_from_myldap": { "http_enabled": false, "transport_enabled": false, "authorization_backend": { "type": "ldap", "config": { "enable_ssl": false, "enable_start_tls": false, "enable_ssl_client_auth": false, "verify_hostnames": true, "hosts": [ "localhost:8389" ], "rolebase": "ou=groups,dc=example,dc=com", "rolesearch": "(member={0})", "userrolename": "disabled", "rolename": "cn", "resolve_nested_roles": true, "userbase": "ou=people,dc=example,dc=com", "usersearch": "(uid={0})" } }, "description": "Authorize via LDAP or Active Directory" } }, "auth_failure_listeners": {}, "do_not_fail_on_forbidden": false, "multi_rolespan_enabled": true, "hosts_resolver_mode": "ip-only", "do_not_fail_on_forbidden_empty": false } }
父主题: Kibana使用相关
