Hello,
I have enabled searchguard openid authentication (using keycloak) to secure ELK running in kubernetes cluster.
Kibana interacts with keycloak at 2 points:
On kibana server startup, it connects to the openid metadata url configured (searchguard.openid.connect_url in kibana.yml).
When user accesses kibana UI on the browser, it redirects to keycloak for authentication.
For both these interactions, the same keycloak connect url is getting used by the kibana-searchguard openid module. Is it possible to configure different urls for these two backend & frontend interactions?
In my case, keycloak server is accessible via https to the external world (i.e. to the browser) via a loadbalancer,
while internally to the kubernetes cluster, it is accessible on http (with the kubernetes service name and port). I do not have one keycloak url that is reachable by both kibana pod as well as the browser.
Any suggestions on how we could proceed with openid authentication?
Ok thanks, but my question is about the kibana searchguard plugin alone. Let me explain my use-case a bit to clarify the query.
Keycloak, elasticsearch & kibana run as pods in kubernetes cluster. There are k8s services for each of these pods.
Within the k8s cluster, keycloak server is accessible at http://keycloak.default.svc.cluster.local:8080 (‘keycloak’ is the k8s service name in default namespace).
That means - all pods in the cluster can reach the address.
Keycloak is a UI application, so users need to access it from their browsers (which would be external to the k8s cluster). For this external access, a load-balancer (nginx ingress) is used and access is provided on https. That means, a user can access keycloak admin console on their browser by accessing https://abc-xyz/auth.
Now, to enable openid-auth in elasticsearch & kibana, following configurations are made: sg_config.yml (searchguard-elasticsearch)
Now, kibana server (pod) starts successfully. User tries to open kibana UI on the browser on https://abc-xyz/kibana. As this is the first attempt to login and user is not authenticated yet, Kibana would redirect to keycloak UI (using the keycloak address configured in kibana.yml) on the browser to open the authentication page. After entering the user creds, keycloak would authenticate the user and load kibana home page.
But now, since my browser does not identify the internal k8s svc address keycloak.default.svc.cluster.local, the redirection to keycloak fails.
If I want the browser redirection from kibana to keycloak (explained in prev point) to succeed, Kibana’s searchguard.openid.connect_url should be configured with a url that the browser can resolve and reach. That means, in this case, https://abc-xyz/auth.
With this new configuration, when kibana server (pod) starts, it tries to contact the keycloak openid metadata url on service startup itself. Since the address in searchguard.openid.connect_url ( https://abc-xyz/auth) is not reachable from a pod inside the k8s cluster, kibana server fails with the error - Failed when trying to obtain the endpoints from your IdP
( Ref - OpenID Troubleshooting | Security for Elasticsearch | Search Guard)
So coming back to my query, kibana has two types of interactions with keycloak server when openid is enabled:
i. Kibana server to keycloak openid metadata url on kibana server startup
ii. Kibana UI redirection to keycloak UI on browser when user attempts to access
For both these interactions, the same searchguard.openid.connect_url is used by searchguard-kibana plugin.
In my case as explained above, I do not have a single keycloak server url that is reachable for both these interactions.
How can I proceed? Is there a way to configure separate urls?
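The two interactions described in the post (Kibana server fetching the OpenID metadata at startup, browser being redirected to the login page) reach Keycloak from different network vantage points. The following pre-flight check, added here as an example and not code from the thread, Search Guard or Keycloak, takes a discovery document plus a table of hostnames resolvable from inside the cluster and from a browser, and lists which endpoint the wrong party would fail to reach. The discovery documents, the host tables and the realm name "demo" are constructed; "abc-xyz" is the placeholder ingress host from the thread.

```python
"""Pre-flight check for a Kibana/Search Guard OpenID setup: which party has
to reach which Keycloak URL, and from which network vantage point.

Added example; not code from the forum thread, Search Guard or Keycloak.
Discovery documents and host tables are constructed to mirror the poster's
setup (in-cluster service name vs. the "abc-xyz" ingress placeholder);
the realm name "demo" is an assumption.
"""
import json
from urllib.parse import urlparse

# Parties in the authorization code flow: the browser is redirected to the
# first group, the Kibana server (relying party) calls the second directly.
BROWSER_ENDPOINTS = ("authorization_endpoint", "end_session_endpoint")
SERVER_ENDPOINTS = ("token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed stand-ins for what DNS resolves from each vantage point.
IN_CLUSTER_HOSTS = {"keycloak.default.svc.cluster.local"}
BROWSER_HOSTS = {"abc-xyz"}

INTERNAL_ISSUER = "http://keycloak.default.svc.cluster.local:8080/auth/realms/demo"
EXTERNAL_ISSUER = "https://abc-xyz/auth/realms/demo"


def make_discovery(issuer: str) -> str:
    """Build a constructed discovery document (Keycloak path layout) as JSON."""
    oidc = issuer + "/protocol/openid-connect"
    return json.dumps({
        "issuer": issuer,
        "authorization_endpoint": oidc + "/auth",
        "token_endpoint": oidc + "/token",
        "userinfo_endpoint": oidc + "/userinfo",
        "end_session_endpoint": oidc + "/logout",
        "jwks_uri": oidc + "/certs",
    })


def audit(connect_url: str, discovery_json: str,
          in_cluster_hosts=IN_CLUSTER_HOSTS, browser_hosts=BROWSER_HOSTS):
    """Return (endpoint, party, host) triples the named party cannot reach.

    connect_url is the value of searchguard.openid.connect_url; the Kibana
    server fetches it at startup, so it is checked against in-cluster hosts.
    """
    problems = []
    connect_host = urlparse(connect_url).hostname
    if connect_host not in in_cluster_hosts:
        problems.append(("connect_url", "kibana-server", connect_host))
    discovery = json.loads(discovery_json)
    for name in BROWSER_ENDPOINTS:
        host = urlparse(discovery[name]).hostname
        if host not in browser_hosts:
            problems.append((name, "browser", host))
    for name in SERVER_ENDPOINTS:
        host = urlparse(discovery[name]).hostname
        if host not in in_cluster_hosts:
            problems.append((name, "kibana-server", host))
    return problems


def report(label: str, issuer: str) -> None:
    """Print the audit for one choice of connect_url / issuer host."""
    connect_url = issuer + "/.well-known/openid-configuration"
    problems = audit(connect_url, make_discovery(issuer))
    print(f"{label}: {len(problems)} unreachable endpoint(s)")
    for name, party, host in problems:
        print(f"  {party} cannot reach {name} on host {host}")


if __name__ == "__main__":
    report("connect_url = in-cluster service", INTERNAL_ISSUER)
    report("connect_url = ingress host", EXTERNAL_ISSUER)
```

With the in-cluster service name the browser-facing endpoints are flagged; with the ingress host the discovery URL and the server-facing endpoints are flagged, which is the pair of failures the post describes. The example treats the discovery document as a fixed input; which host a real IdP writes into those fields depends on the IdP's own configuration, so run the check against the document your Kibana server actually receives.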
Ok, now I understand. There is only one searchguard.openid.connect_url option, only for one URL.
Since the address in searchguard.openid.connect_url ( https://abc-xyz/auth) is not reachable from a pod inside the k8s cluster, kibana server fails with the error - Failed when trying to obtain the endpoints from your IdP
Why can’t you make the URL reachable from the pod?