Configuring different urls for searchguard.openid.connect_url for internal & external access

shivani.aggarwal2195 · June 23, 2020, 5:42pm

Hello,
I have enabled searchguard openid authentication (using keycloak) to secure ELK running in kubernetes cluster.
Kibana interacts with keycloak at 2 points:

On kibana server startup, it connects to the openid metadata url configured (searchguard.openid.connect_url in kibana.yml).
When user accesses kibana UI on the browser, it redirects to keycloak for authentication.

For both these interactions, the same keycloak connect url is getting used by the kibana-searchguard openid module.
Is it possible to configure different urls for these two backend & frontend interactions?

In my case, keycloak server is accessible via https to the external world (i.e. to the browser) via a loadbalancer,
while internally to the kubernetes cluster, it is accessible on http (with the kubernetes service name and port).
I do not have one keycloak url that is reachable by both kibana pod as well as the browser.
Any suggestions on how we could proceed with openid authentication?

srgbnd · June 24, 2020, 7:46am

I’m not sure I understand the question.

You want to have a HTTP URL in Kibana.
kibana.yml

searchguard.openid.connect_url: "http://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration"

And HTTPS URL in Search Guard Elasticsearch plugin.
sg_config.yml

openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    config:
      openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration

Am I right? Did you try it? If tried, did you see errors?

shivani.aggarwal2195 · June 24, 2020, 6:44pm

Ok thanks, but my question is about the kibana searchguard plugin alone. Let me explain my use-case a bit to clarify the query

Keycloak, elasticsearch & kibana run as pods in kubernetes cluster. There are k8s services for each of these pods.

Within the k8s cluster, keycloak server is accessible at
http://keycloak.default.svc.cluster.local:8080 (‘keycloak’ is the k8s service name in default namespace).
That means - all pods in the cluster can reach the address

http://keycloak.default.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration

Keycloak is a UI application, so users need to access it from their browsers (which would be external to the k8s cluster). For this external access, a load-balancer(nginx ingress) is used and access is provided on https. That means, a user can access keycloak admin console on their browser by accessing https://abc-xyz/auth.
Now, to enable openid-auth in elasticsearch & kibana, following configurations are made:
sg_config.yml (searchguard-elasticsearch)

openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    config:
      openid_connect_url: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration

kibana.yml (searchguard-kibana)

searchguard.openid.connect_url: "http://keycloak.default.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration"

Issue -

Now, kibana server (pod) starts successfully. User tries to open kibana UI on the browser on https://abc-xyz/kibana. As this is the first attempt to login and user is not authenticated yet, Kibana would redirect to keycloak UI (using the keycloak address configured in kibana.yml) on the browser to open the authentication page. After entering the user creds, keycloak would authenticate the user and load kibana home pg.

But now, since my browser does not identify the internal k8s svc address keycloak.default.svc.cluster.local, the redirection to keycloak fails.

If I want the browser redirection from kibana to keycloak (explained in prev point) to succeed, Kibana’s searchguard.openid.connect_url should be configured with a url that the browser can resolve and reach. That means, in this case, https://abc-xyz/auth.
With this new configuration, when kibana server (pod) starts, it tries to contact the keycloak openid metadata url on service startup itself. Since the address in searchguard.openid.connect_url ( https://abc-xyz/auth) is not reachable from a pod inside the k8s cluster, kibana server fails with the error -
Failed when trying to obtain the endpoints from your IdP
( Ref - https://docs.search-guard.com/latest/troubleshooting-openid)

So coming back to my query, kibana has two types of interations with keycloak server when openid is enabled:
i. Kibana server to keycloak openid metadata url on kibana server startup
ii. Kibana UI redirection to keycloak UI on browser when user attempts to access

For both these interactions, the same searchguard.openid.connect_url is used by searchguard-kibana plugin.
In my case as explained above, I do not have a single keycloak server url that is reachable for both these interactions.

How can I proceed? Is there a way to configure separate urls?

srgbnd · June 26, 2020, 8:07am

Ok, now I understand. There is only one searchguard.openid.connect_url option, only for one URL.

Since the address in searchguard.openid.connect_url ( https://abc-xyz/auth) is not reachable from a pod inside the k8s cluster, kibana server fails with the error -
Failed when trying to obtain the endpoints from your IdP

Why can’t you make the URL reachable from the pod?