Help needed with access token to role mapping

Hi team,
We have integrated Search Guard with Kibana and Elasticsearch.
In an attempt to implement single sign-on we have integrated Keycloak with Kibana.
And in Kibana we are getting the below token.

"oidc_access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfNGw3X2F2QnNPRU82VTlNU3dKRjYxYXJJaXJaQ0t5RmVIOTNYT1MyNlBFIn0.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.K55lmO8mN6EZFN5G3QgLPfMGb0_MbyzDHqOeNdxA9o6b5vx_7YYleRiMzJJ-cmyfp9615h9K7-DaoDrQEX4KR0trzQJnKgO6LSZ5trzkilqDkzpRoz3LNIXE-mT1QENqNTOX8fH9hNCTCU2SiQXBFS31BmEnN5G89LVrn72VcoDukm5fnLAT_o8JQm79Xvpz_McB-FljBIEgNSL_kppu9oE8LrXiQiYVTxtgIZUaSUnSQrIYYlTG2WWcugf3HQ0-5GD_nWwy2FZhmrHU2jUSaLs5iMoARYHnzfRWO7egMtuUt2UAyVmRAB4mWcKNpbQ_gRuMLzY7fR-KgrcCoBH5_A","oidc_access_token_expires":"1585330846","x-forwarded-for":"10.139.223.141","x-forwarded-host":"ooredoo-prod-kibana01-master01.pnmelk.dyn.nesc.nokia.net","x-forwarded-server":"ooredoo-prod-kibana01-master01.novalocal","connection":"Keep-Alive"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"https://ooredoo-prod-kibana01-master01.pnmelk.dyn.nesc.nokia.net/customerror?type=authError"

This token translates to the below JWT JSON:

{
  "jti": "637fa543-f850-41e0-a521-155b13b720fd",
  "exp": 1585330845,
  "nbf": 0,
  "iat": 1585330545,
  "iss": "https://ooredoo-core-prod.pnm.dyn.nesc.nokia.net/auth/realms/PnmSuite",
  "aud": [
    "ooredoo-core-prod+pnm+dyn+nesc+nokia+net",
    "account"
  ],
  "sub": "74c6e1ca-b64f-416c-843c-14278b32a01f",
  "typ": "Bearer",
  "azp": "kibana",
  "nonce": "w8hLag-N6nsvsNIMe70tpvQULZUW7sPyUuXiWoJzUVU",
  "auth_time": 1585330542,
  "session_state": "4c2ee4cf-748d-43ac-99fa-523afd3ba271",
  "acr": "1",
  "allowed-origins": [
    "https://ooredoo-prod-kibana01-master01.pnmelk.dyn.nesc.nokia.net"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "SG_SUPER_USER",
      "admin",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "ooredoo-core-prod+pnm+dyn+nesc+nokia+net": {
      "roles": [
        "admin"
      ]
    },
    "kibana": {
      "roles": [
        "admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "email_verified": false,
  "name": "P Sathishkumar",
  "preferred_username": "psathish",
  "given_name": "P",
  "family_name": "Sathishkumar",
  "email": "p.sathishkumar@nokia.com"
}

sg_roles.yml:

_sg_meta:
  type: "roles"
  config_version: 2

SG_SUPER_USER:
  description: "my search guard role"
  cluster_permissions:
    - SGS_UNLIMITED
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - SGS_UNLIMITED

sg_roles_mapping.yml:

_sg_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here
# See https://docs.search-guard.com/latest/mapping-users-roles

## Demo roles mapping
SGS_ALL_ACCESS:
  reserved: true
  backend_roles:
  - "admin"
  description: "Maps admin to SGS_ALL_ACCESS"

SGS_OWN_INDEX:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

SGS_LOGSTASH:
  reserved: false
  backend_roles:
  - "logstash"

SGS_KIBANA_USER:
  reserved: false
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to SGS_KIBANA_USER"

SGS_SUPER_USER:
  reserved: false
  backend_roles:
  - "superuser"
  description: "Maps superuser to SGS_SUPER_USER"

SGS_READALL:
  reserved: true
  backend_roles:
  - "readall"

SGS_MANAGE_SNAPSHOTS:
  reserved: true
  backend_roles:
  - "snapshotrestore"

SGS_KIBANA_SERVER:
  reserved: true
  users:
  - "kibanaserver"

But I am getting the Search Guard error page with the message "Authentication failed. Please provide a new token."

I think there's some error with my roles coming from the JWT and the roles I have in Search Guard. Could you please help me in mapping the correct roles?

Or any tips on which fields from the JSON will be read by Search Guard when looking for mappings would be a great help.
I am the first to integrate Search Guard in our project and have been stuck for a day without progress, please help me.

Any help with this, guys?
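As an added illustration (not code from the post, and not Search Guard's own code): a small Python script that decodes the payload of a token built from the claims shown above, pulls the roles out of a configurable claim path, and checks them against the posted sg_roles_mapping.yml. Search Guard's OpenID authenticator picks the roles claim through `roles_key` (and the user name through `subject_key`) in sg_config.yml; how a nested path such as `realm_access.roles` is resolved differs between versions, so the dotted-path lookup here is an assumption. The script only inspects claims, it does not verify the signature, which the real authenticator does before any role lookup.

```python
import base64
import json

# Constructed from the decoded token shown in the post (subset of the claims).
SAMPLE_CLAIMS = {
    "exp": 1585330845,
    "iat": 1585330545,
    "sub": "74c6e1ca-b64f-416c-843c-14278b32a01f",
    "preferred_username": "psathish",
    "realm_access": {"roles": ["offline_access", "SG_SUPER_USER", "admin", "uma_authorization"]},
    "resource_access": {"kibana": {"roles": ["admin"]}},
}

# Constructed from the posted sg_roles_mapping.yml (descriptions and reserved flags dropped).
ROLES_MAPPING = {
    "_sg_meta": {"type": "rolesmapping", "config_version": 2},
    "SGS_ALL_ACCESS": {"backend_roles": ["admin"]},
    "SGS_OWN_INDEX": {"users": ["*"]},
    "SGS_LOGSTASH": {"backend_roles": ["logstash"]},
    "SGS_KIBANA_USER": {"backend_roles": ["kibanauser"]},
    "SGS_SUPER_USER": {"backend_roles": ["superuser"]},
    "SGS_READALL": {"backend_roles": ["readall"]},
    "SGS_MANAGE_SNAPSHOTS": {"backend_roles": ["snapshotrestore"]},
    "SGS_KIBANA_SERVER": {"users": ["kibanaserver"]},
}


def _b64url_encode(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed token: genuine header/payload encoding, placeholder signature (not verifiable).
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode(SAMPLE_CLAIMS),
    "signature-placeholder",
])


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def claim_path(claims: dict, path: str):
    """Walk a dotted path such as 'realm_access.roles' through nested claims (assumed syntax)."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def backend_roles(claims: dict, roles_key: str) -> list:
    """Roles named by roles_key; a missing claim yields no backend roles at all."""
    value = claim_path(claims, roles_key)
    if value is None:
        return []
    if isinstance(value, str):          # some IdPs emit "a,b,c" instead of a JSON array
        return [v for v in value.split(",") if v]
    return [str(v) for v in value]


def map_roles(user: str, backend: list, roles_mapping: dict = ROLES_MAPPING) -> list:
    """Search Guard roles whose mapping entry lists the user (or '*') or one of the backend roles."""
    matched = []
    for sg_role, spec in roles_mapping.items():
        if sg_role.startswith("_"):     # skip _sg_meta
            continue
        users = spec.get("users", [])
        if user in users or "*" in users or set(spec.get("backend_roles", [])) & set(backend):
            matched.append(sg_role)
    return sorted(matched)


def unmapped_backend_roles(backend: list, roles_mapping: dict = ROLES_MAPPING) -> list:
    """Backend roles from the token that no mapping entry references: the usual cause of 'no roles'."""
    referenced = {r for k, s in roles_mapping.items() if not k.startswith("_") for r in s.get("backend_roles", [])}
    return [r for r in backend if r not in referenced]


def is_expired(claims: dict, now: int) -> bool:
    """The posted token lives five minutes (iat to exp); an expired one is rejected before mapping."""
    return now >= int(claims.get("exp", 0))


def resolve(token: str, roles_key: str, subject_key: str = "preferred_username") -> dict:
    """End-to-end: claims -> user and backend roles -> mapped Search Guard roles."""
    claims = jwt_claims(token)
    user = claims.get(subject_key)
    backend = backend_roles(claims, roles_key)
    return {"user": user, "backend_roles": backend, "sg_roles": map_roles(user, backend)}


if __name__ == "__main__":
    for key in ("realm_access.roles", "resource_access.kibana.roles", "roles"):
        print(key, resolve(SAMPLE_TOKEN, key))
    print("unmapped:", unmapped_backend_roles(backend_roles(SAMPLE_CLAIMS, "realm_access.roles")))
```

Run against the posted claims, `realm_access.roles` yields "admin" (mapped to SGS_ALL_ACCESS) plus three backend roles nothing in the mapping file references, including SG_SUPER_USER: the mapping entry is called SGS_SUPER_USER and keys on the backend role "superuser", so the token's role name never matches it. A top-level `roles` claim, which Keycloak only emits when a client mapper is configured for it, yields no backend roles at all, and the expiry check is worth running first because an expired token never reaches role mapping.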

This can have several reasons, check the related OpenID troubleshooting page. Also, check this tutorial Kibana Single Sign-On with OpenID and Keycloak | Search Guard
