I have following setup:
- User provides credentials to a proxy
- Proxy talks to keycloak and validates the user
- Proxy passes x-auth-username and x-auth-group to kibana
- Kibana is configured to get the header variables
This set up works, but I have some miss understanding related to the “backend roles”.
My Idea was: I do not need to map the users directly to the respective searchguard roles but I can use the backend role, which is coming from the proxy in x-auth-group variable. But this does not seems to work.
When I configure following in the role mapping GUI in Kibana:
the user cannot access kibana at all, even though he provides the correct backend role. In this case: SOME_RANDOM_BACKEND_ROLE
When I configure
The user has acess to kibana with the correct rights, but… what is the backend role for then? It has no effect.
It looks i miss something. Can you help me to understand how users, backend roles and search guard guard roles work together and most important: Am I able to do authorization based on the backend roles only ?