opendistro-for-elasticsearch / security-kibana-plugin


OpenID Configuration Error #13

Open monkykap opened 3 years ago

monkykap commented 3 years ago

Hi, We are having some trouble getting our OIDC config to function properly. We have verified that our internal OIDC provider is set up properly. After authenticating with OIDC we are redirected back to the OIDC login in Kibana.

The error we are receiving in the Kibana logs is:

OpenId authentication failed: Error: Authentication Exception [When we set our Kibana base redirect url]

and

OpenId authentication failed: Error: Service Unavailable [When Kibana redirect base url is unset]

Our configurations in helm:

values.yml

# Helm values for the Open Distro Elasticsearch chart, exactly as pasted in the issue.
# Review notes are comments only; no value has been changed.
elasticsearch:
  client:
    affinity: {}
    dedicatedPod:
      enabled: true
    enabled: true
    ingress:
      annotations: {}
      enabled: false
      hosts:
        - chart-example.local
      labels: {}
      path: /
      tls: []
    javaOpts: '-Xms512m -Xmx512m'
    livenessProbe:
      initialDelaySeconds: 60
      periodSeconds: 10
      tcpSocket:
        port: transport
    nodeSelector: {}
    podAnnotations: {}
    podDisruptionBudget:
      enabled: false
      minAvailable: 1
    readinessProbe: []
    replicas: 1
    resources: {}
    service:
      annotations: {}
      type: ClusterIP
    startupProbe: []
    tolerations: []
  config: {}
  configDirectory: /usr/share/elasticsearch/config
  data:
    affinity: {}
    dedicatedPod:
      enabled: true
    enabled: true
    javaOpts: '-Xms512m -Xmx512m'
    livenessProbe:
      initialDelaySeconds: 60
      periodSeconds: 10
      tcpSocket:
        port: transport
    nodeSelector: {}
    persistence:
      accessModes:
        - ReadWriteOnce
      annotations: {}
      enabled: true
      size: 8Gi
      subPath: ''
    podAnnotations: {}
    podDisruptionBudget:
      enabled: false
      minAvailable: 1
    readinessProbe: []
    replicas: 1
    resources: {}
    startupProbe: []
    tolerations: []
    updateStrategy: RollingUpdate
  discoveryOverride: ''
  extraEnvs: []
  extraInitContainers: []
  extraVolumeMounts: []
  extraVolumes: []
  fixmount:
    enabled: true
  image: amazon/opendistro-for-elasticsearch
  imagePullPolicy: ''
  # imageTag has two dots, so it parses as a string without quoting (unlike e.g. 1.13).
  imageTag: 1.13.2
  initContainer:
    image: busybox
    imageTag: 1.27.2
  # log4jConfig: debug level on the jwt / security / token loggers. Useful while
  # diagnosing this OIDC problem, but debug auth logging may write token
  # contents to the console log — drop back to info once the issue is resolved.
  log4jConfig: |-
    status = error

    logger.action.name = org.elasticsearch.action
    logger.action.level = debug

    appender.rolling.type = Console
    appender.rolling.name = console
    appender.rolling.layout.type = PatternLayout
    appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n

    rootLogger.level = info
    rootLogger.appenderRef.console.ref = console

    appender.deprecation_rolling.type = Console
    appender.deprecation_rolling.name = deprecation_rolling
    appender.deprecation_rolling.layout.type = ESJsonLayout
    appender.deprecation_rolling.layout.type_name = deprecation

    logger.deprecation.name = org.elasticsearch.deprecation
    logger.deprecation.level = warn
    logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
    logger.deprecation.additivity = false

    appender.token_rolling.type = Console
    appender.token_rolling.name = token_rolling
    appender.token_rolling.layout.type = ESJsonLayout
    appender.token_rolling.layout.type_name = token

    logger.token.name = com.amazon.dlic.auth.http.saml.Token
    logger.token.level = debug
    logger.token.additivity = false
    logger.token.appenderRef.token_rolling.ref = token_rolling

    appender.opendistro_security_rolling2.type = Console
    appender.opendistro_security_rolling2.name = opendistro_security_rolling2
    appender.opendistro_security_rolling2.layout.type = ESJsonLayout
    appender.opendistro_security_rolling2.layout.type_name = opendistro_security2

    logger.opendistro_security2.name = com.amazon.opendistroforelasticsearch.security
    logger.opendistro_security2.level = debug
    logger.opendistro_security2.appenderRef.opendistro_security_rolling2.ref = opendistro_security_rolling2
    logger.opendistro_security2.additivity = false

    appender.opendistro_security_rolling.type = Console
    appender.opendistro_security_rolling.name = opendistro_security_rolling
    appender.opendistro_security_rolling.layout.type = ESJsonLayout
    appender.opendistro_security_rolling.layout.type_name = opendistro_security

    logger.opendistro_security.name = com.amazon.dlic.auth.http.jwt
    logger.opendistro_security.level = debug
    logger.opendistro_security.appenderRef.opendistro_security_rolling.ref = opendistro_security_rolling
    logger.opendistro_security.additivity = false
  master:
    affinity: {}
    enabled: true
    extraContainers: []
    extraInitContainers: []
    javaOpts: '-Xms512m -Xmx512m'
    livenessProbe:
      initialDelaySeconds: 60
      periodSeconds: 10
      tcpSocket:
        port: transport
    nodeSelector: {}
    persistence:
      accessModes:
        - ReadWriteOnce
      annotations: {}
      enabled: true
      size: 8Gi
      subPath: ''
    podAnnotations: {}
    podDisruptionBudget:
      enabled: false
      minAvailable: 1
    readinessProbe: []
    replicas: 3
    resources: {}
    startupProbe: []
    tolerations: []
    updateStrategy: RollingUpdate
  maxMapCount: 262144
  # securityConfig: only config.yml and roles_mapping.yml are supplied from Secrets
  # (configSecret / rolesMappingSecret); the remaining *Secret keys are null, so
  # roles, tenants, internal users and action groups presumably come from the
  # chart/image defaults — confirm that is intended, since the default internal
  # users ship with well-known passwords.
  securityConfig:
    enabled: true
    path: "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"
    configSecret: security-config
    rolesMappingSecret: rolesmapping-config
    rolesSecret: null
    tenantsSecret: null
    internalUsersSecret: null
    actionGroupsSecret: null
  securityContextCustom: {}
  serviceAccount:
    create: true
    name: null
  # ssl: no certificate Secret is provided for admin, rest or transport and
  # rest/admin are disabled here, so the certificates actually presented on the
  # REST port are whatever the image/chart falls back to (not visible in this
  # file — confirm). Kibana below still talks to ES over https://, so the
  # matching root CA is what Kibana should trust instead of disabling verification.
  ssl:
    admin:
      enabled: false
      existingCertSecret: null
      existingCertSecretCertSubPath: admin-crt.pem
      existingCertSecretKeySubPath: admin-key.pem
      existingCertSecretRootCASubPath: admin-root-ca.pem
    rest:
      enabled: false
      existingCertSecret: null
      existingCertSecretCertSubPath: elk-rest-crt.pem
      existingCertSecretKeySubPath: elk-rest-key.pem
      existingCertSecretRootCASubPath: elk-rest-root-ca.pem
    transport:
      existingCertSecret: null
      existingCertSecretCertSubPath: elk-transport-crt.pem
      existingCertSecretKeySubPath: elk-transport-key.pem
      existingCertSecretRootCASubPath: elk-transport-root-ca.pem
  # Key passphrases are disabled and unset; if they are ever enabled, keep the
  # passphrase in a Secret rather than in a committed values file.
  sslKeyPassphrase:
    enabled: false
    passPhrase: null
  sys_chroot:
    enabled: true
  sysctl:
    enabled: true
  transportKeyPassphrase:
    enabled: false
    passPhrase: null
fullnameOverride: ''
# global: cluster name, image registry and the PSP/RBAC toggles. psp.create: true
# presumably asks the chart to create a PodSecurityPolicy — that API only exists
# on clusters that still serve it, so confirm against the target cluster version.
global:
  clusterName: elasticsearch
  imageRegistry: docker.io
  psp:
    create: true
  rbac:
    enabled: true
# Kibana values, exactly as pasted in the issue. Review notes are comments only.
kibana:
  affinity: {}
  certsDirectory: /usr/share/kibana/certs
  config:
    server.name: kibana
    server.host: "0"
    # logging.verbose: true — verbose Kibana logs can include request details;
    # keep it on only while this OIDC problem is being diagnosed.
    logging.verbose: true
    elasticsearch.hosts: https://opendistro-es-data-svc:9200
    # verificationMode: none turns off validation of the Elasticsearch server
    # certificate, so the Kibana -> ES link (carrying the kibanaserver
    # credentials and every forwarded user token) can be intercepted by anyone
    # who can reach the cluster network. Prefer 'certificate' or 'full' with the
    # ES root CA mounted via ssl.elasticsearch below.
    elasticsearch.ssl.verificationMode: none
    # Built-in kibanaserver account with its default password, in clear text in
    # the values file. Rotate the password and keep it out of this file
    # (elasticsearchAccount.secret below looks like the chart's hook for that — confirm).
    elasticsearch.username: kibanaserver
    elasticsearch.password: kibanaserver
    # Authorization is whitelisted presumably so the OIDC bearer token is
    # forwarded to Elasticsearch per request; securitytenant is needed for
    # multitenancy.
    elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
    opendistro_security.multitenancy.enabled: true
    opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
    opendistro_security.readonly_mode.roles: ["kibana_read_only"]
    # cookie.secure: false lets the browser send the session cookie over plain
    # HTTP as well. Users reach Kibana at an https:// URL (base_redirect_url
    # below), and the Secure flag is enforced by the browser against that URL,
    # so it can be true even though Kibana itself listens without TLS
    # (ssl.kibana.enabled: false) — confirm with the ingress setup.
    opendistro_security.cookie.secure: false
    newsfeed.enabled: false
    telemetry.optIn: false
    telemetry.enabled: false
    security.showInsecureClusterWarning: false
    map.includeElasticMapsService: false
    opendistro_security.auth.type: openid
    # client_secret / client_id are redacted in the paste; the real client
    # secret should be injected from a Secret or env var rather than stored in
    # a committed values file.
    opendistro_security.openid.client_secret: redacted
    opendistro_security.openid.client_id: redacted
    # Same discovery URL as openid_connect_url in the security config.yml pasted below.
    opendistro_security.openid.connect_url: https://oidc.redacted.io/.well-known/openid-configuration
    # NOTE(review): this host (dev-kibana.redacted.io) differs from kibana_url in
    # ConfigSecret.yml (…gitm-dev-analysis.hostname.io/) and from the registered
    # redirect_uris (…gitm-dev-analysis.redacted.io/auth/openid/login). If that
    # is not just redaction, the provider will typically refuse the callback —
    # base_redirect_url + /auth/openid/login must equal the registered redirect URI.
    opendistro_security.openid.base_redirect_url: https://dev-kibana.redacted.io
    opendistro_security.openid.scope: "openid profile email vice"
  configDirectory: /usr/share/kibana/config
  elasticsearchAccount:
    keyPassphrase:
      enabled: false
    secret: ''
  enabled: true
  externalPort: 443
  extraContainers: []
  extraEnvs: []
  extraInitContainers: []
  extraVolumeMounts: []
  extraVolumes: []
  image: amazon/opendistro-for-elasticsearch-kibana
  imagePullPolicy: ''
  imageTag: 1.13.2
  ingress:
    annotations: {}
    enabled: false
    hosts:
      - chart-example.local
    labels: {}
    path: /
    tls: []
  livenessProbe: []
  nodeSelector: {}
  podAnnotations: {}
  port: 5601
  readinessProbe: []
  replicas: 1
  resources: {}
  service:
    annotations: {}
    type: ClusterIP
  serviceAccount:
    create: true
    name: null
  # ssl: neither the Kibana listener nor the Kibana -> ES client certificate is
  # configured here; ssl.elasticsearch.existingCertSecretRootCASubPath is where
  # the ES root CA would be mounted so that verificationMode above can be tightened.
  ssl:
    elasticsearch:
      enabled: false
      existingCertSecret: null
      existingCertSecretCertSubPath: elk-rest-crt.pem
      existingCertSecretKeySubPath: elk-rest-key.pem
      existingCertSecretRootCASubPath: elk-rest-root-ca.pem
    kibana:
      enabled: false
      existingCertSecret: null
      existingCertSecretCertSubPath: kibana-crt.pem
      existingCertSecretKeySubPath: kibana-key.pem
      existingCertSecretRootCASubPath: kibana-root-ca.pem
  startupProbe: []
  tolerations: []

ConfigSecret.yml

  # NOTE(review): as pasted, these two keys are indented under a parent that is
  # not shown, and the document does not parse with `config:` following at
  # column 0. In the security config.yml format they belong under a top-level
  # `_meta:` key — presumably lost in the paste; confirm the real file has it.
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      # XFF trust is disabled, so the proxy regex below is currently unused.
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    # authc domains are tried in ascending `order`: basic auth first (challenge:
    # false, so no WWW-Authenticate prompt is sent), then OIDC.
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: oidc
          challenge: false
          config:
            # Same discovery URL as opendistro_security.openid.connect_url in values.yml.
            openid_connect_url: https://oidc.redacted.io/.well-known/openid-configuration
            # NOTE(review): host and trailing slash differ from base_redirect_url
            # in values.yml (https://dev-kibana.redacted.io) and from the
            # registered redirect_uris (…gitm-dev-analysis.redacted.io). If not a
            # redaction artefact, align all three.
            kibana_url: https://dev-kibana.gitm-dev-analysis.hostname.io/
            # Backend roles are read from the `vice_groups` claim of the token;
            # the values in that claim must match the backend_roles strings used
            # in roles_mapping (the group DN quoted further down) — confirm the
            # claim carries the full DN in exactly that form.
            roles_key: vice_groups
            subject_key: preferred_username
        # noop: no further lookup; identity and roles come entirely from the token.
        authentication_backend:
          type: noop

OIDC CLIENT APP Registration

{
  "name": "DEV Kibana",
  "id_token_lifetime_secs": 28800,
  "access_token_lifetime_secs": 28800,
  "authorization_groups": [
      "cn=gitm,ou=Groups,ou=redacted,ou=Environments,dc=redacted,dc=io"
  ],
  "redirect_uris": [
    "https://dev-kibana.gitm-dev-analysis.redacted.io/auth/openid/login"
  ]
}

One of the things we are unsure about is whether the redirect URI path, "auth/openid/login" (shown above), is correct.

The other is how we configured the backend role mapping:

# roles_mapping entry: grants the all_access role (full cluster/admin privileges)
# to any authenticated identity carrying the backend role "admin" or the LDAP
# group DN below (expected to arrive in the vice_groups claim — confirm the
# claim value is the full DN, not just the cn). reserved: false presumably
# leaves this mapping editable through the security API.
all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "cn=gitm,ou=Groups,ou=redacted,ou=Environments,dc=redacted,dc=io"
  description: "Maps admin to all_access"