wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

OpenID Connect setup cannot handle backend roles #4781

Open zbalkan opened 1 year ago

zbalkan commented 1 year ago
| Wazuh | Elastic | Rev | Security | Browser |
|-------|---------|-----|----------|---------|
| 4.3.9 | Wazuh-Indexer | N/A | Basic | N/A |

Description

When OpenID Connect is set up, the roles_mapping.xml does not handle the mapping for OIDC roles.

Preconditions

  1. Install Wazuh 4.3.9 using Wazuh-Indexer and Wazuh-Dashboard.
  2. Have an OIDC Provider, e.g. Keycloak.
  3. Set up OpenID Connect according to the OpenSearch documents.
  4. Create roles, e.g. admin and operator, on the OIDC provider.
  5. Set up the Wazuh configuration to match (details below).

Steps to reproduce

  1. Log in to Wazuh using OIDC SSO credentials.

Expected Result

  1. User gets to see the dashboard based on access roles.

Actual Result

  1. User gets an error message that user has no backend roles mapped, hence no permissions.

Screenshots

[Screenshot: General setup (auth_admin_master_console)]

[Screenshot: OIDC roles]

[Screenshot: Default scopes]

[Screenshot: Error screen]

Additional context

/etc/wazuh-dashboard/opensearch_dashboards.yml

```yaml
# OpenID Setup
# Enable OpenID authentication
opensearch_security.auth.type: "openid"

# The IdP metadata endpoint
opensearch_security.openid.connect_url: "https://<OIDC provider>/auth/realms/<realm>/.well-known/openid-configuration"

# The ID of the OpenID Connect client in your IdP
opensearch_security.openid.client_id: "wazuh-test-oidc"

# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: "secret"

# Configure the Kibana internal server user
opensearch.username: "kibanaserver"
opensearch.password: "password"

# Disable SSL verification when using self-signed demo certificates
opensearch.ssl.verificationMode: none
opensearch_security.openid.verify_hostnames: "false"

# Add roles to the scope (default value: openid profile email address phone)
# Needed when you add another scope to the clients
opensearch_security.openid.scope: "openid profile email address phone roles"
```

/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml

```yaml
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://<OIDC provider>/auth/realms/<realm>/.well-known/openid-configuration
        authentication_backend:
          type: noop
```

/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml

```yaml
...
all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  - "wazuh-admin"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"
...
readall:
  reserved: true
  hidden: false
  backend_roles:
  - "readall"
  - "wazuh-ro"
  hosts: []
  users: []
  and_backend_roles: []
...
kibana_user:
  reserved: false
  hidden: false
  backend_roles:
  - "kibanauser"
  - "wazuh-operator"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps kibanauser to kibana_user"
...
```
Tostti commented 1 year ago

Hi @zbalkan ,

To be able to have the backend roles configured and successfully sent to wazuh-dashboard, you need to follow these steps:

  1. Create the desired roles in your realm's roles tab. In this example I will use the roles admin and all_access: [screenshot]

  2. Add those roles to the user that you will use to log in, from the users tab of your realm and the Role mappings tab of your user. In this example, the user is wazuh: [screenshot]

  3. Inside your client configuration, go to mappers and select realm_roles. Inside that, you will see a field named Token Claim Name. That field is the name that should go on roles_key inside your config.yml. [screenshot] [screenshot]

In this example the Token Claim Name is role, and therefore the config.yml file should contain that name. For example:

```yaml
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: role
            openid_connect_url: https://<OIDC provider>/auth/realms/<realm>/.well-known/openid-configuration
        authentication_backend:
          type: noop
```

With that configuration, you will be able to see the backend roles once you log in. [screenshot]

I hope you find this information helpful. Regards,
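The whole thread comes down to one detail: the claim name in the ID token (Keycloak's Token Claim Name) must equal `roles_key` in config.yml, and the values in that claim must then appear under some role's `backend_roles` in roles_mapping.yml, or the user lands with no permissions exactly as the issue describes. The script below is an added diagnostic, not code from the issue, from Wazuh or from OpenSearch: it decodes an ID-token payload, extracts backend roles the way the openid authenticator does for a given `roles_key` (JSON array or comma-separated string, missing claim means none), and applies the `backend_roles` lists from the roles_mapping.yml posted above. The token, its claim names and the `diagnose` helper are constructed for this example; the `alg=none` token is built only so the script runs offline, since the real plugin verifies the signature against the IdP's JWKS before looking at any claim.

```python
from __future__ import annotations

import base64
import json

# backend_roles from the roles_mapping.yml in the issue, reduced to what
# matters for role resolution: OpenSearch role -> accepted backend roles.
ROLES_MAPPING = {
    "all_access": ["admin", "wazuh-admin"],
    "readall": ["readall", "wazuh-ro"],
    "kibana_user": ["kibanauser", "wazuh-operator"],
}

# Constructed ID-token payload in the shape Keycloak emits when a realm-roles
# mapper has Token Claim Name "role" (as in the reply). Real tokens also carry
# iss/aud/exp/iat; they are irrelevant to role extraction and omitted here.
SAMPLE_CLAIMS = {
    "sub": "constructed-subject-id",
    "preferred_username": "wazuh",
    "role": ["admin", "all_access", "offline_access"],
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none token for OFFLINE testing only (no signature)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def jwt_claims(token: str) -> dict:
    """Return a JWT payload WITHOUT verifying it: diagnostic use only.
    Paste a real token from your IdP here to see its actual claim names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def backend_roles(claims: dict, roles_key: str) -> list[str]:
    """Mirror roles_key handling: the claim may be a JSON array or a
    comma-separated string; an absent claim yields no backend roles."""
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return [str(r) for r in value]


def mapped_roles(backend: list[str], mapping: dict = ROLES_MAPPING) -> list[str]:
    """Apply roles_mapping.yml: the user gets every OpenSearch role whose
    backend_roles list shares at least one entry with the user's backend roles."""
    have = set(backend)
    return sorted(role for role, accepted in mapping.items() if have & set(accepted))


def diagnose(token: str, roles_key: str, mapping: dict = ROLES_MAPPING) -> dict:
    """Summarise what the security plugin would see for this token/roles_key."""
    claims = jwt_claims(token)
    backend = backend_roles(claims, roles_key)
    return {
        "subject": claims.get("preferred_username"),
        "claims_present": sorted(claims),
        "backend_roles": backend,
        "opensearch_roles": mapped_roles(backend, mapping),
    }


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    # config.yml from the issue: roles_key: roles -> claim absent -> no roles
    print(diagnose(token, "roles"))
    # config.yml from the reply: roles_key: role -> claim present -> mapped
    print(diagnose(token, "role"))
```

Two things the output makes visible. First, `claims_present` lists the claim names actually in the token, so you can read the right `roles_key` off a real ID token instead of guessing from the mapper screen. Second, a Keycloak role named `all_access` maps to nothing on its own: with the default `plugins.security.roles_mapping_resolution` of `MAPPING_ONLY`, a backend role only counts if some entry in roles_mapping.yml lists it under `backend_roles`, so either add it there or name the IdP roles after the backend roles you already map (`admin`, `wazuh-admin`, `wazuh-ro`, `wazuh-operator`).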