I need to switch Kibana to OIDC auth through Keycloak.
I have a default user dev with basic auth, and logs are written by Vector (with username logstash) to Elasticsearch.
When I switch on OIDC, I cannot auth with that dev user and my logs stop being written, because the user logstash is unable to auth (401).
How can I fix that?
Here is part of my elasticsearch.yml config:
...
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic.p12
xpack.security.transport.ssl.keystore.password: ""
xpack.security.transport.ssl.truststore.password: ""
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/someserver.some.domain.p12
xpack:
  security:
    authc:
      realms:
        oidc.oidc1:
          order: 2
          rp.client_id: my_user
          rp.response_type: code
          rp.redirect_uri: http://somebalancer/kibana/api/security/oidc/callback
          op.issuer: https://some.keycloak.server/auth/realms/somerealm
          op.authorization_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/auth
          op.token_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/token
          op.jwkset_path: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/certs
          op.userinfo_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/userinfo
          op.endsession_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/logout
          rp.post_logout_redirect_uri: http://somebalancer/kibana/security/logged_out
          claims.principal: sub
          ssl.certificate_authorities: /usr/share/elasticsearch/config/keycloak.cer
          ssl.verification_mode: none
          claims.groups: groups
...
Part of kibana.yml:
xpack.security.enabled: true
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with my OpenID Connect"
  basic.basic1:
    order: 1
...