Before running OpenSearch you must run Keycloak and configure a client in it.
There are 2 docker-compose files in this repository. To run Keycloak, navigate to the keycloak/ folder and run:

docker-compose -f docker-compose-keycloak.yml up

This will run a PostgreSQL database on port 5432 and Keycloak on localhost:8080.
Once the containers have started, navigate to http://localhost:8080/auth in a web browser, then click on Administration Console and log in with:

Username: admin
Password: Pa55w0rd

Once logged in you need to create a Client.

- Click on Clients on the left menu
- Click on Create client
- Type in Client ID: opensearch-dashboards-sso with name OpenSearch Dashboards SSO
- Next
- Save
- In Valid redirect URIs enter: http://localhost:5601/auth/openid/login
- In Valid post logout redirect URIs enter: http://localhost:5601
- Save
- Click on Users on the left menu
- Click on Add user
- Fill out the form to create a new user (user1 for an example username)
- Click on Create
- On the next screen (User details in the breadcrumbs) click on the Credentials tab and give the user a password.
- Go back to the Details tab and click Save

In the root level of this repository run:

docker-compose up

Wait for startup and then navigate to https://localhost:5601
Log in with the user created above.

After completing the steps above the user is able to log in and log out, but only has access to own_index.

In order to extract backend roles from Keycloak, there needs to be additional configuration on the client to ensure that Keycloak is populating a field that matches the roles_key that is configured in the authc section of the security plugin's config.yml file.

- Click on Users on the left menu
- Click on desired user
- Navigate to Role mapping tab
- Click on Assign role and map the user to the desired backend role
- You can create new roles in the Realm roles section of the left menu
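
To check that Keycloak is actually populating the field named by roles_key, the following added example (not part of this repository) decodes a token payload and lists the backend roles found under that claim. It assumes roles_key is set to roles and that the claim is top-level and holds a list or a comma-separated string; the tokens and role names are constructed.

```python
import base64
import json

ROLES_KEY = "roles"  # assumption: the roles_key value set in config.yml


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT-shaped string for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


def decode_claims(token: str) -> dict:
    """Decode the payload only; the signature is NOT verified (diagnostic use)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def backend_roles(claims: dict, roles_key: str = ROLES_KEY) -> list:
    """Roles under the top-level claim named roles_key, or [] if it is absent."""
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):  # comma-separated string form
        return [r.strip() for r in value.split(",") if r.strip()]
    if isinstance(value, list):
        return [str(r) for r in value]
    raise TypeError(f"claim {roles_key!r} is neither a list nor a string")


# Constructed payloads. Keycloak's default tokens nest realm roles under
# realm_access.roles, so a top-level roles_key finds nothing there.
DEFAULT_TOKEN = make_token({"preferred_username": "user1",
                            "realm_access": {"roles": ["admin"]}})
# After adding a mapper that writes realm roles to a top-level "roles" claim.
MAPPED_TOKEN = make_token({"preferred_username": "user1",
                           "roles": ["admin", "readall"]})

if __name__ == "__main__":
    for name, tok in (("default", DEFAULT_TOKEN), ("mapped", MAPPED_TOKEN)):
        roles = backend_roles(decode_claims(tok))
        print(name, roles if roles else f"claim {ROLES_KEY!r} missing, no backend roles")
```

An empty result for a real token means the client is not yet emitting the claim that roles_key points at, which matches the behaviour where the user can log in but only sees own_index.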