keydeap、apache、mod\u auth\u openidc、elasticsearch opendistro

eqqqjvef  于 2021-06-10  发布在  ElasticSearch
关注(0)|答案(1)|浏览(610)

我正在尝试为访问Apache2.4上的私有目录设置单点登录(sso),并在elasticsearch(opendistro)中为keyClope登录的用户分配角色。在keyposet中将角色分配给用户没有实际问题(并且成功地连接到openldap服务器)。如果我将承载令牌发送到es,它会将角色链接到后端角色。万事如意。
问题是elasticsearch是无状态的,它似乎不读取从key斗篷和mod\u auth\u openidc获得的cookie(无法正确地成功安装config.xml)。所以,我无法让es使用opendid connect会话。
所以,我决定为es选择承载身份验证,并且需要在es的每个http请求中添加承载http报头。
我从mod\u auth\u openidc获得一个承载令牌,添加:
header set authorization“bearer%{oidc\u access\u token}e”env=oidc\u access\u token
我在apache conf(enabled headers模块)中的受保护位置。但是当我尝试使用curl的标记(用于测试)时,它就行不通了

curl -i -k --noproxy '*' -H "Authorization: thebearerfromapache" https://es.*****.com:9200/protectedresources

我没有得到授权。elasticsearch日志:

[2020-11-22T14:58:58,404][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Check authdomain for rest noop/0 or 2 in total
[2020-11-22T14:58:58,405][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] 'java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c' extracting credentials from jwt-key-by-oidc http authenticator
java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c
        at java.lang.Enum.valueOf(Enum.java:273) ~[?:?]

编辑:我把key斗篷中访问令牌的算法改为hs256,现在我得到了

[2020-11-22T15:27:31,195][INFO ][c.a.d.a.h.j.k.JwtVerifier] [node-1] Escaped Key ID from JWT Token
[2020-11-22T15:27:31,196][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] performRefresh(c3145a71-0a3c-4b99-86e0-a8bf30c33f23)
[2020-11-22T15:27:31,197][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] Performing refresh 1
[2020-11-22T15:27:31,450][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] KeySetProvider finished
[2020-11-22T15:27:31,452][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [node-1] Extracting JWT token from eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMzE0NWE3MS0wYTNjLTRiOTktODZlMC1hOGJmMzBjMzNmMjMifQ.eyJleHAiOjE2MDYwNTkwMzEsImlhdCI6MTYwNjA1ODczMSwiYXV0aF90aW1lIjoxNjA2MDU4NzMxLCJqdGkiOiI2MzFjYmIyZS1hODhjLTQwZmItYjU1My1lYzM0YmI2NTQ5YzEiLCJpc3MiOiJodHRwczovL2F1dGguc2VhcmNoZXZvbHV0aW9uLmNvbTo4NDQzL2F1dGgvcmVhbG1zL3dlYiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkNDgxNTE5OS0zZTExLTQyOTktYmY3My1jZGUzYmI3MDMwM2UiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcGFjaGUtbm9kZTEiLCJub25jZSI6IjFwd3lQUUpOZlhFOTlTaTVNbjF2NGd2MXBtdkZQdWtqZEpYS3pnd3RiM0EiLCJzZXNzaW9uX3N0YXRlIjoiOGZjMTk0ZDQtMjY2Yy00ZTc0LWE0MGQtNmFjOGY0ZDU2NDEyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIiLCJodHRwczovL25vZGUxLnNlYXJjaGV2b2x1dGlvbi5jb20vIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImhyIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImhyIiwidW1hX2F1dGhvcml6YXRpb24iXSwibmFtZSI6IkpvaG4gRG9lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamRvZSIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJEb2UifQ.dpX_F5r-KqSYr7atK7K9B3FzJ9VbDiIdqmhYBMsHyV0 failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid c3145a71-0a3c-4b99-86e0-a8bf30c33f23

这个shell脚本可以工作:

RESULT=`curl -k --noproxy '*' -d 'client_id=apache-node1' -d 'username=jdoe' -d 'password=*****' -d 'grant_type=password' -d 'client_secret=6a7a0299-e420-4206-ae02-9e68bf7044ff' -d 'scope=openid' 
'https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/token'`

TOKEN=`echo $RESULT | sed 's/.*access_token":"\([^"]*\).*/\1/'`

curl -i -k --noproxy '*' -H "Authorization: Bearer $TOKEN" https://es.****.com:9200/humanresources/_search

opendistro安全插件配置:

jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            jwt_header: Authorization
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://auth.****.com:8443/auth/realms/web/.well-known/openid-configuration

            jwks_uri: https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/certs
        authentication_backend:
          type: noop

你知道如何设置elasticsearch来识别这个标记吗?

qlvxas9a

qlvxas9a1#

最后,正确的apache配置是包含id令牌(而不是访问令牌)
所以,

Header set Authorization "Bearer %{OIDC_id_token}e" env=OIDC_id_token

以及在virtualhost的全局配置中(否则在http报头中不添加id令牌)

OIDCPassIDTokenAs serialized

我在keydepot管理中使用了“es256”:细粒度openid connect配置id令牌签名算法

相关问题