ELK单点登录--keycloak--OIDC

本篇环境：

  ELK采用单机部署方式

  elasticsearch、kibana、logstash 三者部署在同一台机器

  机器ip为：192.168.0.200

 

一、 keycloak 配置客户端

  1、 不建议使用realm master，应新建一个realm

  2、 “Client Protocol” 选择“openid-connect”

  3、 “Setting” 中 “Access Type”项选择“confidential”，点击“save”

  4、 在 “Credentials” 中获取 “Secret”字段的值

 

二、 使用 elasticsearch-keystore 存储keycloak 客户端秘钥

cd ${elasticsearch_directory}/bin
./elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret

 

三、 使用 elasticsearch-certutil 生成ssl证书文件

> cd ${elasticsearch_directory}
> vim instance.yml
  # 写入内容如下
  instances:
    - name: '192.168.0.200'     # 此处可根据实际情况配置ip或域名
      dns: [ '192.168.0.200' ]  # 此处可根据实际情况配置ip或域名

> ./bin/elasticsearch-certutil cert ca --pem --in instance.yml

> unzip certificate-bundle.zip
  Archive: certificate-bundle.zip
  creating: ca/
  inflating: ca/ca.crt
  creating: 192.168.0.200/
  inflating: 192.168.0.200/192.168.0.200.crt
  inflating: 192.168.0.200/192.168.0.200.key

 

四、 修改 elasticsearch 配置文件

> cd ${elasticsearch_directory}/config

修改 elasticsearch.yml，添加如下内容:
xpack.security.authc.token.enabled: true
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  key: 192.168.0.200/192.168.0.200.key
  certificate: 192.168.0.200/192.168.0.200.crt
  certificate_authorities: ca/ca.crt

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: 192.168.0.200/192.168.0.200.key
  certificate: 192.168.0.200/192.168.0.200.crt
  certificate_authorities: ca/ca.crt

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"  # 与 kecloak 创建的客户端名对应
  rp.response_type: code
  rp.redirect_uri: "https://${kibana_domainname}/api/security/oidc/callback"
  op.issuer: "https://${keycloak_domainname}/auth/realms/Single-Sign-On"
  op.authorization_endpoint: "https://${keycloak_domainname}/auth/realms/Single-Sign-On/protocol/openid-connect/auth"
  op.token_endpoint: "https://${keycloak_domainname}/auth/realms/Single-Sign-On/protocol/openid-connect/token"
  op.jwkset_path: "https://${keycloak_domainname}/auth/realms/Single-Sign-On/protocol/openid-connect/certs"
  op.userinfo_endpoint: "https://${keycloak_domainname}/auth/realms/Single-Sign-On/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "https://${keycloak_domainname}/auth/realms/Single-Sign-On/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https://${kibana_domainname}/logged_out"
  claims.principal: preferred_username

 

五、  修改 kibana 配置文件

> cd ${kibana_directory}/config

kibana.yml:
修改
elasticsearch.hosts: ["https://192.168.0.200:9200"]
elasticsearch.ssl.verificationMode: none
添加：
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with Keycloak"
    icon: "https://${keycloak_domainname}/auth/resources/fyjnf/login/keycloak/img/favicon.ico"
  basic.basic1:
    order: 1

 

六、 修改 logstash 配置文件

> cd ${logstash_directory}/config

logstash.yml:
添加：
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: ${username}
xpack.monitoring.elasticsearch.password: ${password}
xpack.monitoring.elasticsearch.hosts: ["https://192.168.0.200:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: ${elasticsearch_directory}/config/ca/ca.crt

logstash.conf:
修改输出到es：
output {
    elasticsearch {
        hosts => ["https://192.168.0.200:9200"]
        ndex => "%{file_type}-%{+YYYY.MM.dd}"
        user => '${username}'
        password => '${password}'
        ssl => true
        cacert => "${elasticsearch_directory}/config/ca/ca.crt"
    }
}

 

七、 启动elk，登录页会有两个按钮以供选择登录方式

 

 

八、 在kibana配置角色映射，控制用户登录

  1、 kibana页面中，找到“Management”，点击“Stack Management”

  2、 找到“安全”，点击“角色映射”，然后“创建角色映射”

  3、 角色 选择 “superuser”

  4、 映射规则 选择 “任一为true”

  5、 用户字段 选择 “username”，值为拥有权限的用户的用户名