Keycloak security plugin for Elasticsearch

A Simple xpack security plugin to secure Elasticsearch with Keycloak

Installation

• Install plugin

<ES_HOME>/bin/elasticsearch-plugin install https://github.com/fb64/elastic-keycloak-security/releases/download/0.1_es6.4.3/keycloak-security-0.1_es6.4.3.zip

• Accept permissions to finish installation

• Permissions details

  • java.lang.RuntimePermission accessDeclaredMembers → used by keycloak-adapter
  • java.lang.RuntimePermission getClassLoader → used by keycloak-adapter
  • java.lang.reflect.ReflectPermission suppressAccessChecks → used by keycloak-adapter
  • java.net.SocketPermission * connect,resolve → use to communicate with keycloak server

Configuration

• Get client configuration file from keycloak : (Your Realm) → Clients → (Your client) → Installation

• Copy keycloak client configuration in <ES_HOME>/config/keycloak.config

• Add and configure keycloak realm in <ES_HOME>/config/elasticsearch.yml file :

xpack.security.authc.realms.keycloak.order: 0
xpack.security.authc.realms.keycloak.type: keycloak
xpack.security.authc.realms.keycloak.config: keycloak.config
xpack.security.enabled: true

• Test integration

curl -X GET http://<ES_HOST>:<ES_PORT>/ -H 'Authorization: Bearer <KEYCLOAK TOKEN>'

Development

For development and test you can run a keycloak instance with pre-configured realm by using docker (from repository root directory) :

docker run -d -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e KEYCLOAK_IMPORT=/tmp/elastic-realm-export.json -v "$(pwd)"/src/test/resources/config/elastic-realm-export.json:/tmp/elastic-realm-export.json -p 8080:8080 jboss/keycloak