Authenticate AWS Opensearch dashboard using LDAP via keycloak - amazon-web-services

Requirement
I am working on a client project where we need to setup our AWS managed OpenSearch dashboard (Kibana). As per the requirement, we should use keycloak for SAML configurations. Also need to use LDAP as user federation.
Current Setup
AWS OpenSearch setup is completed and able to login with the master user credentials.
Integration of Keycloak with OpenSearch dashboard is done. I am able to login to the OpenSearch dashboard using keycloak local user by adding it in the all_access group in Dashboard (kibana).
LDAP integration with Keycloak is also completed. I can sync all LDAP users within Keycloak and able to login with individual LDAP users when adding them in the all_access group in Dashboard (Kibana).
Issue/Open tasks
How can I add the entire keycloak group to the OpenSearch Dashboard so I do not have to add individual users. I tried adding the group name in the dashboard under backend role section but it does not work. Also tried a few mappings (not sure if they were correct) but got no luck. Every time it gives "missing role-contact your administrator"
Same issue with LDAP groups as well, I can sync all LDAP groups within my Keycloak but not sure how to map them with OpenSearch Dashboard to login.
Ultimate Goal
Create two groups, one as admin and other as limitedaccess so that users who are part of admin group can login with the assigned permissions and users in limitedaccess group can login with their permissions.
I do not want to add individual users in the Dashboard rather they should be able to login directly based on role/group mapping.

The issue is resolved.
Following are the things I did, which may be useful for others looking for similar setup.
Created two groups in my Keycloak. "admin" and "limited".
Created two roles "admin_role" and "limited_role".
Made the limited group as default group and the limited_role as default role so the new users will directly get the limited permissions.
Next, which i was missing all the time (and thanks to other stack overflow answers) was to enable the Single Role mapping. For this, Go to Client scope role_list --> mappers --> role list --> enable "Single Role attribute"
Added the "Role" keyword in OpenSearch in the role key section (under additional settings in AWS OpenSearch SAML configs.). Also mentioned a generic user in the SAML master user section (generic user which I created in Keycloak) so that I can gain admin privileges to add backend roles in OpenSearch Dashboard.
Finally, logged in to my OpenSearch with this generic user. Go to the security --> Roles --> Manage mapping --> backend roles --> added my admin_role to the all_access and limited_role to the read roles.
Now I am able to login with all the users who are part of the respective groups in Keycloak.

Related

How to map a SAML Attribute from your IdP to an AWS Elastic Search Role?

The recently added SAML support for AWS Elastic Search solution:
https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-elasticsearch-service-adds-native-saml-authentication-kibana/
Lists in its documentation that backend roles are supported:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
In Okta, for example, you might have a user, jdoe, who belongs to the group admins. If you add jdoe to the SAML master username field, only that user receives full permissions. If you add admins to the SAML master backend role field, any user who belongs to the admins group receives full permissions.
If you want to use backend roles (recommended), specify an attribute from the assertion in the Role key field, such as role or group. This is another situation in which tools like SAML-tracer can help.
But some users have problems finalizing the configuration once they are done with the AWS Console.
The answer lies beyond the AWS Console and must be completed within the Elastic Search cluster with the Master User that you created either within the cluster as an Internal User, via an IAM role or by using the Master User field in the SAML configuration section of the Modify Authentication Wizard in the AWS console for Elastic Search.
You must:
Create a Backend role that matches your SAML attribute value
Create a Mapping between the new backend role and an actual Elastic Search Role
After you're done configuring your IdP by creating a custom Attribute/Claim like roles or groups and after you've configure SAML authentication integration in the Elastic search cluster.
1.-Log into Kibana using your master user
2.-Go to OpenDistro -> Security -> Roles -> The Role you want to grant access to, i.e. readall
3.-Go to the Mapped Users tab under the role screen
4.-On the Backend Roles field type the VALUE of the Azure Claim you created by following these steps: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management
For reference the claim value is: user.assignedroles.
The claim key is whatever you configure your Azure Enterprise application as.
You'll have a key value pair of "Your chosen Claim Name": user.assignedroles
5.-Save the Mapping in Kibana
Using the Azure IdP log into Kibana using users with different Azure Claim assigned to them. The Open Distro Security plugin will parse the SAML token attribute find the field for user.assignedroles and map that as a Kibana Backend Role to the actual Elastic Search roles.

configure list users for service provider WSO2 API Manager

I have installed Wso2 api manager and am trying to set up authentication and authorization via Api manager. I can't figure out how to configure certain users who will be able to login through the app. Currently, all users who are in user story are allowed to login. I need to restrict the ability to login to the app for a certain range of users. How can this be done?
You can achieve this by adding roles to the particular users. Refer to this doc https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#managing-user-roles
You need to configure the roles and permissions according to your use case:
Create a role (eg: testRole) and assign required permissions except for the login permission(Admin Permissions > Login) to that role [1].
Create a new user(eg: testUser) and assign the testRole to that user[2].
Now the testUser that you have created has no login permissions to the app.
[1] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#create-user-roles
[2] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-users/#adding-a-new-user

How to give service account access to two projects?

Using Google Cloud, there exists a BigQuery View table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default composer service account - however it doesn't have access to the 2nd project used in the sql of the view.
How do I give composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different project and component. Exactly the same thing with the service account email.
The service account belongs to a project. An user account belongs to a domain name/organisation. No real difference at the end.
So, you can use a service account email like any user accounts:
Grant authorization in any project
Add it in Google Groups
Even grant it viewer or editor role on GSuite document (Sheet, Docs, Slides,...) to allow it to access and to read/update these document!! Like any users!
EDIT
With Airflow, you can defined connexions and a default connexion. You can use this connexion in your DAG and thus use the service account that you want.
I think you have to add the service account into project IAM.

AWS Cognito User Management

For the last few years, I've built a PHP and MySQL based website where users can submit reprographics and IT requests. I'm hoping to make this cloud-based rather than running it from a local webserver. My initial idea was to have an EC2 instance running as a web server for each company which uses my system, but as the system is PHP session based I'm assuming the security would not be great so I think I need to move towards more of an AWS system using Cognito for user management and the API Gateway with Lambda to do the job of getting the data from the databases. My question is, my current system has an admin console where the admin user can access the lists of users, and assign them permissions (session variables) which allows them access to specific pages. How would I make a webpage where users can manage the users in a Cognito user pool without giving them access to the AWS console.
Implement a Cognito AdminAddUserToGroup operation in your Lambda function for admin users to manage what Cognito Groups your users belong to. Your admins will be the only ones that are able to invoke the API call to the Lambda function because they'll be included in the Cognito Admin Group with appropriate permissions to invoke the Lambda function that you specified as the developer.
Specify permissions of what each Congito Group has access to by assigning roles for each Cognito Group.
You can also decode the jwt on the backend to determine what Cognito Group the user belongs to that made the request and use Amplify on the FrontEnd to manage the FrontEnd's display of content based on the Group (links, etc). More info about that can be found in this thread: How do I access the group for a Cognito User account?
I do not have enough points to comment on the CLI update-user-pool suggestion, but wanted you to know that wouldn't work because 1.) It would impact the entire user pool and affect ALL users in the user pool and 2.) It would make no difference in regards to what your users were able to have permission to access in your application.

Create AWS IAM users based on e-mail domain

I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using with Microsoft Exchange hosted email.
If your existing identity provider supports SAML2 Federation, you can set it up to login to the AWS Management Console.
For more details refer Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Else you can implement a custom Federation Broker to return an URL to the user, after they authenticate with their corporate credentials.
For more details refer Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).