├── README.md ├── conf └── proxy.json └── docker-compose.yml /README.md: -------------------------------------------------------------------------------- 1 | # Secure kibana dashboards using keycloak 2 | 3 | ### How it works 4 | The mode of operation is summed up in 3 simple steps: 5 | ![](https://aboullaite.me/content/images/2018/02/Presentation1.jpg) 6 | 7 | 1. External traffic is directed to the keycloak proxy. The proxy decides, based on its configuration, whether the destination needs authentication. 8 | 2. The keycloak proxy works together with Keycloak and redirects the user to the authentication server so the user can log in. 9 | 3. After a successful login the proxy forwards the user to the kibana instance. 10 | 11 | For more details check out this blog: https://aboullaite.me/secure-kibana-keycloak/ 12 | 13 | ![](https://media.giphy.com/media/ewCXHXd5lePqywsOq0/giphy.gif) 14 | -------------------------------------------------------------------------------- /conf/proxy.json: -------------------------------------------------------------------------------- 1 | { 2 | "target-url": "${env.TARGET_URL}", 3 | "bind-address": "0.0.0.0", 4 | "http-port": "${env.HTTP_PORT}", 5 | "https-port": "${env.HTTPS_PORT}", 6 | "applications": [ 7 | { 8 | "base-path": "${env.BASE_PATH}", 9 | "adapter-config": { 10 | "realm": "${env.REALM_NAME}", 11 | "auth-server-url": "${env.AUTH_SERVER_URL}", 12 | "public-client": true, 13 | "resource": "${env.CLIENT_ID}", 14 | "ssl-required": "${env.SSL_REQUIRED}" 15 | }, 16 | "constraints": [ 17 | { 18 | "pattern": "/*", 19 | "roles-allowed": [ 20 | "${env.ROLE_ALLOWED}" 21 | ] 22 | } 23 | ] 24 | } 25 | ] 26 | } -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | postgres: 5 | image: postgres 6 | container_name: postgres 7 | volumes: 8 | - postgres_data:/var/lib/postgresql 9 | 
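# docker-compose.yml, continued: the first keys below finish the `postgres`
# service whose image/volumes entries open this file.
#
# Demo stack. Every credential is read from the host environment (or a .env
# file next to this file) and falls back to the original demo value, so
# `docker-compose up` still works unchanged. Override all of them before the
# stack is reachable from anything other than a local machine.
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      # Applied only when the data volume is first initialised; changing it
      # later does not change the password of an existing database.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
  keycloak:
    # NOTE(review): this and the Elastic images below are pinned to old
    # releases; check for a supported version before reusing the stack.
    image: jboss/keycloak:3.4.3.Final
    container_name: keycloak
    environment:
      POSTGRES_PORT_5432_TCP_ADDR: postgres
      POSTGRES_DATABASE: keycloak
      POSTGRES_USER: keycloak
      # Must match the value given to the postgres service, hence the same variable.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
      # Bootstrap admin account for the Keycloak admin console.
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD:-password}
    ports:
      # Published on every host interface over plain HTTP, so the admin console
      # and the login form are reachable from the network. For local use,
      # `127.0.0.1:8080:8080` limits it to the host; otherwise terminate TLS in
      # front of it.
      - 8080:8080
    depends_on:
      - postgres
  keycloak-proxy:
    image: jboss/keycloak-proxy:3.4.2.Final
    container_name: keycloak-proxy
    environment:
      # Proxy -> Kibana hop is plain HTTP on the compose network.
      TARGET_URL: http://kibana:5601
      HTTP_PORT: 8180
      # Configured, but only 8180 is published below, so clients reach the
      # proxy over HTTP only.
      HTTPS_PORT: 8443
      BASE_PATH: /
      REALM_NAME: kibana
      # Plain HTTP to Keycloak: logins and tokens are not encrypted in transit.
      AUTH_SERVER_URL: http://keycloak:8080/auth
      CLIENT_ID: kibana
      # Role required by the single "/*" constraint in conf/proxy.json.
      ROLE_ALLOWED: user
      # "external" lets localhost/private addresses use HTTP; anything else
      # must use HTTPS.
      SSL_REQUIRED: external
    volumes:
      # NOTE(review): the proxy presumably only reads this directory; consider
      # appending `:ro` once confirmed.
      - $PWD/conf:/opt/jboss/conf
    ports:
      - 8180:8180
    depends_on:
      - keycloak
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.2
    container_name: elasticsearch
    # No ports are published, so Elasticsearch is reachable only from inside
    # the compose network. NOTE(review): the -oss image presumably ships
    # without the security features that consume ELASTIC_PASSWORD, leaving
    # Elasticsearch unauthenticated for any container on that network;
    # confirm against the image documentation.
    environment: ['http.host=0.0.0.0', 'transport.host=127.0.0.1', 'ELASTIC_PASSWORD=elastic']

  kibana:
    image: docker.elastic.co/kibana/kibana-oss:6.2.2
    container_name: kibana
    # No ports are published: the keycloak-proxy service is the only
    # authenticated path to Kibana from the host, and Kibana itself performs
    # no login. Publishing 5601 would bypass the proxy entirely.
    # NOTE(review): confirm that the kibana-oss image actually consumes these
    # four variables.
    environment:
      - ELASTICSEARCH_USERNAME=elasticsearch
      - ELASTICSEARCH_PASSWORD=elastic
      - ELASTICSEARCH_HOST=elasticsearch
      - ELASTICSEARCH_PORT=9200
    depends_on: ['elasticsearch']

volumes:
  postgres_data:
    driver: local
--------------------------------------------------------------------------------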