Hello everyone,
I’m trying to authenticate Hue with keycloak using the helm charts. Whenever I try to log in with a user I have created in keycloak, I receive an unauthorized error. This is an extract of the log of hue:
```
[29/Jun/2021 06:32:18 -0700] database WARNING AXES: New login failure by {username: "None", ip_address: "10.244.4.39", user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36", path_info: "/oidc/callback/"}. Creating new record in the database.
[29/Jun/2021 06:32:18 -0700] access INFO 10.244.0.0 -anon- - "GET /oidc/callback/ HTTP/1.1" returned in 27ms 302 0 (mem: 116mb)
[29/Jun/2021 06:32:18 -0700] access INFO 10.244.0.0 -anon- - "GET /oidc/callback/ HTTP/1.1" returned in 27ms 302 0 (mem: 116mb)
10.244.4.39 - - [29/Jun/2021:13:32:18 +0000] "GET /oidc/callback/?state=7lwSiAK0FIKtJg5CnKHffNOXlv0PGF0x&session_state=381b1152-fe5f-46d3-acbf-723bfb60d23b&code=4a4d78d4-ea6c-40bb-bb9c-cf43035489aa.381b1152-fe5f-46d3-acbf-723bfb60d23b.5faeda43-f607-4373-8bb1-ec6783590218 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
[2021-06-29 13:32:18 +0000] [38] [DEBUG] GET /hue/oidc_failed/
[29/Jun/2021 06:32:18 -0700] access WARNING 10.244.0.0 -anon- - "GET /hue/oidc_failed/ HTTP/1.1" - (mem: 119mb)-- 401 Unauthorized by oidc
[29/Jun/2021 06:32:18 -0700] access WARNING 10.244.0.0 -anon- - "GET /hue/oidc_failed/ HTTP/1.1" - (mem: 119mb)-- 401 Unauthorized by oidc
```
and these warnings at the beginning of the log (right after the deployment of the hue application):
```
System check identified some issues:

WARNINGS:
?: (axes.W002) You do not have 'axes.middleware.AxesMiddleware' in your settings.MIDDLEWARE.
?: (axes.W003) You do not have 'axes.backends.AxesBackend' or a subclass in your settings.AUTHENTICATION_BACKENDS.
```
Allow me to provide the context:
- hue and keycloak are deployed behind two different domains: hue_mydomain_com and keycloak_mydomain_com
- hue’s helm chart is using a custom image based on the latest release of hue’s official docker image to overcome the issue as described in the post: OIDC fails with helm
Here’s my hue configuration (sorry, I had to replace dots with underscores and protocol from urls due to the “new user restriction”):
```yaml
interpreters: |
  [[[postgresql]]]
  name = Postgresql
  interface=sqlalchemy
  options='{"url": "postgresql://hue:hue@postgres-hue:5432/hue"}'
ini: |
  [desktop]
  secret_key=hue123
  app_blacklist=search,hbase,security,jobbrowser,oozie
  django_debug_mode=true
  gunicorn_work_class=sync
  enable_prometheus=false
  secure_content_security_policy="script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' fonts_googleapis_com;connect-src 'self' *_mydomain_com;frame-src *;child-src 'self' data: *_vimeo_com;object-src 'none'"

    [[auth]]
    backend=desktop.auth.backend.OIDCBackend
    behind_reverse_proxy=true
    reverse_proxy_header=HTTP_X_FORWARDED_FOR

    [[oidc]]
    # The client ID as relying party set in the OpenID provider
    oidc_rp_client_id=Hue
    # The client secret as relying party set in the OpenID provider
    oidc_rp_client_secret=mysecrethere
    # The OpenID provider authorization endpoint
    oidc_op_authorization_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/auth
    # The OpenID provider token endpoint
    oidc_op_token_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/token
    # The OpenID provider user info endpoint
    oidc_op_user_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/userinfo
    # The OpenID provider signing key in PEM or DER format
    ## oidc_rp_idp_sign_key=/path/to/key_file
    # The OpenID provider JWKS (signing keys) endpoint
    oidc_op_jwks_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/certs
    # Whether Hue as OpenID Connect client verifies the SSL cert
    oidc_verify_ssl=false
    # As relying party, Hue URL path to redirect to after login
    login_redirect_url=hue_mydomain_com/oidc/callback
    # The OpenID provider URL path to redirect to after logout
    logout_redirect_url=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/logout
    # As relying party, Hue URL path to redirect to after a failed login
    login_redirect_url_failure=hue_mydomain_com/hue/oidc_failed
    # Create a new user from OpenID Connect on login if it doesn't exist
    create_users_on_login=true
    # When creating a new user, which 'claims' attribute from the OIDC provider to be used for creating the username.
    # Defaults to 'preferred_username'. Possible values include: 'email'
    oidc_username_attribute=preferred_username
    # The group of users that will be created and updated as superusers. To use this feature, set up in Keycloak:
    # 1. add the name of the group here
    # 2. in Keycloak, go to your_realm --> your_clients --> Mappers, add a mapper
    #    Mapper Type: Group Membership (this is a predefined mapper type)
    #    Token Claim Name: group_membership (required exact string)
    superuser_group=hue_superusers

  [hadoop]
    [[hdfs_clusters]]
      [[[default]]]
      fs_defaultfs=hdfs-namenode:8020
      webhdfs_url=hdfs-namenode:50070/webhdfs/v1
```
Do I need an extra configuration on keycloak side related to roles and permissions?
Thanks a lot in advance for any support and suggestion
Best regards
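An added example (not part of the original post, and not Hue's or Keycloak's own code) that shows the offline checks a practitioner would run on a `[[oidc]]` section like the one above before looking at the provider: each configured endpoint is compared with what the realm advertises in its OpenID Connect discovery document, `login_redirect_url` is checked against the client's registered redirect URIs, `oidc_verify_ssl=false` is reported, and a userinfo claim set is resolved into a username and superuser flag using `oidc_username_attribute` and the `group_membership` claim named in the config comments. The `example.com` hosts, the discovery document, the registered redirect URIs and the claim sets are all constructed; the trailing-`*` wildcard handling for redirect URIs and the stripping of a leading `/` from Keycloak group paths are assumptions about Keycloak's behaviour, not something the post states.

```python
"""Offline consistency checks for a Hue [[oidc]] section against what the
Keycloak realm advertises. Added example, not Hue's or Keycloak's own code."""
import re

SECTION_RE = re.compile(r"^\[+([^\]]+)\]+$")

# Constructed Hue-style ini excerpt; the example.com hosts are hypothetical.
# The token endpoint deliberately names a different realm so the check fires.
HUE_INI = """
[desktop]
  [[auth]]
  backend=desktop.auth.backend.OIDCBackend
  [[oidc]]
  oidc_rp_client_id=Hue
  oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth
  oidc_op_token_endpoint=https://keycloak.example.com/auth/realms/hue/protocol/openid-connect/token
  oidc_op_user_endpoint=https://keycloak.example.com/auth/realms/master/protocol/openid-connect/userinfo
  oidc_op_jwks_endpoint=https://keycloak.example.com/auth/realms/master/protocol/openid-connect/certs
  oidc_verify_ssl=false
  login_redirect_url=https://hue.example.com/oidc/callback
  logout_redirect_url=https://keycloak.example.com/auth/realms/master/protocol/openid-connect/logout
  oidc_username_attribute=preferred_username
  superuser_group=hue_superusers
"""

# Constructed stand-in for the realm's .well-known/openid-configuration document.
_BASE = "https://keycloak.example.com/auth/realms/master/protocol/openid-connect"
DISCOVERY = {
    "issuer": "https://keycloak.example.com/auth/realms/master",
    "authorization_endpoint": f"{_BASE}/auth",
    "token_endpoint": f"{_BASE}/token",
    "userinfo_endpoint": f"{_BASE}/userinfo",
    "jwks_uri": f"{_BASE}/certs",
    "end_session_endpoint": f"{_BASE}/logout",
}
# Constructed "Valid Redirect URIs" of the Keycloak client named in oidc_rp_client_id.
REGISTERED_REDIRECT_URIS = ["https://hue.example.com/oidc/callback"]

# Hue setting -> discovery document field it must agree with.
ENDPOINT_MAP = {
    "oidc_op_authorization_endpoint": "authorization_endpoint",
    "oidc_op_token_endpoint": "token_endpoint",
    "oidc_op_user_endpoint": "userinfo_endpoint",
    "oidc_op_jwks_endpoint": "jwks_uri",
    "logout_redirect_url": "end_session_endpoint",
}


def parse_hue_ini(text):
    """Minimal parser for Hue's configobj-style ini: [section]/[[sub]] headers and
    key=value lines. Nested headers are flattened to their innermost name."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def _redirect_allowed(uri, registered):
    # Assumption: Keycloak accepts an exact match or a trailing '*' wildcard.
    if registered.endswith("*"):
        return uri.startswith(registered[:-1])
    return uri == registered


def check_oidc_section(oidc, discovery, registered_redirect_uris):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    for hue_key, disc_key in ENDPOINT_MAP.items():
        configured, advertised = oidc.get(hue_key), discovery.get(disc_key)
        if configured is None:
            continue
        if not configured.startswith(("https://", "http://")):
            findings.append(f"{hue_key}: no URL scheme ({configured!r})")
        elif advertised and configured != advertised:
            findings.append(f"{hue_key}: configured {configured} but the provider advertises {advertised}")
    if oidc.get("oidc_verify_ssl", "true").lower() == "false":
        findings.append("oidc_verify_ssl=false: the provider's TLS certificate is not verified")
    redirect = oidc.get("login_redirect_url")
    if redirect and not any(_redirect_allowed(redirect, r) for r in registered_redirect_uris):
        findings.append(f"login_redirect_url {redirect} is not among the client's registered redirect URIs")
    return findings


def resolve_user(oidc, claims):
    """Map userinfo claims to (username, is_superuser) following the [[oidc]] settings.
    Returns (None, False) when the configured username claim is absent, which is one
    way a login can end with no username at all."""
    username = claims.get(oidc.get("oidc_username_attribute", "preferred_username"))
    if not username:
        return None, False
    # Assumption: Keycloak's Group Membership mapper may emit full paths like "/hue_superusers".
    groups = {g.lstrip("/") for g in claims.get("group_membership") or []}
    return username, oidc.get("superuser_group") in groups


def run_checks():
    oidc = parse_hue_ini(HUE_INI)["oidc"]
    return check_oidc_section(oidc, DISCOVERY, REGISTERED_REDIRECT_URIS)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
    oidc = parse_hue_ini(HUE_INI)["oidc"]
    print(resolve_user(oidc, {"preferred_username": "alice", "group_membership": ["/hue_superusers"]}))
    print(resolve_user(oidc, {"email": "bob@example.com"}))  # no preferred_username claim
```

Against the constructed input the checker reports two findings: the token endpoint that points at a different realm than the discovery document, and the disabled certificate verification. To use it on a real deployment, replace `DISCOVERY` with the JSON fetched from the realm's `.well-known/openid-configuration` URL and `REGISTERED_REDIRECT_URIS` with the client's configured values.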