[Feature] Accessing Dashboards page in security-enabled cluster from CLI

[davidcui1225]

Is your feature request related to a problem? Please describe.

For the reporting-anything project, one of the main goals is to provide an option for users to download a report from a cluster that has security enabled.

To do so, we need a method for the reporting-anything CLI to be able to access a dashboards page report source (e.g a dashboard or visualization) within a security-enabled cluster.

Describe the solution you'd like

Reporting's download functionality requires the use of puppeteer. Our solution requires a method to access a dashboards page with security enabled on the cluster to take a screenshot for a report. An example use case of reporting-anything would be

reporting-anything -u http://localhost:5601/app/dashboards#/view/7adfa750-4c81-11e8-b3d7-01146121b73d

which would create a report from the dashboard with saved object ID 7adfa750-4c81-11e8-b3d7-01146121b73d. However, currently if the cluster has security enabled, the downloaded PDF/PNG report will just be of the login page.

Our goal is a solution that will allow puppeteer to access the URLs in dashboards on security-enabled clusters.

Describe alternatives you've considered

The alternative considered has been the OpenSearch Javascript client here. After syncing with @ananzh and @kavilla , it seems that the client is not the correct solution for accessing the page itself.

Additional context A demo of the reporting-anything CLI can be found here for additional context.

The goal is not necessarily a feature request, but to first dive into if there is a current solution that can be implemented for this use case.

[ananzh]

@davidcui1225 thanks for opening this issue. In the demo, you represent two example to use this feature by the following command:

reporting-anything -u <url> -f png

Could you write down some reproduction steps? like how to install reporting-anything or which repo we could use to reproduce? thanks

[davidcui1225]

@davidcui1225 thanks for opening this issue. In the demo, you represent two example to use this feature by the following command:

reporting-anything -u <url> -f png

Could you write down some reproduction steps? like how to install reporting-anything or which repo we could use to reproduce? thanks

You can reproduce with the following steps:

git clone git@github.com:davidcui1225/dashboards-reports.git
cd dashboards-reports
git checkout reporting-anything && cd reporting-anything
*Add + unzip chromium zip file (attached separately, cannot upload it to this comment for some reason)
cd src
node download_report.js -u <url>

the -f is optional, the file format will default to PDF if no value is provided

[abbashus]

@davidcui1225 Have you tried passing the access credentials directly when invoking the dashboard url? What is the response when we do that.

[davidcui1225]

@davidcui1225 Have you tried passing the access credentials directly when invoking the dashboard url? What is the response when we do that.

No, I'm unfamiliar with that method. What would that look like?

Also, are there security concerns associated with that method?

[abbashus]

No, I'm unfamiliar with that method. What would that look like?

I am referring to adding HTTP basic auth to HTTP request, like how client makes request to security enabled OpenSearch cluster

curl -XGET "https://loclahost:9200/_cluster/settings?pretty" -u "username:password"

Since Puppeteer is nothing but a HTTP client we should be able to pass auth credentials See https://dev.to/sonyarianto/puppeteer-quick-tip-how-to-do-basic-authentication-2pe7

---

Also, are there security concerns associated with that method?

No, just make the CLI read credentials from environment variables instead of passing them on command line to prevent saving credentials in history.

[ananzh]

Hey @davidcui1225 I was trying to reproduce and see the following error. I did several things: 1)install security plugin 2)install reporting plugin according to your comment 3)yarn osd bootstrap to install modules required (don't need to run this in security and reporting) 4)yarn start

 log   [15:58:17.857] [fatal][root] Error: Cannot find module 'async-mutex'
Require stack:
- /home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/plugin.ts
- /home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugin.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/plugins_discovery.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugins_service.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/cli/serve/serve.js
- /home/anan/work/OpenSearch-Dashboards/src/cli/cli.js
- /home/anan/work/OpenSearch-Dashboards/src/cli/dev.js
- /home/anan/work/OpenSearch-Dashboards/scripts/opensearch_dashboards.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:61:29)
    at require (internal/modules/cjs/helpers.js:101:18)
    at Object.<anonymous> (/home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/plugin.ts:8:19)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Module._compile (/home/anan/work/OpenSearch-Dashboards/node_modules/pirates/lib/index.js:136:24)
    at Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Object.newLoader [as .ts] (/home/anan/work/OpenSearch-Dashboards/node_modules/pirates/lib/index.js:141:7)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/plugin.ts',
    '/home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugin.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/plugins_discovery.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugins_service.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/cli/serve/serve.js',
    '/home/anan/work/OpenSearch-Dashboards/src/cli/cli.js',
    '/home/anan/work/OpenSearch-Dashboards/src/cli/dev.js',
    '/home/anan/work/OpenSearch-Dashboards/scripts/opensearch_dashboards.js'
  ]
}

Is there something wrong with my reproduction steps?

[davidcui1225]

Hey @davidcui1225 I was trying to reproduce and see the following error. I did several things: 1)install security plugin 2)install reporting plugin according to your comment 3)yarn osd bootstrap to install modules required (don't need to run this in security and reporting) 4)yarn start

 log   [15:58:17.857] [fatal][root] Error: Cannot find module 'async-mutex'
Require stack:
- /home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/plugin.ts
- /home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugin.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/plugins_discovery.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugins_service.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/core/server/index.ts
- /home/anan/work/OpenSearch-Dashboards/src/cli/serve/serve.js
- /home/anan/work/OpenSearch-Dashboards/src/cli/cli.js
- /home/anan/work/OpenSearch-Dashboards/src/cli/dev.js
- /home/anan/work/OpenSearch-Dashboards/scripts/opensearch_dashboards.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:61:29)
    at require (internal/modules/cjs/helpers.js:101:18)
    at Object.<anonymous> (/home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/plugin.ts:8:19)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Module._compile (/home/anan/work/OpenSearch-Dashboards/node_modules/pirates/lib/index.js:136:24)
    at Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Object.newLoader [as .ts] (/home/anan/work/OpenSearch-Dashboards/node_modules/pirates/lib/index.js:141:7)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39)
    at Module.Hook._require.Module.require (/home/anan/work/OpenSearch-Dashboards/node_modules/require-in-the-middle/index.js:80:39) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/plugin.ts',
    '/home/anan/work/OpenSearch-Dashboards/plugins/dashboards-reports/dashboards-reports/server/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugin.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/plugins_discovery.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/discovery/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/plugins_service.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/plugins/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/core/server/index.ts',
    '/home/anan/work/OpenSearch-Dashboards/src/cli/serve/serve.js',
    '/home/anan/work/OpenSearch-Dashboards/src/cli/cli.js',
    '/home/anan/work/OpenSearch-Dashboards/src/cli/dev.js',
    '/home/anan/work/OpenSearch-Dashboards/scripts/opensearch_dashboards.js'
  ]
}

Is there something wrong with my reproduction steps?

yarn osd bootstrap is not needed for reporting-anything- as per my comment here, it's just necessary to clone the repo from my fork, check out the branch and cd into reporting-anything before installing dependencies with yarn install and then cd src.

[davidcui1225]

I was able to download a report from a security-enabled cluster- unfortunately, puppeteer's http authentication method didn't work, I had to replicate entering username & password and selecting tenant.

Code snippet:

      await page.type('input[data-test-subj="user-name"]', username);
      await page.type('[data-test-subj="password"]', password);
      await page.click('button[type=submit]');
      await page.waitFor(5000);
      await page.click('label[for=global]');
      await page.click('button[data-test-subj="confirm"]');

I'm able to log in and download the report, would this be considered a viable workaround?

[davidcui1225]

I was able to download a report from a security-enabled cluster- unfortunately, puppeteer's http authentication method didn't work, I had to replicate entering username & password and selecting tenant.

Code snippet:

      await page.type('input[data-test-subj="user-name"]', username);
      await page.type('[data-test-subj="password"]', password);
      await page.click('button[type=submit]');
      await page.waitFor(5000);
      await page.click('label[for=global]');
      await page.click('button[data-test-subj="confirm"]');

I'm able to log in and download the report, would this be considered a viable workaround?

@ananzh @kavilla any feedback here?

[abuwarez]

hello,

I have a dashboard which has been created inside a tenant and i would like to embed it inside an iframe via an URL as described here: https://opensearch.org/docs/latest/security-plugin/access-control/multi-tenancy/

The suggested method, to pass security_tenant= inside the URL is not working:

http://<opensearch_dashboards_host>:5601/app/opensearch-dashboards?security_tenant=analysts#/visualize/edit/c501fa50-7e52-11e9-ae4e-b5d69947d32e?_g=()

Any idea why?

Thanks, C.

[abuwarez]

hello,

I have a dashboard which has been created inside a tenant and i would like to embed it inside an iframe via an URL as described here: https://opensearch.org/docs/latest/security-plugin/access-control/multi-tenancy/

The suggested method, to pass security_tenant= inside the URL is not working:

http://<opensearch_dashboards_host>:5601/app/opensearch-dashboards?security_tenant=analysts#/visualize/edit/c501fa50-7e52-11e9-ae4e-b5d69947d32e?_g=()

Any idea why?

Thanks, C

Solved the issue, the URL parameter needs to securitytenant= (without the underscore). Works now as expected.