Open ahopp opened 1 year ago
Great work! Looking forward to test this feature. Will provide feedback when tested!
Thanks
This feature is awesome! Increases so much the possibilities with OpenSearch Observability Stack 👍
I had problems creating a data source connection to an OpenSearch with HTTPS protocol (created with a self-signed certificate). I received this problem:
Response:
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Data Source Error: unable to verify the first certificate",
  "attributes": {
    "error": "Data Source Error: unable to verify the first certificate"
  }
}
Observation: I tested the communication in the opensearch-dashboard terminal. I executed $ curl -k https://opensearch-b:9200 and it worked.
When I configure a new data source connection to an OpenSearch with HTTPS protocol with a valid certificate, it works as expected. It also works when I configure OpenSearch with HTTP protocol.
Do you have some tips or suggestions? Is it a requirement that the data source connection with HTTPS must have a valid certificate? I did not find this information in the documentation.
- OpenSearch: 2.8.0
- OpenSearch-Dashboards: 2.8.0
- Tests made on docker-compose
For sharing knowledge purposes, I will describe in this message what I did.
I configured an environment variable in the OpenSearch-Dashboards container.
# When set, the well-known "root" CAs (like VeriSign) will be extended with the extra certificates in file
NODE_EXTRA_CA_CERTS: /usr/share/opensearch-dashboards/config/root-ca.pem
My Test Notes:
- The environment variable NODE_TLS_REJECT_UNAUTHORIZED: 0 to disable certificate validation in TLS connections has no effect.
- The NODE_EXTRA_CA_CERTS environment variable needs to be configured even if the root-ca.pem is present in the ca-trust store of the operating system.
In the OpenSearch-Dashboards, I configured the certificate authorities in opensearch_dashboards.yml:
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem" ]
Then, the connection between OpenSearch-Dashboards and OpenSearch in the menu /app/management/opensearch-dashboards/dataSources/ works successfully ✅ !
Maybe some steps do not make sense with the final result, but I am sharing my experience to maybe help others with the same problems. I'm open to receiving corrections and other approaches.
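The workaround above depends on the client trusting root-ca.pem, and `curl -k` cannot confirm that because it skips certificate verification. The following is an added example, not part of the thread: it builds a constructed CA and server certificate locally, shows the certificate failing verification against the default trust store and passing once the signing CA is supplied, and defines the equivalent check for a live endpoint. Function names and certificate subjects are illustrative.

```shell
#!/bin/sh
# Added example. The CA and server certificate are constructed locally;
# function names and subject names are illustrative.

# make_test_pki DIR: create a root CA and a server certificate signed by it.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$dir/root-ca-key.pem" -out "$dir/root-ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=opensearch-b" \
        -keyout "$dir/node-key.pem" -out "$dir/node.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/node.csr" -days 1 \
        -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" \
        -CAcreateserial -out "$dir/node.pem" 2>/dev/null
}

# verify_default CERT: verify against the default trust store only, the
# situation of a client that has not been told about the private CA.
verify_default() { openssl verify "$1" >/dev/null 2>&1; }

# verify_with_ca CAFILE CERT: verify with the private CA supplied explicitly.
verify_with_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# check_endpoint CAFILE URL: the same test against a live HTTPS endpoint.
# Unlike `curl -k`, this fails unless the server chain verifies against CAFILE.
check_endpoint() {
    curl --silent --show-error --cacert "$1" --output /dev/null "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_test_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    if verify_default "$tmp/node.pem"; then echo "default store: trusted"
    else echo "default store: not trusted"; fi
    if verify_with_ca "$tmp/root-ca.pem" "$tmp/node.pem"; then
        echo "with root-ca.pem: trusted"
    else
        echo "with root-ca.pem: not trusted"
    fi
    rm -rf "$tmp"
}
demo
```

With the paths and host named in the thread, the live check would be `check_endpoint /usr/share/opensearch-dashboards/config/root-ca.pem https://opensearch-b:9200`, run from inside the dashboards container.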
Thanks, the above workaround seems to be working for me as well.
@carlos-neto-trustly Thanks for sharing your solution! I think it would be great to get some of this additional context in the documentation. If you (or anyone else in this thread) is interested in updating the multiple data source documentation, the documentation repo and file is here: https://github.com/opensearch-project/documentation-website/blob/main/_dashboards/discover/multi-data-sources.md
I don't know if my workaround step is a bug or a step that needs to be done and is not documented. If the last case is true, I kindly make myself available to update the documentation 😃
@zhongnansu @kristenTian Can you confirm whether this is a bug or documentation gap?
We need to dive more into the issue. Generally I believe declaring NODE_EXTRA_CA_CERTS env var should not be a recommended approach, even though it did work in your case. If CA needs to be configured for data sources, it should only be configured within the scope of Opensearch-Dashboards configuration (opensearch-dashboards.yml).
@carlos-neto-trustly Thanks for submitting the issue and providing the workaround. But let's hold on to any documentation update.
I am able to reproduce the issue, and created a new issue #4524 for tracking.
@zhongnansu @kristenTian Can you confirm whether this is a bug or documentation gap?
I'm pretty sure this is a bug since setting opensearch.ssl.verificationMode: none doesn't solve it, so the setting is being ignored.
How to restrict access to only a specific set of indices when using data sources?
@zhongnansu @kristenTian Can you confirm whether this is a bug or documentation gap?
I'm pretty sure this is a bug since setting opensearch.ssl.verificationMode: none doesn't solve it, so the setting is being ignored.
This has been supported via https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6171. Let us know if you have any more questions.
How to restrict access to only a specific set of indices when using data sources?
Hi @ghost, the datasource feature doesn't change the data access policy for existing user/role/index. Let's say, if you add a datasource to a cluster with basic auth (user/password), you could restrict this user to only access certain index.
OpenSearch Dashboards supports multiple data sources, allowing users to manage connections to different OpenSearch endpoints and build visualizations and dashboards with data from different OpenSearch clusters. Available as an experimental feature, this is the first of many capabilities on the project roadmap as OpenSearch toolkit that will provide a unified view of users data.
We have created this issue to gather feedback on your experiences with the feature.