andloh
commented
1 year ago Great work! Looking forward to test this feature. Will provide feedback when tested!
Thanks
Open ahopp opened 1 year ago
andloh
commented
1 year ago Great work! Looking forward to test this feature. Will provide feedback when tested!
Thanks
carlos-neto-trustly
commented
1 year ago This feature is awesome! Increases so much the possibilities with OpenSearch Observability Stack 👍
I had problems creating a data source connection to an OpenSearch with HTTPS protocol (created with a self-signed certificate). I received this problem:
Response:
{
"statusCode": 400,
"error": "Bad Request",
"message": "Data Source Error: unable to verify the first certificate",
"attributes": {
"error": "Data Source Error: unable to verify the first certificate"
}
}observation: I tested the communication in the
opensearch-dashboardterminal. I executed$ curl -k https://opensearch-b:9200and worked it.
When I configure a new data source connection to an OpenSearch with HTTPS protocol with a valid certificate, it works as expected. It also works when I configure OpenSearch with HTTP protocol.
Do you have some tips or suggestions? Is it a requirement that the data source connection with HTTPS must have a valid certificate? I did not find this information in the documentation.
- OpenSearch: 2.8.0
- OpenSearch-Dashboards: 2.8.0
- Tests made on docker-compose
carlos-neto-trustly
commented
1 year ago For sharing knowledge purposes, I will describe in this message what I did.
I configured an environment variable in the OpenSearch-Dashboards container.
# When set, the well-known "root" CAs (like VeriSign) will be extended with the extra certificates in file
NODE_EXTRA_CA_CERTS: /usr/share/opensearch-dashboards/config/root-ca.pemMy Test Notes:
- The environment variable
NODE_TLS_REJECT_UNAUTHORIZED: 0to disable certificate validation in TLS connections does not bring effect.- The
NODE_EXTRA_CA_CERTSenvironment variable needs to be configured even if theroot-ca.pemis present in the ca-trust store of the Operational System.
In the OpenSearch-Dashboards, I configured the certificate authorities in opensearch_dashboards.yml:
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem" ]Then, the connection between OpenSearch-Dashboards and OpenSearch in the menu /app/management/opensearch-dashboards/dataSources/ works successfully ✅ !
Maybe some steps do not make sense with the final result, but sharing my experiences maybe to help others with the same problems. I'm open to receiving corrections and other approaches.
dhirajguptaa
commented
1 year ago Thanks, the above work around seems to be working for me as well.
joshuarrrr
commented
1 year ago @carlos-neto-trustly Thanks for sharing your solution! I think it would be great to get some of this additional context in the documentation. If you (or anyone else in this thread) is interested in updating the multiple data source documentation, the documentation repo and file is here: https://github.com/opensearch-project/documentation-website/blob/main/_dashboards/discover/multi-data-sources.md
carlos-neto-trustly
commented
1 year ago I don't know if my workaround step is a bug or a step that needs to be done and is not documented. If the last case is true, I kindly make myself available to update the documentation 😃
joshuarrrr
commented
1 year ago @zhongnansu @kristenTian Can you confirm whether this is a bug or documentation gap?
zhongnansu
commented
1 year ago We need to dive more into the issue. Generally I believe declaring NODE_EXTRA_CA_CERTS env var should not be a recommended approach, even tho it did work in your case. If CA needs to be configured for data sources, it should only be configured within the scope of Opensearch-Dashboards configuration(opensearch-dashboards.yml).
@carlos-neto-trustly Thanks for submitting the issue and provided the workaround. But let's hold on to any documentation update
zhongnansu
commented
1 year ago We need to dive more into the issue. Generally I believe declaring
NODE_EXTRA_CA_CERTSenv var should not be a recommended approach, even tho it did work in your case. If CA needs to be configured for data sources, it should only be configured within the scope of Opensearch-Dashboards configuration(opensearch-dashboards.yml).@carlos-neto-trustly Thanks for submitting the issue and provided the workaround. But let's hold on to any documentation update
I am able to re-produce the issue, and created a new issue #4524 for tracking.
Martin-Kemp
commented
1 year ago @zhongnansu @kristenTian Can you confirm whether this is a bug or documentation gap?
I'm pretty sure this is a bug since setting opensearch.ssl.verificationMode: none doesn't solve it, so the setting is being ignored.
ghost
commented
9 months ago How to restrict access to only a specific set of indices when using data sources?
seraphjiang
commented
3 months ago @zhongnansu @kristenTian Can you confirm whether this is a bug or documentation gap?
I'm pretty sure this is a bug since setting
opensearch.ssl.verificationMode: nonedoesn't solve it, so the setting is being ignored.
this has been supported via https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6171 let us know if any more question.
seraphjiang
commented
3 months ago How to restrict access to only a specific set of indices when using data sources?
hi @ghost datasource feature doesn't change the data access policy for existing user/role/index. Let's say, if you add a datasource to a cluster with basic auth(user/password), you could restrict this user to only access certain index.
OpenSearch Dashboards supports multiple data sources, allowing users to manage connections to different OpenSearch endpoints and build visualizations and dashboards with data from different OpenSearch clusters. Available as an experimental feature, this is the first of many capabilities on the project roadmap as OpenSearch toolkit that will provide a unified view of users data.
We have created this issue to gather feedback on your experiences with the feature.