opensearch-project / OpenSearch-Dashboards

📊 Open source visualization dashboards for OpenSearch.
https://opensearch.org/docs/latest/dashboards/index/
Apache License 2.0

[Multiple Datasource] Pass through user authentication #3634

Open jackevans43 opened 1 year ago

jackevans43 commented 1 year ago

My current OpenSearch dashboards is connected to OpenSearch using proxy auth. I also have another instance using basic auth. This allows me to have per user security controls and auditing.

I'd like to add another OpenSearch cluster, using the multiple datasource feature, however the details of the logged in user are not passed to OpenSearch, so it cannot have per user security controls, and the audit logs are unable to record the user performing the searches.

Describe the solution you'd like

Like the traditional OpenSearch backend, support passing through details of the authenticated user, via proxy or basic auth etc, to an OpenSearch connected via the multiple datasource feature.

zhongnansu commented 1 year ago

@jackevans43 Thanks for submitting the issue. For the "detail of the logged in user", do you mean the user of Dashboards, or the user of the datasource (the other OpenSearch cluster with basic auth)?

seraphjiang commented 1 year ago

Thanks @jackevans43 for making the request. We'd love to hear more. I'm curious to know your current setup.

My current OpenSearch dashboards is connected to OpenSearch using proxy auth

What does proxy auth mean? What auth has been passed through in this case?

Do OpenSearch Dashboards and OpenSearch use Basic Auth? Are you looking to pass through the same user credential from the logged-in OpenSearch Dashboards to OpenSearch?

jackevans43 commented 1 year ago

Hey @zhongnansu @seraphjiang thanks for your quick replies!

Yes, I'd like the user of Dashboards to be passed through to the data source (OpenSearch), i.e. when following the quickstart, Dashboards will require the username admin and password admin; these are the basic auth credentials that are normally passed through to OpenSearch when querying data, so it knows who logged in to Dashboards, and therefore what security roles to apply and the username for auditing.

Dashboards supports multiple other ways to authenticate the user, including proxy and JWT. Both of these configure headers received by Dashboards, which should be transparently forwarded to OpenSearch.

zengyan-amazon commented 1 year ago

Hi @jackevans43, thanks for this information! I think I understand your requirement here. When the OSD multi-datasource feature needs to make a request to a data source, it uses the auth type based on the data source configuration; however, it ignores all other HTTP headers from the user request, such as the proxy headers you mentioned in this issue.

So I think there could be a few ways to solve this problem, for example adding a new auth type for data sources, which allows the user to specify one or a group of HTTP headers to pass to data sources as its auth info. Or, in the data source client, we may need to support the asScoped function like the OSD OpenSearch service does, so that the headers configured in the requestHeadersWhitelist can be passed to data sources.

Meanwhile, can you help to elaborate more about your setup, specifically my questions are:

This information can help us to understand your use case better and choose which resolution option better fits your use case.
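The second option in the comment above (an asScoped-style client that relays only the headers named in requestHeadersWhitelist) can be illustrated with a small header-selection routine. This is an added example, not OpenSearch Dashboards code; the function names, the header names and the sample request are all constructed here to show the behaviour, and the proxy header names are assumptions rather than the project's configuration.

```typescript
// Added example (not OpenSearch Dashboards code): relay only whitelisted
// auth headers from the browser request to a data-source request, so that
// per-user security and audit logging work on the data source while
// unrelated headers (e.g. the Dashboards session cookie) are never forwarded.

type Headers = Record<string, string>;

// HTTP header names are case-insensitive, so normalise keys before matching.
function normaliseHeaders(h: Headers): Headers {
  const out: Headers = {};
  for (const [k, v] of Object.entries(h)) out[k.toLowerCase()] = v;
  return out;
}

// Keep only the headers listed in the whitelist (equivalent in spirit to
// requestHeadersWhitelist). Everything else from the incoming request is dropped.
function selectForwardedHeaders(incoming: Headers, whitelist: string[]): Headers {
  const src = normaliseHeaders(incoming);
  const forwarded: Headers = {};
  for (const name of whitelist.map((n) => n.toLowerCase())) {
    if (name in src) forwarded[name] = src[name];
  }
  return forwarded;
}

// Headers for the outgoing data-source call. The data source's own fixed
// headers are applied last so a relayed header can never override them.
// If none of the whitelisted identity headers is present the caller should
// not silently fall through to an unauthenticated request, so we signal it.
function buildDataSourceHeaders(
  incoming: Headers,
  whitelist: string[],
  fixed: Headers,
): { headers: Headers; hasUserIdentity: boolean } {
  const relayed = selectForwardedHeaders(incoming, whitelist);
  return {
    headers: { ...relayed, ...normaliseHeaders(fixed) },
    hasUserIdentity: Object.keys(relayed).length > 0,
  };
}

// Constructed sample of a browser -> proxy -> dashboards request in a
// proxy-auth setup. Header names and values are made up for this example.
const sampleIncoming: Headers = {
  'X-Proxy-User': 'alice',
  'X-Proxy-Roles': 'analyst',
  Cookie: 'security_authentication=constructed-session-token',
  'X-Forwarded-For': '203.0.113.5',
  'Content-Type': 'application/json',
};

// Assumed whitelist: only the two proxy-auth identity headers are relayed.
const proxyAuthWhitelist = ['x-proxy-user', 'x-proxy-roles'];

const result = buildDataSourceHeaders(sampleIncoming, proxyAuthWhitelist, {
  'Content-Type': 'application/json',
});
console.log(result.headers, 'user identity present:', result.hasUserIdentity);
```

The audit-log requirement from the original report is what makes the hasUserIdentity flag worth having: a relayed request that arrives at the data source without the identity headers would be attributed to whatever the client's fallback credentials are, not to the Dashboards user.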

jackevans43 commented 1 year ago

Hi @zengyan-amazon, no problem! Maybe there needs to be an additional authentication option in the multi-datasource feature to use whatever is configured by opensearch_security.auth.type to access the data source?

I'm currently using proxy auth:

public network | private network
               |
  browser -> proxy -> dashboards -> opensearch 1 (proxy auth)
               |               |
               |               +--> opensearch 2 (proxy auth)

As opensearch 1 is configured as opensearch.hosts, it's also used to store the .opensearch_dashboards index, which Dashboards uses its own credentials for (but it passes through the proxy headers for all user queries).

I'd like the ability to use whatever authentication method is configured in Dashboards' opensearch_security.auth.type for data sources. For me this is currently proxy auth, but others might need basic auth, SAML, OIDC etc.

zengyan-amazon commented 1 year ago

Hi @jackevans43, thank you for sharing your setup!

Based on what you described, I think it makes sense to add another auth type for data source connections, which relays whatever auth info is sent from the browser to OSD on to the backend OpenSearch data sources.

Please note that in order to make passing through the auth info work with data sources, opensearch1 and opensearch2 should have the same authN configurations. This means that in the case of basic auth, the same username and password should exist in both the opensearch1 and opensearch2 internal user databases; in the case of OIDC, they should be configured as the same application in the IdP, meaning they share the same client/secret; and in the case of SAML, they should share the same SAML metadata with the same 'signingKey'.