opensearch-project / OpenSearch-Dashboards

📊 Open source visualization dashboards for OpenSearch.
https://opensearch.org/docs/latest/dashboards/index/
Apache License 2.0

[BUG][opensearch-dashboards] opensearch_security.auth.type not a valid key #7308

Open rdvansloten opened 4 months ago

rdvansloten commented 4 months ago

Describe the bug

When attempting to leverage the security plugin, Dashboards pods crash and tell me:

{"type":"log","@timestamp":"2024-07-16T09:32:18Z","tags":["fatal","root"],"pid":1,"message":"InvalidConfigurationError: Unknown configuration key(s): \"​opensearch_security.auth.type\". Check for spelling errors and ensure that expected plugins are installed.\n    at ensureValidConfiguration (/usr/share/opensearch-dashboards/src/core/server/legacy/config/ensure_valid_configuration.js:50:11)\n    at Server.setup (/usr/share/opensearch-dashboards/src/core/server/server.js:156:5)\n    at Root.setup (/usr/share/opensearch-dashboards/src/core/server/root/index.js:60:14)\n    at bootstrap (/usr/share/opensearch-dashboards/src/core/server/bootstrap.js:113:5)\n    at Command.<anonymous> (/usr/share/opensearch-dashboards/src/cli/serve/serve.js:192:5) {\n  code: 'InvalidConfig',\n  processExitCode: 64,\n  cause: undefined\n}"}

To Reproduce

Steps to reproduce the behavior:

  1. Go to your values.yaml
  2. Go to the docs to get the args:
  3. https://opensearch.org/docs/latest/security/configuration/multi-auth/#enabling-multiple-authentication-options
  4. https://opensearch.org/docs/latest/security/authentication-backends/saml/#opensearch-dashboards-configuration
  5. Add this in:

    config:
      opensearch_dashboards.yml: |
        opensearch.hosts: [https://localhost:9200]
        opensearch.ssl.verificationMode: none
        opensearch.username: kibanaserver
        opensearch.password: kibanaserver
        opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
        opensearch_security.multitenancy.enabled: true
        opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
        opensearch_security.readonly_mode.roles: [kibana_read_only]

        # Use this setting if you are running opensearch-dashboards without https
        opensearch_security.cookie.secure: false
        server.host: '0.0.0.0'
        ​opensearch_security.auth.type: ["basicauth","saml"]
        opensearch_security.auth.multiple_auth_enabled: true

It does accept opensearch_security.auth.multiple_auth_enabled: true when I comment ​opensearch_security.auth.type: out, and boots up "correctly."

Expected behavior

I expected to be able to config SAML.

Chart Name

opensearch-dashboards, latest

Additional context

Opensearch Helm values.yaml config:

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  config:
    dynamic:
      authc:
        saml_auth_domain:
          http_enabled: true
          transport_enabled: false
          order: 1
          http_authenticator:
            type: saml
            challenge: true
            config:
              idp:
                metadata_url: https://login.microsoftonline.com/REDACTED
    #SAML's metadata url, provided by your IdP
                Entity_id: https://sts.windows.net/REDACTED/
    #SAML's IdP entity ID, provided by your IdP
              sp:
                entity_id: opensearch-ad-sso
              kibana_url: REDACTED/_dashboards
              roles_key: Roles
              exchange_key: "REDACTED"
          authentication_backend:
            type: noop
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: intern

Opensearch plugin list:

[opensearch@opensearch-cluster-master-0 ~]$ bin/opensearch-plugin list
opensearch-alerting
opensearch-anomaly-detection
opensearch-asynchronous-search
opensearch-cross-cluster-replication
opensearch-custom-codecs
opensearch-flow-framework
opensearch-geospatial
opensearch-index-management
opensearch-job-scheduler
opensearch-knn
opensearch-ml
opensearch-neural-search
opensearch-notifications
opensearch-notifications-core
opensearch-observability
opensearch-performance-analyzer
opensearch-reports-scheduler
opensearch-security
opensearch-security-analytics
opensearch-skills
opensearch-sql

Divyaasm commented 4 months ago

[Triage] Transfer to OpenSearch-Dashboards repo

e-scheer commented 1 day ago

Any news regarding that problem? How can I activate SAML without that functionality?

Hailong-am commented 23 hours ago

​opensearch_security.auth.type: ["basicauth","saml"] opensearch_security.auth.multiple_auth_enabled: true

@e-scheer When I copy the setting you shared into my editor, it looks like there is some special character before the o; you might need to delete it and re-type it with the correct character.

By the way, the configuration is correct.
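An added example, not part of the original thread or the project's code: a Python check that flags invisible or look-alike whitespace characters in a config file before it is deployed, the kind of character the comment above describes. The sample config is constructed, and its use of U+200B is an assumption made for illustration.

```python
import sys
import unicodedata

# Constructed sample: the second key starts with U+200B (ZERO WIDTH SPACE),
# written as an escape so it is visible in this listing.
SAMPLE = (
    "opensearch_security.cookie.secure: false\n"
    "\u200bopensearch_security.auth.type: [\"basicauth\",\"saml\"]\n"
    "opensearch_security.auth.multiple_auth_enabled: true\n"
)

# Unicode categories that render as nothing or as a look-alike blank:
# Cf = format (zero-width space/joiner, BOM), Cc = control,
# Zs/Zl/Zp = space, line and paragraph separators.
SUSPECT_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}
# Ordinary whitespace that is expected in a YAML file.
ALLOWED = {" ", "\t", "\r"}


def find_hidden_chars(text):
    """Return (line, column, 'U+XXXX', name) for each suspect character."""
    findings = []
    # Split on "\n" only: str.splitlines() would also break on U+2028/U+2029
    # and swallow exactly the characters this check is looking for.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ALLOWED:
                continue
            if unicodedata.category(ch) in SUSPECT_CATEGORIES:
                name = unicodedata.name(ch, "<unnamed>")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    hits = find_hidden_chars(content)
    for lineno, col, codepoint, name in hits:
        print(f"line {lineno}, col {col}: {codepoint} {name}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets the check run as a pre-deploy or CI step against the rendered `opensearch_dashboards.yml`.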
