opensearch-project / helm-charts

:wheel_of_dharma: A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG][Chart Name]Unable to use the saml in opensearch config #496

Closed tarnjeetsingh closed 11 months ago

tarnjeetsingh commented 11 months ago

Description

I am trying to add SAML as the backend as per the official documentation. It is mounted as such, but when it tries to run during the bootstrapping it gives the following error:

    [2023-11-07T17:49:59,675][ERROR][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-2] Cannot apply default config (this is maybe not an error!)
    java.security.PrivilegedActionException: null
        at java.security.AccessController.doPrivileged(AccessController.java:573) ~[?:?]
        at org.opensearch.security.support.ConfigHelper.uploadFile(ConfigHelper.java:86) ~[opensearch-security-2.9.0.0.jar:2.9.0.0]
        at org.opensearch.security.support.ConfigHelper.uploadFile(ConfigHelper.java:65) ~[opensearch-security-2.9.0.0.jar:2.9.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.lambda$new$0(ConfigurationRepository.java:146) [opensearch-security-2.9.0.0.jar:2.9.0.0]
        at java.lang.Thread.run(Thread.java:833) [?:?]
    Caused by: com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while parsing a block mapping
     in 'reader', line 32, column 11:
        type: saml
        ^
    expected , but found ''
     in 'reader', line 42, column 13:
        exchange_key: "e2fc20c4cca8f4242 ...
        ^
     at [Source: (FileReader); line: 42, column: 13]

If tried manually, it reports an issue with the OpenSearch Security 7 format:

    ERR: Seems ../../../config/opensearch-security/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while parsing a block mapping
     in 'reader', line 32, column 11:
        type: saml
        ^
    expected , but found ''
     in 'reader', line 42, column 13:
        exchange_key: "e2fc20c4cca8f4242 ...
        ^
     at [Source: (FileReader); line: 42, column: 13]

To Reproduce

Steps to reproduce the behavior:

  1. Install the opensearch chart with version opensearch-2.14.1
  2. Use the following config for authc; the rest is all default:

        authc:
          saml_auth_domain:
            http_enabled: true
            transport_enabled: false
            order: 1
            http_authenticator:
              type: saml
              challenge: true
              config:
                idp:
                  metadata_url:
                  Entity_id:
                sp:
                  entity_id:
                kibana_url:
                roles_key: Roles
                exchange_key:
            authentication_backend:
              type: noop
          kerberos_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 6
            http_authenticator:
              type: kerberos
              challenge: true
              config:
                # If true a lot of kerberos/security related debugging output will be logged to standard out
                krb_debug: false
                # If true then the realm will be stripped from the user name
                strip_realm_from_principal: true
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 4
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          proxy_auth_domain:
            description: "Authenticate via proxy"
            http_enabled: false
            transport_enabled: false
            order: 3
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: noop
          jwt_auth_domain:
            description: "Authenticate via Json Web Token"
            http_enabled: false
            transport_enabled: false
            order: 0
            http_authenticator:
              type: jwt
              challenge: false
              config:
                signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
                jwt_header: "Authorization"
                jwt_url_parameter: null
                jwt_clock_skew_tolerance_seconds: 30
                roles_key: null
                subject_key: null
            authentication_backend:
              type: noop

Expected behavior

SAML config should be uploaded and usable.

Chart Name

opensearch-2.14.1


rishabh6788 commented 11 months ago

@tarnjeetsingh This seems more like an issue with YAML parsing. Can you please refer to https://github.com/opensearch-project/helm-charts/issues/268 to see a sample config.yml, modify your settings according to that, and then try? CC: @prudhvigodithi

tarnjeetsingh commented 11 months ago

Yes, it was resolved. Actually, it was the secret mounts that were creating a mess in the security config; figured that out. Thanks for the help.
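
Added example (not part of the thread and not the chart's or the security plugin's code): a pre-flight check, in Ruby with only the standard library, that parses a rendered security `config.yml` before it is mounted and reports either the YAML syntax error or SAML settings that came out empty. The function names, the sample document and the list of SAML keys treated as mandatory are assumptions of this example.

```ruby
require 'yaml'

# Keys the SAML domain in the post sets; treating all as mandatory is an assumption.
SAML_KEYS = [%w[idp metadata_url], %w[idp entity_id], %w[sp entity_id],
             %w[kibana_url], %w[exchange_key]].freeze

# Walks nested mappings and yields nil (not an exception) on a wrong shape.
def dig_safe(node, path)
  path.reduce(node) { |n, key| n.is_a?(Hash) ? n[key] : nil }
end

# Returns findings for a rendered security config.yml; an empty list means OK.
def check_security_config(text)
  authc = dig_safe(YAML.safe_load(text), %w[config dynamic authc])
  return ['config.dynamic.authc is missing or not a mapping'] unless authc.is_a?(Hash)
  authc.flat_map do |name, domain|
    type = dig_safe(domain, %w[http_authenticator type])
    found = []
    found << "#{name}: http_authenticator.type is missing" unless type
    found << "#{name}: authentication_backend.type is missing" unless dig_safe(domain, %w[authentication_backend type])
    next found unless type == 'saml' && domain['http_enabled']
    SAML_KEYS.each do |path|
      value = dig_safe(domain, %w[http_authenticator config] + path)
      found << "#{name}: http_authenticator.config.#{path.join('.')} is empty" if value.to_s.strip.empty?
    end
    found
  end
rescue Psych::SyntaxError => e
  # Psych's message names a line and column, as the MarkedYAMLException above does.
  ["YAML syntax error: #{e.message}"]
end

# Constructed sample (placeholder hosts and key), not the reporter's file.
GOOD = <<~YAML
  config:
    dynamic:
      authc:
        saml_auth_domain:
          http_enabled: true
          http_authenticator:
            type: saml
            config:
              idp: {metadata_url: "https://idp.example.test/metadata", entity_id: "idp-id"}
              sp: {entity_id: "sp-id"}
              kibana_url: "https://dashboards.example.test"
              exchange_key: "constructed-placeholder-0123456789abcdef"
          authentication_backend: {type: noop}
YAML
SHIFTED = GOOD.sub('exchange_key', '  exchange_key')  # key pushed two columns right
BLANK = GOOD.sub(/exchange_key: .*/, 'exchange_key:') # value rendered empty
[GOOD, SHIFTED, BLANK].each { |text| puts check_security_config(text).inspect }
```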