Open nitinjagjivan opened 8 months ago
[Triage] @cwperks will take a look and follow up here if there is an actual bug or if there is a misconfiguration.
I think I see what the problem is. I just tried to configure this using certs that were not part of the admin dn list (i.e. plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']) and received this error:
server log [20:48:17.181] [error][plugins][securityDashboards] StatusCodeError: Authorization Exception
at respond (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
at checkRespForFailure (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
at HttpConnector.<anonymous> (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
at IncomingMessage.wrapper (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/lodash/lodash.js:4991:19)
at IncomingMessage.emit (node:events:529:35)
at IncomingMessage.emit (node:domain:489:12)
at endReadableNT (node:internal/streams/readable:1400:12)
at processTicksAndRejections (node:internal/process/task_queues:82:21) {
status: 403,
displayName: 'AuthorizationException',
path: '/_plugins/_security/tenantinfo',
query: {},
body: undefined,
statusCode: 403,
response: '',
toString: [Function (anonymous)],
toJSON: [Function (anonymous)]
}
Unhandled Promise rejection detected:
StatusCodeError: Authorization Exception
at respond (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
at checkRespForFailure (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
at HttpConnector.<anonymous> (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
at IncomingMessage.wrapper (/Users/cwperx/Projects/opensearch/OpenSearch-Dashboards/node_modules/lodash/lodash.js:4991:19)
at IncomingMessage.emit (node:events:529:35)
at IncomingMessage.emit (node:domain:489:12)
at endReadableNT (node:internal/streams/readable:1400:12)
at processTicksAndRejections (node:internal/process/task_queues:82:21) {
The problem is how it's authorized here, though I am not sure yet why it's trying to authorize as the cert user rather than the internal user, which is the one making the call.
I was able to get around the issue by changing the order of the authenticators so that the clientcert authenticator came after the basic authenticator.
@nitinjagjivan Does switching the order of the authenticators help?
@cwperks, I tried changing the order but unfortunately it didn't work.
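The reordering suggested in the comments above, sketched as an added example (not taken from the thread or from the reporter's cluster): the `authc` section of the security plugin's `config.yml` with the basic domain evaluated before the client-certificate domain. The domain names and the `username_attribute` value are assumptions; only the relative `order` values reflect what the comment describes.

```yaml
# Added illustration, not the reporter's configuration.
# Domain names below are assumed; adapt them to the names in your own config.yml.
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0                    # evaluated first: username/password from the request
        http_authenticator:
          type: basic
          challenge: false          # do not stop the chain when no basic credentials are sent
        authentication_backend:
          type: internal            # internal user database
      clientcert_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1                    # evaluated second: identity taken from the TLS client cert
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn  # assumed; if omitted, the full DN becomes the username
          challenge: false
        authentication_backend:
          type: noop                # the certificate itself is the credential
```

With this ordering, a request that carries both a client certificate and basic credentials is resolved to the basic-auth user first; the certificate DN is used only when no basic credentials are present.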
Describe the bug
For security, I want to make client certificate authentication mandatory on the OpenSearch nodes. Following Client certificate authentication - OpenSearch documentation, I set:
plugins.security.ssl.http.clientauth_mode: "REQUIRE"
The OpenSearch nodes are able to communicate, and I can make API calls using client certs and the admin username/password. The Dashboard can’t connect. Has anyone got this working?
To Reproduce
Deploy opensearch and opensearch-dashboards with below settings:
opensearch.yml
opensearch-dashboard.yml
Expected behavior
opensearch-dashboard login page should accept existing username password.
OpenSearch Version v2.9.0
Dashboards Version v2.9.0
Environment deployed using helm