Open hagaram opened 1 month ago
@hagaram thanks for opening.
@opensearch-project/admin please re-direct this to security dashboards plugin.
[Triage] @hagaram can you provide some more information about your setup? Are you using basepath with opensearch dashboards? There was a recent fix for dashboards with base path, but it will be released in 2.15: https://github.com/opensearch-project/security-dashboards-plugin/pull/1899.
Thank you very much for replying @derek-ho. Sure!
This is opensearch security plugins config:
```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #server_username: kibanaserver
    #index: '.kibana'
    # OpenID settings
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
    authc:
      # In order for Dashboards to access OpenSearch, you must first use
      # authentication_backend.type: internal
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: true
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://XXXXXX.XXXXX.XXXXX/realms/XXXXXX/.well-known/openid-configuration
            kibana_url: https://XXXXX.XXXXXX.XXXX
        authentication_backend:
          type: noop
    authz: {}
```
OSE dashboard config
```yaml
server.port: 5601
server.host: "0.0.0.0"
opensearch.hosts: ["https://XXXXX.XXXXXX.XXXX:9200","https://XXXX.XXXX.XXXX:9200","https://XXXXX.XXX.XXXXX:9200"]
opensearch.username: "XXXXXXX"
opensearch.password: "XXXXXXXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch.ssl.verificationMode: "full"
*****
opensearch_security.cookie.secure: true
# OpenID settings
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.base_redirect_url: "https://XXXX.XXXX.XXX"
opensearch_security.openid.client_id: "XXXX.XXXX.XXXX"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "XXXXXXXXX"
opensearch_security.openid.connect_url: "https://XXXXX.XXXX.XXXX/realms/XXXX/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true
opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true
opensearch_security.ui.openid.login.buttonname: Sign in with XXXXXXX ID
opensearch.requestTimeout: 1200000
opensearch_security.openid.refresh_tokens: true
```
Is your feature request related to a problem? Please describe.
When a user has OpenSearch Dashboards open in the browser, leaves the PC for a few hours and returns, the session might be logged out. But the user was browsing some URL before he was logged out and would like to return to the same page after login.
The same behaviour occurs if someone sends the user a link, e.g. to some search: he is redirected to login via SSO, and after login he ends up on the "home page" of OpenSearch, not on the requested URL.
Describe the solution you'd like
OpenSearch should remember, or somehow communicate with the IdP: A) the URL he was browsing before the logout, B) the URL he's trying to access before login.
Describe alternatives you've considered
Nothing comes to my mind really.