search

opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
68 stars 148 forks source link

[BUG] Session expiration and keepalive settings ignored #2021

Open hagaram opened 2 weeks ago

hagaram commented 2 weeks ago

What is the bug? These options seems to be ignored

opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true

I have no issue with frequent logouts, but with that that cookie is set as “session cookie” regardless of what I configure. This also happens when local account is used (tried with admin) - only difference is that with local login there is one cookie set: security_authentication With oidc login there is security_authentication AND security_authentication_oidc1.

In both cases the cookie is deleted after browser is closed. If I modify expiration date of cookie, everything work after closing and reopening the browser, but security_authentication is set back to session cookie, so I have to change it back with expiration, if I want to to live trought another browser closing.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Log in to opensearch dashboards and inspect the cookies
  2. close browser
  3. open browser
  4. relogin is needed and cookies are gone

What is the expected behavior? Continue work with OSD without the need to relogin again

What is your host/environment?

Do you have any additional context?

scrawfor99 commented 1 week ago

[Triage] Hi @hagaram thanks for filing this issue. @derek-ho has taken a look at similar issue in the past so will check into this use case and see if that is something we are able to support.

hagaram commented 1 week ago

@scrawfor99 @derek-ho Thank you very much for taking a look at this.

If it helps anything, here is OSD config.

server.port: 5601
server.host: "0.0.0.0"
opensearch.hosts: ["https://xxxx.XXXXXXXX:9200","https://xxx.XXXXXXXX:9200","https://xxx.XXXXXXXX:9200"]
opensearch.username: "XXXXXXXXXX"
opensearch.password: "XXXXXXXXXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]

opensearch_security.multitenancy.enabled: false
# opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

opensearch.ssl.verificationMode: "full"
opensearch.ssl.certificate: "/usr/share/opensearch-dashboards/config/esnode.pem"
opensearch.ssl.key: "/usr/share/opensearch-dashboards/config/esnode-key.pem"
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem" ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/rest-esnode.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/rest-esnode-key.pem
server.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/rest-root-ca.pem" ]

opensearch_security.cookie.secure: true

# OpenID settings -> IDP used is Keycloak
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true

opensearch_security.openid.base_redirect_url: "https://xXXXXXX.XXXXXXXX"
opensearch_security.openid.client_id: "XXXXXXX.XXXXXXXX"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "XXXXXXXXX"
opensearch_security.openid.connect_url: "https://XXXXX.XXXXXX.XXXXX/realms/XXXXXX/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true

opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
#I've tried to change the bellow two setting to true/false - no effect regarding this issue
#opensearch_security.session.keepalive: false
#opensearch_security.openid.refresh_tokens: true
opensearch_security.ui.openid.login.buttonname: "Sign in with XXXXXX ID"

And here is security plugins config

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: true
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://XXXXXX.XXXXX.XXXXX/realms/XXXXXX/.well-known/openid-configuration
            kibana_url: https://XXXXX.XXXXX.XXXXX
        authentication_backend:
          type: noop
    authz: {}