2 Factor Authentication

keks · October 20, 2021, 1:28pm

Hello OpenSearch Community!

Does anybody have a clue on the possible options for 2-Factor-Auth with OpenSearch ideally with Google’s 2FA?

It seems to me that I need to deploy some plugin for Dashboards, like:

At this point, I have 2 questions:

Is there any other applicable solution for Opensearch Dashboards 2FA?
Is there any documentation on plugin development for opensearch?

Thank you and have a nice day.

Anthony · October 21, 2021, 9:03am

@keks
Maybe I misunderstand the question,
But have you tried to configure Google as OpenID authentication in OS?
When this is set up it “should” be straight forward to enable 2FA from Google Cloud Console. Therefore I do not see a need for any additional plugin.
I have previously got it working with google using OpenID and test users, have yet to try MFA, but there is an article here that might help
Maybe I missed some requirement though, let me know

keks · October 21, 2021, 12:09pm

@Anthony
Thank you for your response.
I am deploying OpenSearch on my own infrastructure, not using any AWS or GCP etc. Can I still use Google for authentication? If so, how would I configure Google as OpenID authentication in OS?

I know in OpenDistro people also used Keycloak as authentication provider, but is there a plugin for this for opensearch?

Anthony · October 21, 2021, 12:35pm

@keks I had it working using local running instance of OS, therefore it’s definitely possible.
The configuration is the same as any other openID config, the part in config.yml would look something like this:

openid:
  http_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: true
    config:
      openid_connect_url: "https://accounts.google.com/.well-known/openid-configuration"
      subject_key: "name"
      roles_key: "" # can't retrieve roles from Google
   authentication_backend:
     type: noop

OpensearchDashboard.yml:

opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration"
opensearch_security.openid.client_id: ".....apps.googleusercontent.com"
opensearch_security.openid.client_secret: "...."
opensearch_security.openid.base_redirect_url: "https://localhost:5601"

Regarding the actual google side, there are various tutorials out there, not sure which one is the most updated one, you will need to have a look.

Hope this helps

keks · October 23, 2021, 9:20am

Aah, so it is really possible to use some openid connector. Cool cool! So this I cannot do from docker-compose.yml, can I? Instead I should be using the distributions from the opensearch website, am I correct?
Also in your response above you mentioned the config.yml. Is this config from the openid connector, or from opensearch? it is definately not from dashbords, i guess… Sorry for noob questions

Anthony · October 24, 2021, 8:12pm

@keks You can use docker-compose yes, in fact this is how I had it running.

The config.yml file I mentioned is the security config located in /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ if you are using docker.

Hope this helps

Topic		Replies	Views
Opensearch Dashboards Returning 500 when logout using Dex OpenSearch Dashboards discuss , troubleshoot	0	836	May 12, 2022
Multi factor authentication in opensearch, opensearch dashboards Security	6	645	March 20, 2023
OpenID 401 Unauthorized with Keycloak Security troubleshoot , configure	14	3179	August 3, 2022
OpenID(keycloak) 401 Unauthorized Security	10	2241	January 10, 2023
Opensearch-dashboard + keycloak Security	1	423	July 12, 2022

2 Factor Authentication

Related topics