401 Unauthorized when POSTing on _bulk using CORS

Hello,

I’m trying to POST on _bulk on an index from another page, but it doesn’t ask for credentials and I get a “401 Unauthorized” response.

Here is my page code for sending the request:

const url = "https://my.server:9209/my-index/_bulk";
const req1 = new XMLHttpRequest();
req1.open("POST", url, false); // third argument false = synchronous request
req1.setRequestHeader("Access-Control-Allow-Origin", "*"); // this is a response header; it has no effect when sent by the client
req1.setRequestHeader("Content-Type", "application/x-ndjson");
req1.setRequestHeader("X-Requested-With", "XMLHttpRequest");
req1.send(objtopost); // objtopost holds the NDJSON bulk body

And my opensearch.yml configuration:

# WARNING: revise all the lines below before you go into production
# https://opensearch.org/docs/latest/security-plugin/configuration/tls/
plugins.security.disabled: false
# TRANSPORT LAYER TLS
plugins.security.ssl.transport.pemcert_filepath: ./node-cert.pem
plugins.security.ssl.transport.pemkey_filepath: ./node-key.pem
# plugins.security.ssl.transport.pemkey_password: NO PASSWORD FOR KEY
plugins.security.ssl.transport.pemtrustedcas_filepath: ./node-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
# REST LAYER TLS
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: ./node-cert.pem
plugins.security.ssl.http.pemkey_filepath: ./node-key.pem
#plugins.security.ssl.http.pemkey_password: NO PASSWORD FOR KEY
plugins.security.ssl.http.pemtrustedcas_filepath: ./node-ca.pem

plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - [...]
plugins.security.nodes_dn:
  - [...]
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

# For FSCrawler https://forum.opensearch.org/t/alternative-to-fscrawler-in-opensearch/7157/7
compatibility.override_main_response_version: true

## Enabling CORS
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "access-control-allow-origin,X-Requested-With,X-Auth-Token,Content-Type,Content-Length,X-User,Authorization"
http.cors.allow-credentials: true

PS: When I was using Elasticsearch this was working fine, but it looks like the configuration with OpenSearch must be different.

Any ideas? Tell me if I forgot anything.

Thanks!

@JorisV
The user/password would definitely need to be specified.
Can you try to add the line below (with the correct username and password):

req1.setRequestHeader('Authorization', 'Basic ' + btoa('user:password'));

If this doesn’t work, have you tried a normal curl query? Is the issue only with _bulk?
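As an added example (not code from this thread), Anthony's suggestion wrapped in a small page-side helper: the page builds the NDJSON bulk body, sends Basic credentials it collected itself (for instance from its own login form), and reacts to a 401 in its own callback, because a header set by script is not routed through the browser's login prompt. The base URL, index name and callback are assumptions.

```javascript
// Added example: browser-side bulk request with explicit Basic credentials.
// Assumed names: baseUrl, indexName, onUnauthorized (not from the original post).

// Build the NDJSON body for _bulk: one action line and one document line per
// document, each terminated by "\n" (the trailing newline is required).
function buildBulkBody(indexName, docs) {
  return docs
    .map((doc) =>
      JSON.stringify({ index: { _index: indexName } }) + "\n" +
      JSON.stringify(doc) + "\n")
    .join("");
}

// Encode "user:password" for the Authorization header.
// btoa is used in the browser; Buffer is the fallback when run under Node.
function basicAuthHeader(user, password) {
  const raw = `${user}:${password}`;
  const encoded = typeof btoa === "function"
    ? btoa(raw)
    : Buffer.from(raw, "utf8").toString("base64");
  return "Basic " + encoded;
}

// Request headers the preflight must allow; the thread's config lists
// Authorization and Content-Type in http.cors.allow-headers.
function bulkRequestHeaders(user, password) {
  return {
    "Content-Type": "application/x-ndjson",
    "Authorization": basicAuthHeader(user, password),
  };
}

// Send the bulk request asynchronously. Credentials should come from the
// page's own login form at call time, never be hard-coded in the script.
// On 401 the page decides what to do (e.g. show the form again and retry).
function sendBulk(baseUrl, indexName, docs, user, password, onUnauthorized) {
  const req = new XMLHttpRequest();
  req.open("POST", `${baseUrl}/${indexName}/_bulk`, true);
  const headers = bulkRequestHeaders(user, password);
  Object.keys(headers).forEach((name) => req.setRequestHeader(name, headers[name]));
  req.onload = () => {
    if (req.status === 401 && typeof onUnauthorized === "function") {
      onUnauthorized(req); // no browser prompt will appear; the page handles it
    }
  };
  req.send(buildBulkBody(indexName, docs));
  return req;
}
```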

@Anthony
Yes, this is working! But I need a challenge in the browser to allow the user to enter their credentials.

With a curl query I get “401 Unauthorized” unless I add the -u option with my username.

@JorisV Can you elaborate on the setup?

Are you building a web page that, when clicked, will send a request to a server (the code you copied), which will then contact OpenSearch?

If that is the case, then the challenge will not happen in the browser, as from the point of view of OpenSearch the client is the server sending the request (not the browser). Therefore, if credentials are needed, this will have to be handled by the server before it sends the request to OpenSearch. The challenge is indeed issued to the server; however, as there is no mechanism to handle it, it comes back with a 401.

If my understanding of the topology is not correct, please elaborate.