Anonymous Dashboard Access

Hello Everyone,

Using the official documentation I have to set up anonymous dashboard access, but when I browse to http://host:5601 or http://host:5601/auth/anonymous I am still prompted for a username and password.

The following is what I added/updated in the configs.

opensearch… … config.yml

    http:
      anonymous_auth_enabled: true

opensearch_dashboards.yml

opensearch_security.auth.anonymous_auth_enabled: true

opensearch… … roles.yml

##  Added for anonymous read only access.
anonymous_users_role:
  reserved: false
  hidden: false
  cluster_permissions:
    - "*"
  index_permissions:
    - index_patterns:
        - "smtp_data_*"
      allowed_actions:
        - "read"

opensearch… … roles_mapping.yml

anonymous_users_role:
  reserved: false
  hidden: false
  backend_roles:
  - "opendistro_security_anonymous_backendrole"
  description: "Added for anonymous read only access"

Cheers,
Eddie.

@big-edd This configuration should work. How do you deploy your cluster?
What is the version of your OS deployment?

Deployed with docker compose.
Built FROM opensearchproject/opensearch-dashboards:latest

Maybe this will help a little… …

$ docker logs -n 0 --follow feedsearch-dash-1
{"type":"log","@timestamp":"2024-04-17T03:42:51Z","tags":["info","plugins","securityDashboards"],"pid":1,"message":"The Redirect Path is /"}
{"type":"log","@timestamp":"2024-04-17T03:42:51Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed authentication: Error: Authentication Exception. Redirecting to Login Page"}
{"type":"response","@timestamp":"2024-04-17T03:42:51Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/anonymous","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","upgrade-insecure-requests":"1"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"},"res":{"statusCode":302,"responseTime":45,"contentLength":9},"message":"GET /auth/anonymous 302 45ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:51Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/app/login","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","upgrade-insecure-requests":"1"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"},"res":{"statusCode":200,"responseTime":15,"contentLength":9},"message":"GET /app/login 200 15ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:51Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/logos/opensearch_spinner_on_light.svg","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"image/avif,image/jxl,image/webp,*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":32,"contentLength":9},"message":"GET /ui/logos/opensearch_spinner_on_light.svg 200 32ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:51Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/logos/opensearch_mark_on_light.svg","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"image/avif,image/jxl,image/webp,*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":36,"contentLength":9},"message":"GET /ui/logos/opensearch_mark_on_light.svg 200 36ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:51Z","tags":["api"],"pid":1,"method":"get","statusCode":304,"req":{"url":"/bootstrap.js","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login","if-none-match":"\"119fe1a7a96933af6169ac5c2ad34bb90f792421-gzip\""},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":304,"responseTime":48,"contentLength":9},"message":"GET /bootstrap.js 304 48ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:51Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/fonts/source_sans_3/SourceSans3-Regular.ttf.woff2","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"identity","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":251,"contentLength":9},"message":"GET /ui/fonts/source_sans_3/SourceSans3-Regular.ttf.woff2 200 251ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:52Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/apple-touch-icon.png","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"image/avif,image/jxl,image/webp,*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":10,"contentLength":9},"message":"GET /ui/favicons/apple-touch-icon.png 200 10ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:52Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"image/avif,image/jxl,image/webp,*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":15,"contentLength":9},"message":"GET /ui/favicons/favicon-16x16.png 200 15ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:53Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/7326/bundles/osd-ui-shared-deps/osd-ui-shared-deps.v8.light.css","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"text/css,*/*;q=0.1","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /7326/bundles/osd-ui-shared-deps/osd-ui-shared-deps.v8.light.css 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:53Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/7326/bundles/osd-ui-shared-deps/osd-ui-shared-deps.css","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"text/css,*/*;q=0.1","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /7326/bundles/osd-ui-shared-deps/osd-ui-shared-deps.css 200 4ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:53Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/node_modules/@osd/ui-framework/dist/kui_next_light.css","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"text/css,*/*;q=0.1","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":21,"contentLength":9},"message":"GET /node_modules/@osd/ui-framework/dist/kui_next_light.css 200 21ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:53Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/legacy_light_theme.css","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"text/css,*/*;q=0.1","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":18,"contentLength":9},"message":"GET /ui/legacy_light_theme.css 200 18ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:53Z","tags":[],"pid":1,"method":"get","statusCode":304,"req":{"url":"/translations/en.json","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","sec-gpc":"1","connection":"keep-alive","if-none-match":"\"37992637719f97813c3068cfbf877b2d3bb43b97\""},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":304,"responseTime":1,"contentLength":9},"message":"GET /translations/en.json 304 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"post","statusCode":401,"req":{"url":"/api/ism/apiCaller","method":"post","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","content-length":"82","origin":"http://poc-dash:5601","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"POST /api/ism/apiCaller 401 2ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/v1/restapiinfo","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /api/v1/restapiinfo 401 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/v1/configuration/account","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /api/v1/configuration/account 401 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/v1/auth/dashboardsinfo","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /api/v1/auth/dashboardsinfo 401 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"post","statusCode":200,"req":{"url":"/api/core/capabilities","method":"post","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","content-length":"759","origin":"http://poc-dash:5601","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":5,"contentLength":9},"message":"POST /api/core/capabilities 200 5ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/v1/configuration/account","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /api/v1/configuration/account 401 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/v1/multitenancy/tenant","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /api/v1/multitenancy/tenant 401 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/dataconnections","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://poc-dash:5601/app/login","content-type":"application/json","osd-version":"2.12.0","osd-xsrf":"osd-fetch","sec-gpc":"1","connection":"keep-alive"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /api/dataconnections 401 1ms - 9.0B"}
{"type":"response","@timestamp":"2024-04-17T03:42:55Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/logos/opensearch_on_light.svg","method":"get","headers":{"host":"poc-dash:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","accept":"image/avif,image/jxl,image/webp,*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","sec-gpc":"1","connection":"keep-alive","referer":"http://poc-dash:5601/app/login"},"remoteAddress":"172.28.246.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","referer":"http://poc-dash:5601/app/login"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /ui/logos/opensearch_on_light.svg 200 2ms - 9.0B"}

@big-edd Could you check if all the configuration files are correctly mapped in the OpenSearch and OpenSearch Dashboards containers?

Also please ensure that all mapped files belong to the opensearch user inside the containers.

@pablo

They look to be mapped OK, as I can see my additions/updates within the containers.


Dashboards:

$ cd /usr/share/opensearch-dashboards/config/

opensearch_dashboards.yml

$ ls -l opensearch_dashboards.yml
-rw-rw-r--. 1 opensearch-dashboards opensearch-dashboards 594 Apr 16 07:43 opensearch_dashboards.yml
$ grep opensearch_security.auth.anonymous_auth_enabled opensearch_dashboards.yml
opensearch_security.auth.anonymous_auth_enabled: true

OpenSearch:

$ cd /usr/share/opensearch/config/opensearch-security

config.yml

$ ls -l config.yml
-rw-rw-r--. 1 opensearch opensearch 10063 Apr 16 06:13 config.yml
$ grep anonymous_auth_enabled config.yml
      anonymous_auth_enabled: true

roles.yml

$ ls -l roles.yml
-rw-rw-r--. 1 opensearch opensearch 14478 Apr 16 07:51 roles.yml
$ grep -A 10 anonymous_users_role roles.yml
anonymous_users_role:
  reserved: false
  hidden: false
  cluster_permissions:
    - "*"
  index_permissions:
    - index_patterns:
        - "smtp_data_*"
      allowed_actions:
        - "read"

roles_mapping.yml

$ ls -l roles_mapping.yml
-rw-rw-r--. 1 opensearch opensearch 1021 Apr 16 08:19 roles_mapping.yml
$ grep -A 6 anonymous_users_role roles_mapping.yml
anonymous_users_role:
  reserved: false
  hidden: false
  backend_roles:
  - "opendistro_security_anonymous_backendrole"
  description: "Added for anonymous read only access"

Cheers,
Eddie.

@big-edd Thanks for checking. Could you run the below command against the OpenSearch node and share the results?

curl --insecure https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/authinfo?pretty

Output:

{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "172.21.0.1:43632",
  "backend_roles" : [
    "admin"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index",
    "all_access"
  ],
  "tenants" : {
    "global_tenant" : true,
    "admin_tenant" : true,
    "admin" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Since I do not see the anonymous user and role above, it is not using the config as expected?

Could this be why? … …

$ docker logs feedsearch-osearch-1 | grep roles
..  [WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch] File /usr/share/opensearch/config/opensearch-security/roles.yml has insecure file permissions (should be 0600)
..  [WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch] File /usr/share/opensearch/config/opensearch-security/roles_mapping.yml has insecure file permissions (should be 0600)
..  [INFO ][o.o.n.Node               ] [opensearch] node name [opensearch], node ID [q-k-tb_8Qjq1uf0q0MbOxQ], cluster name [docker-cluster], roles [ingest, remote_cluster_client, data, cluster_manager]
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Will update 'roles' with /usr/share/opensearch/config/opensearch-security/roles.yml and populate it with empty doc if file missing and populateEmptyIfFileMissing=false
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Index .opendistro_security already contains doc with id roles, skipping update.
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Will update 'rolesmapping' with /usr/share/opensearch/config/opensearch-security/roles_mapping.yml and populate it with empty doc if file missing and populateEmptyIfFileMissing=false
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Index .opendistro_security already contains doc with id rolesmapping, skipping update.

@big-edd With anonymous authentication enabled you don’t need to run the curl command with user and password. Please run the curl command as I posted in my last message. Share the output even if you get an error.

How did you update roles and roles_mapping? You must use either OpenSearch Dashboards or securityadmin.sh.

Also, please run the below command and share the output.

curl --insecure -u admin:<password> https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/securityconfig?pretty

Hello,

I only changed the config files to update roles and roles_mapping.
Did not realize that we must use either securityadmin.sh or OpenSearch Dashboards.
How do people automate it? We would like it to happen as the containers are deployed.

$ curl --insecure https://localhost:9200/_plugins/_security/authinfo?pretty

(No output). 

$ curl --insecure -u admin:********* https://localhost:9200/_plugins/_security/api/securityconfig?pretty

{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "private_tenant_enabled" : true,
        "default_tenant" : "",
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader" : "X-Forwarded-For"
        }
      },
      "authc" : {
        "jwt_auth_domain" : {
          "http_enabled" : false,
          "order" : 0,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "jwt",
            "config" : {
              "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key",
              "jwt_header" : "Authorization",
              "jwt_clock_skew_tolerance_seconds" : 30
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via Json Web Token"
        },
        "ldap" : {
          "http_enabled" : false,
          "order" : 5,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(sAMAccountName={0})"
            }
          },
          "description" : "Authenticate via LDAP or Active Directory"
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "order" : 4,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "intern",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic against internal users database"
        },
        "proxy_auth_domain" : {
          "http_enabled" : false,
          "order" : 3,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "proxy",
            "config" : {
              "user_header" : "x-proxy-user",
              "roles_header" : "x-proxy-roles"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via proxy"
        },
        "clientcert_auth_domain" : {
          "http_enabled" : false,
          "order" : 2,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "clientcert",
            "config" : {
              "username_attribute" : "cn"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via SSL client certificates"
        },
        "kerberos_auth_domain" : {
          "http_enabled" : false,
          "order" : 6,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "kerberos",
            "config" : {
              "krb_debug" : false,
              "strip_realm_from_principal" : true
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        }
      },
      "authz" : {
        "roles_from_another_ldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : { }
          },
          "description" : "Authorize via another Active Directory"
        },
        "roles_from_myldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "rolebase" : "ou=groups,dc=example,dc=com",
              "rolesearch" : "(member={0})",
              "userrolename" : "disabled",
              "rolename" : "cn",
              "resolve_nested_roles" : true,
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(uid={0})"
            }
          },
          "description" : "Authorize via LDAP or Active Directory"
        }
      },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false,
      "on_behalf_of" : {
        "enabled" : false
      }
    }
  }
}

Cheers,
Eddie.

Maybe the question re automation is beyond the scope of this forum?

Tried via the Dashboards Web UI, but did not have any luck that way. Are there instructions/documentation stepping through this?

@big-edd You cannot change security configuration with OpenSearch Dashboards as the change requires a super admin user defined in admin_dn in opensearch.yml.

According to your output, the OpenSearch security plugin configuration wasn’t updated with your settings. That’s why your anonymous authentication doesn’t work.

What kind of automation do you expect?

In the future we are hoping to automatically build and deploy with CI/CD pipelines, without the need to manually administer before users can just go ahead and use it.

So I guess something (config and/or script) during the “docker build”?
Or maybe a script and/or “docker-compose” cleverness as it is deployed?

@big-edd When a fresh cluster deployment is executed, the index with the security plugin configuration doesn’t exist. Then the plugin imports the configuration from /usr/share/opensearch/config/opensearch-security. If you’d like to use a custom security configuration during the deployment, then you can map the config files in the docker-compose.yml file.
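
Added example, not part of the thread and not OpenSearch project code: a small check that reproduces the diagnosis above by reading the startup log for "skipping update" lines and comparing `anonymous_auth_enabled` in the on-disk config.yml with the value returned by the securityconfig API. The function names are hypothetical, the inputs are trimmed or constructed samples in the formats shown in the thread, and the `config` document id in the first log line is an assumption.

```python
import json
import re

# Matches the ConfigHelper line emitted when the security index already holds a document.
SKIP_RE = re.compile(r"Index (\S+) already contains doc with id (\w+), skipping update")
# Finds the setting in config.yml without a YAML library; commented-out lines do not match.
ANON_RE = re.compile(r"^\s*anonymous_auth_enabled:\s*(true|false)\b", re.MULTILINE)

# On-disk file -> document id in the security index. The roles/rolesmapping ids
# appear in the thread's log; the id for config.yml is an assumption.
FILE_TO_DOC = {
    "config.yml": "config",
    "roles.yml": "roles",
    "roles_mapping.yml": "rolesmapping",
}

# Sample startup log: the last two lines are in the format posted in the thread,
# the first one is constructed for this example.
SAMPLE_LOG = """\
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Index .opendistro_security already contains doc with id config, skipping update.
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Index .opendistro_security already contains doc with id roles, skipping update.
..  [INFO ][o.o.s.s.ConfigHelper     ] [opensearch] Index .opendistro_security already contains doc with id rolesmapping, skipping update.
"""

# Constructed on-disk config.yml fragment carrying the edit described in the thread.
SAMPLE_CONFIG_YML = """\
config:
  dynamic:
    http:
      anonymous_auth_enabled: true
"""

# Trimmed copy of the securityconfig API response posted in the thread.
SAMPLE_SECURITYCONFIG = """\
{"config": {"dynamic": {"http": {"anonymous_auth_enabled": false}}}}
"""


def skipped_docs(log_text):
    """Return ids of security documents that startup declined to overwrite."""
    return {m.group(2) for m in SKIP_RE.finditer(log_text)}


def file_anonymous_enabled(config_yml_text):
    """Return the on-disk setting as a bool, or None if the key is absent."""
    m = ANON_RE.search(config_yml_text)
    return None if m is None else m.group(1) == "true"


def live_anonymous_enabled(securityconfig_text):
    """Return the setting the running security plugin actually uses."""
    doc = json.loads(securityconfig_text)
    http = doc.get("config", {}).get("dynamic", {}).get("http", {})
    return http.get("anonymous_auth_enabled")


def diagnose(log_text, config_yml_text, securityconfig_text, edited_files):
    """Compare file state with live state and list edited files that were not loaded."""
    skipped = skipped_docs(log_text)
    on_disk = file_anonymous_enabled(config_yml_text)
    live = live_anonymous_enabled(securityconfig_text)
    return {
        "on_disk": on_disk,
        "live": live,
        # Drift: the file says one thing, the security index says another.
        "drift": on_disk is not None and on_disk != live,
        "edited_but_not_loaded": sorted(
            f for f in edited_files if FILE_TO_DOC.get(f) in skipped
        ),
    }


if __name__ == "__main__":
    report = diagnose(
        SAMPLE_LOG,
        SAMPLE_CONFIG_YML,
        SAMPLE_SECURITYCONFIG,
        ["config.yml", "roles.yml", "roles_mapping.yml"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```
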