/api/status endpoint is not working when client certificate auth is enabled

Hi,
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
I am using OpenSearch and OpenSearch Dashboards 2.7.0 in a k8s environment.

Describe the issue:
I have enabled client_cert_auth in OpenSearch and configured opensearch.ssl.certificate and opensearch.ssl.key in OpenSearch Dashboards.
The Dashboards pod is able to communicate with OpenSearch with this, but when I try to reach the /api/status endpoint with these certificates it gives a 401 error.
(I am using a nonadmin certificate here)

curl -k --cert /etc/files/osClientCrt --key /etc/files/osClientKey https://od-dashboards-8568686ffc-bs944:5601/api/status
{"statusCode":401,"error":"Unauthorized","message":"Authentication required"}

I have also tried configuring opensearch_security.allow_client_certificates: "true"
But with this setting too, curl throws a 401 error. If I use admin credentials instead, it works fine.
I don’t want to use opensearch_security.auth.unauthenticated_routes: ["/api/status"] as it’s a security violation. Please suggest a way forward.

Configuration:
In dashboards.yml

opensearch.ssl.certificate: "/etc/files/osClientCrt"
opensearch.ssl.key: "/etc/files/osClientKey"

Relevant Logs or Screenshots:

curl -k --cert /etc/files/osClientCrt --key /etc/files/osClientKey https://od-dashboards-8568686ffc-bs944:5601/api/status
{"statusCode":401,"error":"Unauthorized","message":"Authentication required"}

This is used to authenticate OpenSearch Dashboards with OpenSearch using client certificate authentication.

Could you share your opensearch_dashboards.yml and config.yml files?

Hi,
dashboards.yml

server.name: dashboards
server.customResponseHeaders: { "X-Frame-Options": "DENY" }
csp.strict: true
server.ssl.supportedProtocols: ["TLSv1.2"]
opensearch.ssl.certificate: "/etc/files/osClientCrt"
opensearch.ssl.key: "/etc/files/osClientKey"
opensearch_security.allow_client_certificates: "true"
opensearch.hosts: "https://<os-svc-name>:9200"
server.ssl.enabled: true
server.ssl.certificate: "/etc/files/server.crt"
server.ssl.key: "/etc/files/server.key"

OpenSearch configuration
config.yml

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      multitenancy_enabled: false
      server_username: kibanaserver
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".+"
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
          config: {}
        authentication_backend:
          type: "intern"
          config: {}
      clientcert_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: "clientcert"
          config:
            username_attribute: "cn"
          challenge: false
        authentication_backend:
          type: "noop"

roles_mapping.yml

_meta:
  type: "rolesmapping"
  config_version: 2
kibana_server:
  reserved: false
  users:
  - "nonadmin"