Basic authentication only for OpenSearch Dashboards

Hi OpenSearch enjoyers,

Would it be possible to configure authentication with login/password only for the Dashboards GUI and not for OpenSearch itself?

We are trying to avoid a lot of reconfiguring (meaning adding a login, password and trusted cert) of all the apps which are sending logs, metrics and traces to our OpenSearch cluster, but it seems like it's not possible because internal users are under the control of security_admin.sh and/or the security plugin, which requires HTTPS and auth enabled on OpenSearch. Is there some way to do it?

Our OpenSearch stack is behind a corporate proxy and is not accessible from outside.
We are using OpenSearch and Dashboards both in version 2.1.0.

Thank you for all meaningful comments.

Hi @opensearchgenius

What exactly do you want to achieve? How do you want to connect external apps to the OpenSearch cluster?

Hey,

Well, simply, we want to achieve that not all users or people in the company can see all data/dashboards/logs in OpenSearch.

All external apps are already connected to the OpenSearch cluster on port 9200. We use different external apps such as OTel Collector + Data Prepper, Logstash, Fluent Bit and Fluentd, because there are a lot of things in our environment which need to store logs.

That's why we want to avoid configuring all of them and avoid setting up authentication to OpenSearch on port 9200.

Hope I explained our problem.

@opensearchgenius Have you tried anonymous authentication? If not, please use the below procedure to enable it.

  1. Set “anonymous_auth_enabled” to true in config.yml

  2. Add the below line to opensearch_dashboards.yml

opensearch_security.auth.anonymous_auth_enabled: true

  3. In roles.yml set the following role. (The permissions are just an example.)

opendistro_security_anonymous:
  cluster_permissions:
  - "unlimited"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "unlimited"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_write"

  4. In roles_mapping.yml configure the mapping of the anonymous backend role

opendistro_security_anonymous:
  backend_roles:
  - "opendistro_security_anonymous_backendrole"

Please remember to apply security plugin configuration changes with the securityadmin.sh script.

You can also disable SSL on port 9200. To do so, add the following configuration to the opensearch.yml file:

plugins.security.ssl.http.enabled: false
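
A narrower variant of the anonymous role from the procedure above, added here as an example and not part of the original post: it lets unauthenticated shippers on port 9200 write to their ingest indices without the "unlimited" access of the sample role. The index patterns logs-*, metrics-* and traces-* are assumed names, and some shippers may need further permissions (for example for index templates).

```yaml
# roles.yml -- added example, not from the original thread.
# Write-only anonymous role for log/metric/trace shippers.
opendistro_security_anonymous:
  cluster_permissions:
  - "cluster_monitor"            # shippers query cluster/node info on start-up
  - "indices:data/write/bulk"    # the _bulk API is checked at cluster level
  index_permissions:
  - index_patterns:              # assumed index names; replace with your own
    - "logs-*"
    - "metrics-*"
    - "traces-*"
    allowed_actions:
    - "create_index"             # allow creation of new daily/rollover indices
    - "write"                    # index, update, delete and bulk; no read or search
  # No tenant_permissions: the anonymous role gets no Dashboards tenant access.
```

The roles_mapping.yml entry for opendistro_security_anonymous stays as shown in the procedure. Read access to the data is then granted only through roles mapped to named users who log in with a password.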

Hey @Eugene7

Yes, we already tried it, here is a screenshot of the error we got after I ran securityadmin.sh:

The error is caused by disabling SSL in HTTP 9200. Starting from version 2.0, the securityadmin.sh connects to OpenSearch through port 9200 (it was 9300 in versions 1.x). securityadmin.sh requires certificate authentication, which forces SSL on the API endpoint 9200.
