Bypass sign-in to an embedded Opensearch dashboard iframe

Hi All,

I'm trying to embed OpenSearch Dashboards in an iframe on my website. Unfortunately, when I add the iframe I always land on the login page rather than going directly to the dashboard itself.

This is the iframe tag:

<iframe src="https://0.0.0.0:5601/app/dashboards?security_tenant=private#/view/938fdaf0-bd82-11ed-a292-25232984eee0?embed=true&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!f%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-90d%2Cto%3Anow))&show-top-menu=true&show-query-input=true&show-time-filter=true" height="600" width="800"></iframe>

Please suggest how to skip this login prompt and show the dashboard.

I tried adding the authorization header in the nginx configuration. I converted username:password (with a colon between them) into base64.

Configuration:

server {
    listen 443 http2 ssl default_server;
    listen [::]:443 http2 ssl default_server;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        #proxy_pass            https://opensearch;
        proxy_pass             https://0.0.0.0:5601;
        #proxy_set_header Access-Control-Allow-Origin 'https://0.0.0.0:5601';
        proxy_set_header Authorization "Basic YWRtaW46QWNjZW50dXJlQDEyMw==";
        #proxy_pass_header Authorization;
        #proxy_pass https://0.0.0.0:5601;
        proxy_read_timeout    90;
        proxy_connect_timeout 90;
        proxy_redirect        off;
        proxy_cache off;
        #proxy_ssl_verify              off;
    }
}

Relevant Logs or Screenshots:
config.yml

opensearch.yml

# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
plugins.security.disabled: false
######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: /home/aiml/opensearch-2.3.0/config/node1-2.pem
plugins.security.ssl.transport.pemkey_filepath:  /home/aiml/opensearch-2.3.0/config/node1-key-2.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /home/aiml/opensearch-2.3.0/config/root-ca-2.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /home/aiml/opensearch-2.3.0/config/node1-2.pem
plugins.security.ssl.http.pemkey_filepath:  /home/aiml/opensearch-2.3.0/config/node1-key-2.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /home/aiml/opensearch-2.3.0/config/root-ca-2.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=XX,OU=YY,O=LL,L=BB,ST=II,C=AA'
plugins.security.nodes_dn:
  - 'CN=XX,OU=YY,O=LL,L=BB,ST=II,C=AA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
#
#

OpenSearch Dashboard.yml

---
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0

# Description:
# Default configuration for OpenSearch Dashboards

# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
# server.basePath: ""

# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
# server.maxPayloadBytes: 1048576

# The OpenSearch Dashboards server's name.  This is used for display purposes.
#server.name: "cnas-ino-opensearch.westeurope.cloudapp.azure.com"

# The URLs of the OpenSearch instances to use for all your queries.
#opensearch.hosts: ["https://t:9200"]

# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
# opensearchDashboards.index: ".opensearch_dashboards"

# The default application to load.
opensearchDashboards.defaultAppId: "home"
# Set the value of this setting to true to capture region blocked warnings and errors
# for your map rendering services.
# map.showRegionBlockedWarning: false

opensearch.hosts: [https://localhost:9200]
opensearch.username: "admin"
opensearch.password: "admin"
opensearch.requestHeadersAllowlist: [authorization, securitytenant]
server.ssl.enabled: true
opensearch.ssl.verificationMode: certificate
server.ssl.certificate: /home/aiml/opensearch-2.3.0/config/node1-2.pem
server.ssl.key: /home/aiml/opensearch-2.3.0/config/node1-key-2.pem
opensearch.ssl.certificateAuthorities: [ "/home/aiml/opensearch-2.3.0/config/root-ca-2.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: true

@Bindu Try adding the below line to your opensearch_dashboards.yml

opensearch_security.cookie.isSameSite: "None"

Also, your opensearch_dashboards.yml has the below line duplicated.

opensearch_security.cookie.secure: true

You still need this option set to true when you use isSameSite.
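Why both settings matter, as an added example (not from pablo's reply or from the OpenSearch project): a small check over Set-Cookie headers that reports whether a browser would send the session cookie back from inside a cross-site iframe. It encodes Chromium's rules (a missing SameSite attribute is treated as Lax; SameSite=None is accepted only together with Secure). The sample headers and the cookie value are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieVerdict:
    name: str
    samesite: Optional[str]   # SameSite attribute as written, None if absent
    secure: bool
    sent_in_cross_site_iframe: bool
    reason: str


def parse_set_cookie(header: str) -> CookieVerdict:
    """Parse one Set-Cookie header value and decide whether a browser will
    attach the cookie to requests made from inside a third-party iframe."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip()

    # Chromium treats a missing SameSite attribute as Lax, so the cookie is
    # withheld from cross-site subresource requests such as an embedded iframe.
    effective = (samesite or "Lax").lower()
    if effective == "none":
        if secure:
            return CookieVerdict(name, samesite, secure, True,
                                 "SameSite=None with Secure: sent cross-site")
        # Browsers reject SameSite=None cookies that are not also marked Secure,
        # which is why opensearch_security.cookie.secure must stay true.
        return CookieVerdict(name, samesite, secure, False,
                             "SameSite=None without Secure: cookie rejected by the browser")
    label = samesite if samesite else "absent (defaults to Lax)"
    return CookieVerdict(name, samesite, secure, False,
                         f"SameSite={label}: withheld from cross-site iframe")


def check_set_cookie_headers(headers: List[str]) -> List[CookieVerdict]:
    """Evaluate a list of Set-Cookie header values."""
    return [parse_set_cookie(h) for h in headers]


# Constructed sample headers (cookie value is made up), in the order a
# troubleshooting session might produce them while changing the two settings.
SAMPLE_HEADERS = [
    "security_authentication=Fe26.2**abc; HttpOnly; Path=/; Secure",
    "security_authentication=Fe26.2**abc; HttpOnly; Path=/; SameSite=None",
    "security_authentication=Fe26.2**abc; HttpOnly; Path=/; SameSite=Lax; Secure",
    "security_authentication=Fe26.2**abc; HttpOnly; Path=/; SameSite=None; Secure",
]

if __name__ == "__main__":
    for v in check_set_cookie_headers(SAMPLE_HEADERS):
        status = "OK " if v.sent_in_cross_site_iframe else "NO "
        print(f"{status} {v.name}: {v.reason}")
```

Only the last sample header survives the browser's checks, which is the combination of isSameSite "None" and cookie.secure true that the reply recommends. Paste the Set-Cookie values from your browser's developer tools into SAMPLE_HEADERS to check a real deployment.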

@Bindu Regarding bypassing the login screen, you could consider using JWT token authentication.

<iframe src="https://<OpenSearch_Dashboards_FQDN_or_IP>:5601/goto/afd8b289be9a7b90241ec7358b40f2ce?mytoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsIm5hbWUiOiJhZG1pbiIsImlhdCI6MTUxNjIzOTAyMn0.z7PUfQ8XlAsQnXxgoa7BqCUzAkcpECqDQZ9_s6ijlb0&security_tenant=global" height="600" width="800"></iframe>

config.yml

config:
  dynamic:
    authc:
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI="
            jwt_header: "Authorization"
            jwt_url_parameter: mytoken
            subject_key: sub
        # Every authc domain needs a backend; JWT carries its own identity, so noop is used.
        authentication_backend:
          type: noop

Add the below to opensearch_dashboards.yml

opensearch_security.auth.type: "jwt"
opensearch_security.jwt.url_param: 'mytoken'
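To see what the server is checking when a request arrives with `?mytoken=...`, here is an added example (not from pablo's post or from the OpenSearch project) that mints and verifies an HS256 token using only Python's standard library. It follows the security plugin documentation in treating the HMAC `signing_key` as a base64-encoded shared secret: the decoded bytes are the key. The signing key is the one from the config.yml snippet above; the claims and the `demo()` helper are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Signing key from the config.yml snippet in this thread (base64-encoded shared secret).
SIGNING_KEY = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI="


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url(): restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_key_from_config(signing_key: str) -> bytes:
    # The plugin documentation describes the HMAC signing_key as base64-encoded,
    # so the key material is the decoded value, not the literal config string.
    return base64.b64decode(signing_key)


def make_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the signature and exp check out, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept "none" or a different algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def _accepted(token: str, key: bytes, now: int) -> bool:
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Mint one good token, then show three ways a token ends up rejected."""
    key = hmac_key_from_config(SIGNING_KEY)
    claims = {"sub": "admin", "roles": "admin", "iat": now, "exp": now + 3600}  # constructed
    token = make_jwt(claims, key)
    results = {"valid_sub": verify_jwt(token, key, now)["sub"]}
    # 1. Token signed with the literal config string instead of the decoded bytes.
    results["literal_key_accepted"] = _accepted(make_jwt(claims, SIGNING_KEY.encode("ascii")), key, now)
    # 2. Token whose exp claim is already in the past.
    results["expired_accepted"] = _accepted(make_jwt({**claims, "exp": now - 1}, key), key, now)
    # 3. Payload edited after signing; the signature no longer matches.
    h, _, s = token.split(".")
    forged = h + "." + b64url(json.dumps({**claims, "sub": "other"}, separators=(",", ":")).encode()) + "." + s
    results["tampered_accepted"] = _accepted(forged, key, now)
    results["token"] = token
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token returned by `demo()` is what would go in the `mytoken` URL parameter; a mismatch in how the key bytes are derived, an expired `exp`, or any edit to the payload produces the same outcome from the server's point of view: the token is rejected and the user is not signed in.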

Hi @pablo

I tried enabling JWT token authentication. However, I am seeing a 401 Unauthorized page when accessing OpenSearch Dashboards.

OpenSearch Logs:

Config.yml

config:
  dynamic:
    authc:
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "+Rv9REK+Du99IHILhJwqHmj+L5lJpniM4rDZO84BrMw="
            jwt_header: "Authorization"
            jwt_url_parameter: "jwtToken"
            #roles_key: "roles"
            subject_key: "sub"
        authentication_backend:
          type: noop

Opensearch-Dashboards.yml

opensearch.hosts: [https://0.0.0.0:9200]
opensearch.username: "admin"
opensearch.password: "admin"
opensearch.requestHeadersAllowlist: [authorization, securitytenant]


#server.ssl.certificate: /home/aiml/opensearch-dashboards-2.3.0/config/client.cert.pem
#server.ssl.key: /home/aiml/opensearch-dashboards-2.3.0/config/client-key.pem
#opensearch.ssl.certificateAuthorities: [ "/home/aiml/opensearch-dashboards-2.3.0/config/root-ca.pem","/home/aiml/opensearch-dashboards-2.3.0/config/ca_intermediate.crt" ]
#opensearch_security.multitenancy.enabled: true
#opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
#opensearch_security.readonly_mode.roles: ["kibana_read_only"]
#opensearch_security.cookie.secure: true
opensearch_security.auth.anonymous_auth_enabled: true
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: true
opensearch_security.cookie.isSameSite: "None"
opensearch_security.auth.type: "jwt"
opensearch_security.jwt.url_param: "jwtToken"

Using this iframe gives a 401 Unauthorized error:

<iframe src="https://0.0.0.0:5601/goto/2c596fa0-bc14-11ed-aee2-8b288182ed4d?jwtToken=eyJhbGciOiJIUzI1NiJ9.eyJyb2xlcyI6ImFkbWluIiwiaXNzIjoiaHR0cHM6Ly8xNzIuMTguMi45Iiwic3ViIjoiYWRtaW4ifQ.Q4FuJmEKUe7E8bovzKtpWvHn-ORJUYLGUOJSrE8RLzc&security_tenant=global" height="600" width="800"></iframe>

Run securityadmin again.

plugins/opensearch-security/tools/securityadmin.sh

Then check the authorization order in OpenSearch Dashboards and ensure JWT is enabled.

Temporarily comment out

opensearch_security.auth.type: "jwt"

Finally, in the OpenSearch Dashboards configuration, ensure you have added

opensearch_security.auth.type: "jwt"
opensearch_security.jwt.url_param: 'jwtToken'

@Bindu Did you remove basic authentication from the config.yml?
You still have a basic authentication set in OpenSearch Dashboards.