Can not start OSD with StatusCodeError: Authorization Exception

anh2001ht · May 13, 2024, 7:44am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.12.0

Describe the issue:
When I yarn start OSD I got this error (it work fine when I disable security plugin on Opensearch) :
StatusCodeError: Authorization Exception
at respond (/home/ntq/DemoPlugin/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
at checkRespForFailure (/home/ntq/DemoPlugin/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
at HttpConnector. (/home/ntq/DemoPlugin/OpenSearch-Dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
at IncomingMessage.wrapper (/home/ntq/DemoPlugin/OpenSearch-Dashboards/node_modules/lodash/lodash.js:4991:19)
at IncomingMessage.emit (events.js:412:35)
at IncomingMessage.emit (domain.js:475:12)
at endReadableNT (internal/streams/readable.js:1333:12)
at processTicksAndRejections (internal/process/task_queues.js:82:21) {
status: 403,
displayName: ‘AuthorizationException’,
path: ‘/_plugins/_security/tenantinfo’,
query: {},
body: undefined,
statusCode: 403,
response: ‘’,
toString: [Function (anonymous)],
toJSON: [Function (anonymous)]
}

Terminating process…
server crashed with status code 1

Configuration:
opensearch_dashboards.yml

server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "admin"
opensearch.password: "admin"
i18n.locale: "ja-JP"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false

Relevant Logs or Screenshots:

Opensearch is working fine, this is the docker-compose file and conifg:
docker-compose.yaml :

version: '3'
services:
  opensearch:
    image: opensearchproject/opensearch:2.12.0
    container_name: opensearch
    environment:
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - compatibility.override_main_response_version=true
      - "OPENSEARCH_SECURITY_ENABLED=true"
      - "OPENSEARCH_SECURITY_AUDIT_ENABLED=true"
      # - "DISABLE_SECURITY_PLUGIN=true"
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypasswordStrong123!"
    volumes:
      - ./data:/usr/share/opensearch/data
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/node1.pem:/usr/share/opensearch/config/node1.pem
      - ./certs/node1-key.pem:/usr/share/opensearch/config/node1-key.pem
      #- ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
      #- ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
      - ./logs/log.log:/usr/share/opensearch/logs/opensearch.log
    ports:
      - 9200:9200
    networks:
      - opensearch-net

opensearch.yml:

network.host: 0.0.0.0

plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: false
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.nodes_dn:
  - '{{ MY DN }}'

Please help me, I have try many solution in the forum but can not fix it. Thank you!

gaobinlong · May 13, 2024, 9:57am

You can try to update the setting opensearch.username and opensearch.password to kibanaserver in opensearch_dashboards.yml, that’s because kibanaserver is mapped to the kibana_server role which is used to perform OpenSearch operations for OpenSearch-Dashboards.

Mantas · May 13, 2024, 9:59am

Hi @anh2001ht ,

You need to provide a username and password for OSD to connect to your OS (opensearch.username, opensearch.password), it looks like you have chosen to use an admin user (as per your config), however, you set your admin password with OPENSEARCH_INITIAL_ADMIN_PASSWORD but you are using " mypasswordStrong123!" can you please adjust that and try again?

Best,
mj

anh2001ht · May 13, 2024, 10:06am

Thank you so much, it working now, you just save my life

anh2001ht · May 13, 2024, 10:21am

It’s working after I changed user and password, but I see the OSD has the less features than OSD run on docker-compose. can you explain this for me?
screen-shot when running with local project :

screen-shot when running with docker-compose:

Mantas · May 13, 2024, 10:49am

This is because the user you are logging in has less privileges.

best,
mj

anh2001ht · May 13, 2024, 10:53am

Thanks for reply, docker already installed all plugins for OSD but the OSD project on github is not, after I clone each plugins for OSD project it show fully plugins for me.

Topic		Replies	Views
OpenSearch Dashboard 2.4.0 unable to start OpenDistro	1	989	December 19, 2022
Get two times http code 403 at dashboards start OpenSearch Dashboards troubleshoot , configure	9	517	May 13, 2024
Opensearch Dashboard unable to start OpenSearch Dashboards	1	1393	May 30, 2022
Error 401 authorization required Reporting Plugin configure , install	3	4112	November 2, 2023
Opensearch Dashboards Fails to Start When Binding to 0.0.0.0 OpenSearch Dashboards troubleshoot , configure	4	211	August 18, 2024

Can not start OSD with StatusCodeError: Authorization Exception

Related topics