Can't get past Dashboard login screen

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.17.1
Dashboards 2.17.1
Ubuntu Server 24.04 LTS

Describe the issue:
I’ve been running OpenSearch for a while and it’s been great. I installed Dashboards on the same VM as OpenSearch, but cannot get past the Dashboards login screen. No matter which username/password I use, I get an invalid username/password error message.

OpenSearch has the security plugin disabled, and I can access OpenSearch using curl -X GET http://localhost:9200 -u 'kibanaserver:kibanaserver' --insecure. I can also access the plugins via curl. The curl commands also work with the Admin username and password.

I uninstalled the Dashboards security plugin. I am accessing Dashboards using HTTP.

I would appreciate any help in getting past the Dashboards login screen.

Configuration (Dashboards):

server.host: 0.0.0.0
opensearch.hosts: [http://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]

# Use this setting if you are running opensearch-dashboards without https

opensearch_security.cookie.secure: false

Relevant Logs or Screenshots:

Hi @julsssark, have you set the environmental variable OPENSEARCH_INITIAL_ADMIN_PASSWORD when deploying your OpenSearch Dashboards?

Here’s a bit more information about the default password: Enhancing security in OpenSearch 2.12.0: The end of the default admin password · OpenSearch

Best,
mj

Hi Mantas. Thanks for the link. I did set the initial admin password when I installed OpenSearch and I can access OpenSearch just fine using the admin user/password. Do I need to do something similar for Dashboards?

@julsssark, Could you run the below and share the output (the admin user you set for OpenSearch):

curl --insecure -u admin:<admin_password> -XGET https://localhost:9200/_plugins/_security/authinfo?pretty

thanks,
mj

If I run it with https, I get “curl: (35) error:0A00010B:SSL routines::wrong version number”. If I run it with http I get “error” : “no handler found for uri [/_plugins/_security/authinfo] and method [GET]”

Ok, I see. Is the security plugin enabled? Can you share your opensearch.yml?

Best,
mj

The security plugin in OpenSearch is disabled.

# WARNING: revise all the lines below before you go into production
plugins.security.disabled: true
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

In this case, you will have to disable/remove it from your OpenSearch Dashboards as well: Disabling and enabling the Security plugin - OpenSearch Documentation

NOTE: “Remove all Security plugin configuration settings from opensearch_dashboards.yml…”

Best,
mj

Commented those rows out but I still can’t log in. I saw that in the instructions but I didn’t think those rows were plugin related because they didn’t have “plugins” in the variable name.

great it helps!

@julsssark, if you disable the security plugin in your OpenSearch cluster, you will have to disable it on your OpenSearch Dashboards as well. If the plugin is disabled correctly, you will have no “login” page.

Please make sure you have double-checked the: Disabling and enabling the Security plugin - OpenSearch Documentation (make sure the cluster is restarted after the config update to ensure that the changes were applied)

And please feel free to share all your config files for me to have a look at.

best,
mj

Thanks for sticking with me Mantas. I ran the remove Dashboards plugin (again) and rebooted. I still get the login screen displayed. I also tried on a different browser in case it was a cache issue. Is there another way to confirm that the Dashboard security plugin is removed? I ran the removal script as both root and non-root. Which config files would be helpful?

I figured it out. Previously, I used the command from the documentation to remove the plugin:

./bin/opensearch-dashboards-plugin remove securityDashboards

The command said it completed successfully. I went back and listed the installed plugins and “securityAnalyticsDashboards” was still listed. I needed to use the following command to get it to actually remove:

sudo ./bin/opensearch-dashboards-plugin remove securityDashboards --allow-root

After restarting dashboards with systemctl, and making sure the URL was the base URL (no /app/login?), the dashboards loaded correctly.

Thanks Mantas for helping.

@julsssark, glad to hear you solved it! thanks for sharing the solution.
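
One way to confirm what the thread asks about, as an added example that is not part of any post here: a shell check for active opensearch_security.* settings left in opensearch_dashboards.yml and for securityDashboards in the output of opensearch-dashboards-plugin list. The name@version line format of the list output, the function names and all sample data are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Real use:
#   ./bin/opensearch-dashboards-plugin list > plugins.txt
#   check_dashboards /path/to/opensearch_dashboards.yml plugins.txt

# Print active (uncommented) opensearch_security.* keys left in a config file.
leftover_security_settings() {
    grep -E '^[[:space:]]*opensearch_security\.' "$1" | cut -d: -f1 | sed 's/^[[:space:]]*//'
}

# Exit 0 if the plugin list on stdin contains securityDashboards itself.
# Assumes one "name@version" entry per line; the match is on the exact name.
security_plugin_listed() {
    grep -Eq '^[[:space:]]*securityDashboards(@|[[:space:]]|$)'
}

# Report both findings; exit 0 only when the install looks clean.
check_dashboards() {
    local clean=0 keys
    keys=$(leftover_security_settings "$1")
    if [ -n "$keys" ]; then
        printf 'active security settings in %s:\n%s\n' "$1" "$keys"
        clean=1
    fi
    if security_plugin_listed < "$2"; then
        echo "securityDashboards is still installed"
        clean=1
    fi
    return "$clean"
}

# Constructed samples modelled on the thread: state before and after cleanup.
tmp=$(mktemp -d)
cat > "$tmp/before.yml" <<'EOF'
server.host: 0.0.0.0
opensearch.hosts: [http://localhost:9200]
opensearch_security.multitenancy.enabled: true
# opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false
EOF
grep -v '^opensearch_security\.' "$tmp/before.yml" > "$tmp/after.yml"
printf 'securityAnalyticsDashboards@2.17.1.0\nsecurityDashboards@2.17.1.0\n' > "$tmp/plugins_before.txt"
printf 'securityAnalyticsDashboards@2.17.1.0\n' > "$tmp/plugins_after.txt"

check_dashboards "$tmp/before.yml" "$tmp/plugins_before.txt" || echo "=> not clean"
check_dashboards "$tmp/after.yml" "$tmp/plugins_after.txt" && echo "=> clean"
```

With the security plugin removed on both sides, Dashboards serves every client without a login, so the `server.host: 0.0.0.0` binding in the posted config is worth restricting at the host or network level.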