Dashboard not showing login page with openid and keycloak on AWS

Hi,
Sorry, I have a new issue while deploying OpenSearch Dashboards to AWS. I have configured OpenSearch (Dashboards) 2.1.0 on several nodes on AWS (Docker containers) and I have a Keycloak available on https://access.$DOMAIN (somewhere on other nodes in another region). I configured a realm and an OpenID client.

When I access https://monitoring.$DOMAIN I am redirected to https://monitoring.$DOMAIN/auth/openid/login? and it immediately returns {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}. I do not get any login form, from either Keycloak or Dashboards itself.

This is my nginx config:

  location / {
    set_real_ip_from x.x.x.x/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_intercept_errors on;
    proxy_pass http://dashboard/;
    proxy_ssl_verify off;
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
  }
}

The opensearch_dashboards.yml:

server.name: ip-x-x-x-x
server.port: 5601
server.host: "0.0.0.0"
opensearch.hosts: ["https://ip-x-x-x.x:9200","https://ip-x-x-x.x:9200","https://ip-x-x-x.x:9200"]
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "myawesomepassword"
opensearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]

opensearch_security.auth.type: openid
opensearch_security.openid.base_redirect_url: https://monitoring.$DOMAIN
opensearch_security.openid.client_id: myclientid
opensearch_security.openid.client_secret: MyVerySecreTMesSage
opensearch_security.openid.connect_url: https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration
opensearch_security.openid.header: Authorization
opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/root-ca-amz.pem
opensearch_security.openid.verify_hostnames: false

opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running dashboards without https
opensearch_security.cookie.secure: false

Dashboards can access the OpenSearch cluster:

$ curl -ks -u "kibanaserver:myawesomepassword" "https://ip-x.x.x.x:9200"
{
  "name" : "ip-x.x.x.x",
  "cluster_name" : "mycluster",
  "cluster_uuid" : "Lob5PZZEQqW1O5r4idkC5A",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.1.0",
    "build_type" : "tar",
    "build_hash" : "388c80ad94529b1d9aad0a735c4740dce2932a32",
    "build_date" : "2022-06-30T21:31:04.823801692Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

I probably did something wrong.

The config from the OpenSearch cluster:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca-amz.pem
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration
        authentication_backend:
          type: noop

The root-ca-amz.pem is the CA root certificate of Amazon, which is used by ACM. So I hope I downloaded the correct one. :slight_smile:

Does anyone have an idea or a pointer for me?

I see this in the log when starting Dashboards:

{"type":"log","@timestamp":"2022-08-05T11:43:58Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Error: unable to get issuer certificate\n    at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)\n    at TLSSocket.emit (events.js:400:28)\n    at TLSSocket._finishInit (_tls_wrap.js:937:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12) {\n  code: 'UNABLE_TO_GET_ISSUER_CERT',\n  trace: [\n    {\n      method: 'GET',\n      url: 'https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration'\n    }\n  ],\n  isBoom: true,\n  isServer: true,\n  data: null,\n  output: {\n    statusCode: 502,\n    payload: {\n      message: 'Client request error: unable to get issuer certificate',\n      statusCode: 502,\n      error: 'Bad Gateway'\n    },\n    headers: {}\n  }\n}"}

But I can curl https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration at any time and I always get a response. Did I then make a mistake with the

opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/root-ca-amz.pem

line? Not sure how I get the CA cert from Amazon.

Yes, it was related to the CA certificate. It is working better now, but when logged in, I am in a redirect loop between Dashboards and Keycloak.

Sorry, my bad again! I thought I had correctly configured a secret, but I was using a completely different one. Well, I have learned a few things. :slight_smile:
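The two problems in this thread (a CA file that cannot validate the Keycloak certificate, and a client secret that differs from the one registered in Keycloak) are both cases of settings that live in different places having to agree. The script below is an added example, not code from the thread, OpenSearch or Keycloak: it cross-checks the Dashboards `opensearch_security.openid.*` keys, the `openid_auth_domain` section of the security plugin's config.yml and the Keycloak client definition. The three dicts are constructed from the values quoted above (with `$DOMAIN` kept as a placeholder); the Keycloak client record, its `secret` value and the `redirectUris` pattern are assumed, not exported from a real realm. The callback path `/auth/openid/login` is the one visible in the redirect at the top of the thread.

```python
"""Cross-check Dashboards OIDC settings, security config.yml and the Keycloak client.

Added example for this thread; not OpenSearch or Keycloak code. All three inputs
are constructed from the thread's quoted values, the Keycloak record is assumed.
"""
import os
from urllib.parse import urlparse

# Constructed from opensearch_dashboards.yml in the thread ($DOMAIN left as placeholder).
DASHBOARDS_YML = {
    "opensearch_security.auth.type": "openid",
    "opensearch_security.openid.base_redirect_url": "https://monitoring.$DOMAIN",
    "opensearch_security.openid.client_id": "myclientid",
    "opensearch_security.openid.client_secret": "MyVerySecreTMesSage",
    "opensearch_security.openid.connect_url":
        "https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration",
    "opensearch_security.openid.root_ca": "/usr/share/opensearch-dashboards/config/root-ca-amz.pem",
    "opensearch_security.openid.verify_hostnames": False,
    "opensearch_security.cookie.secure": False,
}

# Constructed from config.dynamic.authc.openid_auth_domain.http_authenticator.config.
SECURITY_CONFIG_OPENID = {
    "openid_connect_url":
        "https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration",
    "subject_key": "preferred_username",
    "roles_key": "roles",
    "openid_connect_idp": {
        "enable_ssl": True,
        "verify_hostnames": False,
        "pemtrustedcas_filepath": "/usr/share/opensearch/config/root-ca-amz.pem",
    },
}

# Assumed (hypothetical) Keycloak client record; the secret is deliberately different
# from the Dashboards one to reproduce the mismatch described in the thread.
KEYCLOAK_CLIENT = {
    "clientId": "myclientid",
    "secret": "a-different-secret",
    "redirectUris": ["https://monitoring.$DOMAIN/*"],
}


def expected_redirect_uri(base_redirect_url):
    """Callback URI Dashboards uses (base_redirect_url + /auth/openid/login)."""
    return base_redirect_url.rstrip("/") + "/auth/openid/login"


def redirect_uri_allowed(uri, patterns):
    """Keycloak valid-redirect matching: exact string or trailing '*' wildcard."""
    return any((p.endswith("*") and uri.startswith(p[:-1])) or p == uri for p in patterns)


def check_oidc_setup(dash, sec, kc, path_exists=os.path.exists):
    """Return a list of (code, message) findings; an empty list means nothing obvious."""
    findings = []
    base = dash["opensearch_security.openid.base_redirect_url"]
    discovery = dash["opensearch_security.openid.connect_url"]

    if discovery != sec["openid_connect_url"]:
        findings.append(("discovery_url_mismatch",
                         "Dashboards connect_url and config.yml openid_connect_url differ"))
    for url in (discovery, base):
        if urlparse(url).scheme != "https":
            findings.append(("non_https_url", f"{url} is not https"))

    if dash["opensearch_security.openid.client_id"] != kc["clientId"]:
        findings.append(("client_id_mismatch", "client_id differs from Keycloak clientId"))
    if dash["opensearch_security.openid.client_secret"] != kc["secret"]:
        findings.append(("client_secret_mismatch",
                         "client_secret differs from the Keycloak client secret; the code-for-token "
                         "exchange fails and Dashboards bounces back to Keycloak (redirect loop)"))

    uri = expected_redirect_uri(base)
    if not redirect_uri_allowed(uri, kc["redirectUris"]):
        findings.append(("redirect_uri_not_allowed", f"{uri} not in Keycloak valid redirect URIs"))

    # Both sides fetch the discovery document over TLS and need the CA that signed
    # the Keycloak certificate; a wrong or missing file shows up in the Dashboards
    # log as UNABLE_TO_GET_ISSUER_CERT, as in the thread.
    for label, path in (("Dashboards root_ca", dash["opensearch_security.openid.root_ca"]),
                        ("config.yml pemtrustedcas_filepath",
                         sec["openid_connect_idp"]["pemtrustedcas_filepath"])):
        if not path_exists(path):
            findings.append(("ca_file_missing", f"{label} {path} not found"))

    if (not dash["opensearch_security.cookie.secure"]) and urlparse(base).scheme == "https":
        findings.append(("cookie_not_secure",
                         "cookie.secure is false although users reach Dashboards over https"))
    if (not dash["opensearch_security.openid.verify_hostnames"]
            or not sec["openid_connect_idp"]["verify_hostnames"]):
        findings.append(("hostname_verification_off",
                         "hostname verification of the Keycloak certificate is disabled"))
    return findings


if __name__ == "__main__":
    for code, msg in check_oidc_setup(DASHBOARDS_YML, SECURITY_CONFIG_OPENID, KEYCLOAK_CLIENT):
        print(f"{code}: {msg}")
```

Run it on the host where the CA files live so the `os.path.exists` checks are meaningful; pass your own `path_exists` when checking a config exported from a container. The secret and redirect-URI checks cover the redirect loop seen after the CA fix, while the CA-file and hostname checks cover the `UNABLE_TO_GET_ISSUER_CERT` error from the Dashboards log.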

Hello! I'm following your questions very closely as I try to step through the config steps from this topic and this one.

But I still get 401 errors all the time. Could you tell me in more detail what exactly you decided with the token?

My problem was this file. Keycloak is running on AWS and had a TLS certificate that AWS generated. My problem was that I used the wrong CA certificate from AWS. After a bit of googling I found the correct one. (Too long ago to remember the page.)

Thanks for the quick response. Please tell me, after changing the config.yml, did you run the securityadmin.sh script inside the container to apply the settings?

Yes, to be sure I always executed the securityadmin script.