nik23
November 13, 2023, 12:34pm
1
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: AWS OpenSearch Service 2.9.0
Dashboard: 2.9.0
Browser: Firefox
Describe the issue :
I am using AWS OpenSearch Service to run my cluster. So I have a cluster url like this: https://vpc-xxx-xxxxxxxx.eu-central-1.es.amazonaws.com .
I didn’t enable Fine-grained access control in AWS. So my assumption is that there is no auth for this cluster.
The cluster is not public, it is inside a private vpc.
Next, I deployed the opensearch-dashboard in EKS. I am able to get to the login page but the standard logins - admin/admin, kibanaserver/kibanaserver - don’t work. I get incorrect credentials error message.
I stumbled upon this
I deployed OpenSearch Dashboards based on the helm tutorial .
Based on the doc , the default username admin and password admin.
However, I got error:
[image]
What would be the correct default username admin and password admin? Thanks!
and added extra env variables: OPENSEARCH_USERNAME, OPENSEARCH_PASSWORD. But as soon as I add this, the dashboard stops working.
I assume because the cluster is setup with no authentication enabled.
So my question is, how can I access the dashboard without having any authentication in place?
Configuration :
this is the helm chart I am using:
and the values:
opensearchHosts: 'https://{{ .Values | get "opensearch.host" }}'
image:
  repository: "opensearchproject/opensearch-dashboards"
  tag: 2.9.0
config:
  opensearch_dashboards.yml: |
    opensearch:
      hosts: [https://{{ .Values | get "opensearch.host" }}]
      ssl:
        verificationMode: none
      requestHeadersAllowlist: [authorization, securitytenant]
opensearchDashboardsYml:
  defaultMode: 0777
extraEnvs:
  - name: "OPENSEARCH_USERNAME"
    value: "XXX"
  - name: "OPENSEARCH_PASSWORD"
    value: "XXX"
service:
  type: ClusterIP
  port: 5601
  loadBalancerIP: ""
  nodePort: ""
  labels: {}
  annotations:
    alb.ingress.kubernetes.io/healthcheck-path: '/app/kibana'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-port: http
  httpPortName: http
ingress:
  enabled: true
  ingressClassName: alb
  annotations:
{{ toYaml .Values.ingress.alb.opensearch.annotations | indent 4 }}
  hosts:
    - host: 'opensearch.{{ .Values | get "domain.public" }}'
      paths:
        - path: /
          backend:
            serviceName: opensearch-dashboard-opensearch-dashboards
            servicePort: 5601
resources:
  requests:
    cpu: "100m"
    memory: "512M"
  limits:
    cpu: "100m"
    memory: "512M"
Relevant Logs or Screenshots :
Eugene7
November 13, 2023, 1:46pm
2
Hi @nik23
Have you tried to change user password in the internal_users.yml file?
Could you share your /config/opensearch-security/config.yml file?
nik23
November 13, 2023, 2:09pm
3
Hi @Eugene7
I cannot find the opensearch-security/config.yml in /config.
[opensearch-dashboards@opensearch-dashboard-opensearch-dashboards-86b7564647-p9qfd config]$ ls
node.options opensearch.example.org.cert opensearch.example.org.key opensearch_dashboards.yml
This is what I have in config.
Eugene7
November 13, 2023, 2:44pm
4
Please try to find it in the directory with OpenSearch configurations.
The documentation for those configurations:
nik23
November 13, 2023, 2:47pm
5
As I mentioned in my post, the OpenSearch backend/cluster for me is the AWS OpenSearch Service.
I do not have config files from the service, all I have is the config that I see on the AWS Dashboard.
Eugene7
November 13, 2023, 3:00pm
6
Could you share securityConfig section from values.yml in opensearch charts?
nik23
November 13, 2023, 6:10pm
7
I don’t see that config here https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/values.yaml
I can only configure values opensearch-dashboard which is running in EKS and deployed through helm charts.
I am not hosting opensearch backend. I am using the AWS OpenSearchService
Eugene7
November 14, 2023, 11:40am
8
@nik23
A user password for internal users can be changed in the OpenSearch configurations or in the OpenSearch Dashboards UI. But you can’t change a password for the internal user in the OpenSearch Dashboards configurations.
Please send your values.yaml file which you can find in the OpenSearch directory:
---
clusterName: "opensearch-cluster"
nodeGroup: "master"
# If discovery.type in the opensearch configuration is set to "single-node",
# this should be set to "true"
# If "true", replicas will be forced to 1
singleNode: false
# The service that non master groups will try to connect to when joining the cluster
# This should be set to clusterName + "-" + nodeGroup for your master group
masterService: "opensearch-cluster-master"
# OpenSearch roles that will be applied to this nodeGroup
# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client
roles:
- master
- ingest
- data
- remote_cluster_client
This file has been truncated.
nik23
November 14, 2023, 12:15pm
9
As I mentioned above twice - I am not using OpenSearch helm charts. I am using AWS OpenSearch Service. Specifically - Open Source Search Engine - Amazon OpenSearch Service - AWS
And my problem is that if the AWS OpenSearch Service doesn’t have any authentication, can the OpenSearch Dashboard not connect to it without the authentication?
The only thing I have deployed manually is OpenSearch Dashboard, for which I used this helm chart. https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/values.yaml
If this is still not understood, please let me know and I will try to be more elaborate.
Eugene7
November 14, 2023, 1:14pm
10
OpenSearch Dashboards doesn’t hold any users. This is part of OpenSearch. If the authentication fails then it is because the security plugin in OpenSearch can’t find the valid credentials and not the OpenSearch Dashboards.
What type of authentication did you use in OpenSearch?
If this is an internal user or LDAP, you can use the below curl to test the credentials directly with OpenSearch:
curl --insecure -u <username>:<password> -XGET https://<OpenSearch_node>:9200
nik23
November 14, 2023, 1:24pm
11
Can I not use Dashboard without the authentication?
Because I have no authentication set in OpenSearch.
Eugene7
November 14, 2023, 2:17pm
12
It is possible if the security plugin is disabled, or if there are default configurations for the authentication backend.
Eugene7
November 15, 2023, 12:52pm
13
You can find more information on how to disable the security plugin at the link below:
nik23
November 20, 2023, 8:27am
14
Going through https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/index.ts , I figured out that you can disable the plugin in the opensearch_dashboard yaml.
opensearch_security:
  enabled: false
Also make sure to disable the security in the server/cluster.
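The setting from this post applied to the Helm values from the first post, as an added example that is not part of the original thread or the chart's own documentation. The hostname is a constructed placeholder, and the `extraEnvs` credentials are left out to match the poster's report that Dashboards stopped working once they were set.

```yaml
# Added example: values for the opensearch-dashboards Helm chart, adapted from
# the values in the first post. The domain endpoint is a constructed placeholder.
opensearchHosts: "https://vpc-example-domain.eu-central-1.es.amazonaws.com"
image:
  repository: "opensearchproject/opensearch-dashboards"
  tag: 2.9.0
config:
  opensearch_dashboards.yml: |
    opensearch:
      hosts: ["https://vpc-example-domain.eu-central-1.es.amazonaws.com"]
    # Setting reported in post 14: disable the security dashboards plugin so
    # Dashboards serves no login page and sends no credentials to a domain
    # that has fine-grained access control switched off.
    opensearch_security:
      enabled: false

# Before (first post): credentials injected through the environment.
# The domain has no internal user database to check them against.
# extraEnvs:
#   - name: "OPENSEARCH_USERNAME"
#     value: "XXX"
#   - name: "OPENSEARCH_PASSWORD"
#     value: "XXX"
# After: no credentials are configured.
extraEnvs: []

service:
  type: ClusterIP
  port: 5601

# With the plugin disabled, Dashboards itself authenticates nobody, so whatever
# fronts it (the ALB ingress in the first post) and the VPC network rules are
# the only access control in front of the data.
ingress:
  enabled: true
  ingressClassName: alb
  hosts:
    - host: "opensearch.example.internal"  # constructed placeholder
      paths:
        - path: /
          backend:
            serviceName: opensearch-dashboard-opensearch-dashboards
            servicePort: 5601
```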
sandip
June 23, 2025, 7:52am
15
Came here after visiting the Github thread :
I’m using the TARBALL setup.
For Opensearch
Stop running the OpenSearch if any by CTRL + C.
Uninstall the Security plugin
./bin/opensearch-plugin remove opensearch-security
Start OpenSearch
./bin/opensearch
For OpenSearch Dashboard
Stop running the OpenSearch Dashboards if any
Uninstall the Security plugin
./bin/opensearch-dashboards-plugin remove securityDashboards
Start Opensearch Dashboard
./bin/opensearch-dashboards
The above steps will remove/uninstall the security from OpenSearch and the OpenSearch dashboard, intended only for the local environment.