Default password for opensearch-dashboard with opensearch cluster deployed using AWS OpenSearch Service

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: AWS OpenSearch Service 2.9.0
Dashboard: 2.9.0
Browser: Firefox

Describe the issue:
I am using AWS OpenSearch Service to run my cluster. So I have a cluster URL like this: https://vpc-xxx-xxxxxxxx.eu-central-1.es.amazonaws.com.

I didn’t enable Fine-grained access control in AWS. So my assumption is that there is no auth for this cluster.
The cluster is not public, it is inside a private vpc.

Next, I deployed the opensearch-dashboard in EKS. I am able to get to the login page but the standard logins - admin/admin, kibanaserver/kibanaserver - don’t work. I get an incorrect credentials error message.

I stumbled upon this

and added extra env variables: OPENSEARCH_USERNAME, OPENSEARCH_PASSWORD. But as soon as I add this, the dashboard stops working.
I assume this is because the cluster is set up with no authentication enabled.

So my question is, how can I access the dashboard without having any authentication in place?

Configuration:
this is the helm chart I am using:

and the values:

    opensearchHosts: 'https://{{ .Values | get "opensearch.host" }}'
    image:
      repository: "opensearchproject/opensearch-dashboards"
      tag: 2.9.0

    config:
      opensearch_dashboards.yml: |
        opensearch:
          hosts: [https://{{ .Values | get "opensearch.host" }}]
          ssl:
            verificationMode: none
          requestHeadersAllowlist: [authorization, securitytenant]

    opensearchDashboardsYml:
      defaultMode: 0777

    extraEnvs:
      - name: "OPENSEARCH_USERNAME"
        value: "XXX"
      - name: "OPENSEARCH_PASSWORD"
        value: "XXX"

    service:
      type: ClusterIP
      port: 5601
      loadBalancerIP: ""
      nodePort: ""
      labels: {}
      annotations:
        alb.ingress.kubernetes.io/healthcheck-path: '/app/kibana'
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/healthcheck-port: http
      httpPortName: http

    ingress:
      enabled: true
      ingressClassName: alb
      annotations:
    {{ toYaml .Values.ingress.alb.opensearch.annotations | indent 4 }}
      hosts:
        - host: 'opensearch.{{ .Values | get "domain.public" }}'
          paths:
            - path: /
              backend:
                serviceName: opensearch-dashboard-opensearch-dashboards
                servicePort: 5601

    resources:
      requests:
        cpu: "100m"
        memory: "512M"
      limits:
        cpu: "100m"
        memory: "512M"

Relevant Logs or Screenshots:

Hi @nik23
Have you tried to change the user password in the internal_users.yml file?
Could you share your /config/opensearch-security/config.yml file?

Hi @Eugene7

I cannot find the opensearch-security/config.yml in /config.

    [opensearch-dashboards@opensearch-dashboard-opensearch-dashboards-86b7564647-p9qfd config]$ ls
    node.options  opensearch.example.org.cert  opensearch.example.org.key  opensearch_dashboards.yml

This is what I have in config.

Please try to find it in the directory with OpenSearch configurations.

The documentation for those configurations:

As I mentioned in my post, the OpenSearch backend/cluster for me is the AWS OpenSearch Service.
I do not have config files from the service, all I have is the config that I see on the AWS Dashboard.

Could you share the securityConfig section from values.yml in the opensearch charts?

I don’t see that config here https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/values.yaml

I can only configure values for opensearch-dashboard, which is running in EKS and deployed through helm charts.

I am not hosting the OpenSearch backend. I am using the AWS OpenSearch Service.

@nik23

A user password for internal users can be changed in the OpenSearch configurations or in the OpenSearch Dashboards UI. But you can’t change a password for the internal user in the OpenSearch Dashboards configurations.

Please send your values.yaml file which you can find in the OpenSearch directory:

As I mentioned above twice - I am not using OpenSearch helm charts. I am using AWS OpenSearch Service. Specifically - Open Source Search Engine - Amazon OpenSearch Service - AWS

And my problem is that if the AWS OpenSearch Service doesn’t have any authentication, can the OpenSearch Dashboard not connect to it without the authentication?

The only thing I have deployed manually is OpenSearch Dashboard, for which I used this helm chart. https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/values.yaml

If this is still not understood, please let me know and I will try to be more elaborate. 🙂

OpenSearch Dashboards doesn’t hold any users. This is part of OpenSearch. If the authentication fails then it is because the security plugin in OpenSearch can’t find the valid credentials and not the OpenSearch Dashboards.

What type of authentication did you use in OpenSearch?

If this is an internal user or LDAP, you can use the below curl to test the credentials directly with OpenSearch:

    curl --insecure -u <username>:<password> -XGET https://<OpenSearch_node>:9200

Can I not use Dashboard without the authentication?

Because I have no authentication set in OpenSearch.

It is possible if the security plugin is disabled, or if there are default configurations for the authentication backend.

You can find more information on how to disable the security plugin at the link below:

Going through https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/index.ts, I figured out that you can disable the plugin in the opensearch_dashboard yaml.

    opensearch_security:
      enabled: false

Also make sure to disable the security in the server/cluster.
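
A review pass over the Helm values discussed in this thread, as an added example that is not part of any post above: it flags the settings that carry the risk once the Dashboards login is turned off (TLS verification set to `none`, the `opensearch_security.enabled: false` override, the `0777` config mode, and the password passed as a literal env value). The `flatten` and `audit` helpers and the finding names are hypothetical, and the sample input is constructed from the posted values.

```python
import re

# Constructed sample: risky lines from the values posted in the thread, plus
# the opensearch_security override from the final reply.
SAMPLE_VALUES = """\
config:
  opensearch_dashboards.yml: |
    opensearch:
      ssl:
        verificationMode: none
    opensearch_security:
      enabled: false
opensearchDashboardsYml:
  defaultMode: 0777
extraEnvs:
  - name: "OPENSEARCH_PASSWORD"
    value: "XXX"
"""

def flatten(text):
    """Indentation-based (path, value) pairs; Helm template lines are skipped."""
    stack, items = [], []
    for line in text.splitlines():
        m = re.match(r"^( *(?:- )?)([\w.]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, val = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if val and val != "|":
            items.append((".".join(k for _, k in stack), val))
    return items

def audit(text):
    """Hypothetical review rules; the finding names are made up for this example."""
    items, findings = flatten(text), []
    for i, (path, val) in enumerate(items):
        if path.endswith("ssl.verificationMode") and val == "none":
            findings.append("tls-verification-off")
        elif path.endswith("opensearch_security.enabled") and val == "false":
            findings.append("dashboards-login-disabled")
        elif path.endswith("defaultMode") and int(val, 8) & 0o022:
            findings.append("config-file-writable-by-others")
        elif path == "extraEnvs.name" and "PASSWORD" in val:
            # Literal `value:` keeps the secret in chart values, unlike valueFrom.secretKeyRef.
            if items[i + 1 : i + 2] and items[i + 1][0] == "extraEnvs.value":
                findings.append("inline-secret-env")
    return findings
```

With the login disabled and no fine-grained access control on the domain, the ALB ingress and the VPC network rules are the only access controls left in front of the cluster data, so the remaining findings are worth clearing before that change is deployed.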