Disable Rest Layer SSL with Security Plugin Enabled

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
app version: 2.15.0
chart version: 2.21.0

Describe the issue:
Failing to connect to OpenSearch using HTTP

[opensearch@opensearch-cluster-master-0 ~]$ curl https://localhost:9200 -u "admin:Moto1sBe\$t" --insecure
{
  "name" : "opensearch-cluster-master-0",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "gfq4DF6kQIuydoV5BJOKLA",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.15.0",
    "build_type" : "tar",
    "build_hash" : "61dbcd0795c9bfe9b81e5762175414bc38bbcadf",
    "build_date" : "2024-06-20T03:26:49.193630411Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[opensearch@opensearch-cluster-master-0 ~]$ curl http://localhost:9200 -u "admin:Moto1sBe\$t"
curl: (52) Empty reply from server

Configuration:
values.yaml

opensearch:
  singleNode: true

  config:
    opensearch.yml: |
      plugins:
        security:
          ssl:
            transport:
              pemcert_filepath: esnode.pem
              pemkey_filepath: esnode-key.pem
              pemtrustedcas_filepath: root-ca.pem
              enforce_hostname_verification: false
            http:
              enabled: false
          allow_unsafe_democertificates: true
          allow_default_init_securityindex: true

  extraEnvs:
    - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
      value: "Moto1sBe$t"

  securityConfig:
    enabled: false
    path: "/usr/share/opensearch/config/opensearch-security"
    configSecret: opensearch-security-config
    rolesMappingSecret: opensearch-security-config
    rolesSecret: opensearch-security-config

  resources:
    requests:
      cpu: "1"
      memory: "4Gi"
    limits:
      cpu: "1"
      memory: "4Gi"

  persistence:
    enabled: false
    size: 2Gi

security config.yaml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: "email"
            roles_key: "groups"
            openid_connect_url: https://XXX/.well-known/openid-configuration
        authentication_backend:
          type: noop

Relevant Logs or Screenshots:

[2024-07-05T10:17:25,850][WARN ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-0] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9200, remoteAddress=/[0:0:0:0:0:0:0:1]:59544}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73743a393230300d0a417574686f72697a6174696f6e3a20426173696320595752746157343654573930627a467a516d556b64413d3d0d0a557365722d4167656e743a206375726c2f382e352e300d0a4163636570743a202a2f2a0d0a0d0a
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1407) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994) [netty-common-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.110.Final.jar:4.1.110.Final]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73743a393230300d0a417574686f72697a6174696f6e3a20426173696320595752746157343654573930627a467a516d556b64413d3d0d0a557365722d4167656e743a206375726c2f382e352e300d0a4163636570743a202a2f2a0d0a0d0a
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1314) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
        ... 16 more

Hi @motoBoto,

If you use the HTTP protocol, anyone can send a request to the cluster with admin permissions. Why do you need to disable Rest Layer?

Thanks for the reply, Eugene!

Some of the legacy systems we currently use only support plaintext connections. This isn’t a problem in our current Kubernetes cluster setup, as OpenSearch is inaccessible from outside the cluster. My approach would be to configure OpenSearch Dashboards to handle authentication for ext users.

If disabling SSL for the REST layer is not supported by OpenSearch, I understand the implications. Is that so?

The idea was to add an anonymous backend role with limited permissions.

Hi @motoBoto,

Please try adding the following environmental variable to values.yaml:

extraEnvs:
 - name: DISABLE_INSTALL_DEMO_CONFIG
   value: "true"

It is strongly recommended to use the REST layer. Otherwise, user credentials will be sent over the network as plain text.
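
Added example, not part of the thread and not OpenSearch project code: the hex string Netty prints after `not an SSL/TLS record:` is the raw bytes the TLS handler received, so a plaintext request carrying HTTP Basic auth lands in the server log in recoverable form. The sketch below flags such log lines, reports which account's header was captured so its password can be rotated, and redacts the dump. The function names and the sample credential are constructed for illustration.

```python
import base64
import re

# Netty appends a hex dump of the received bytes to this exception message.
NOT_TLS = re.compile(r"(NotSslRecordException: not an SSL/TLS record: )([0-9a-fA-F]+)")
HTTP_START = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
AUTH = re.compile(rb"(?im)^(Authorization:[ \t]*)(\S+)[ \t]+(\S+)")


def inspect(line):
    """Return (finding, scrubbed_line); finding is None when the line is clean."""
    m = NOT_TLS.search(line)
    if not m:
        return None, line
    hexdump = m.group(2)
    if len(hexdump) % 2:  # truncated dump: drop the dangling nibble
        hexdump = hexdump[:-1]
    raw = bytes.fromhex(hexdump)
    finding = {"plaintext_http": bool(HTTP_START.match(raw)), "scheme": None, "user": None}
    auth = AUTH.search(raw)
    if auth:
        finding["scheme"] = auth.group(2).decode("ascii", "replace")
        if finding["scheme"].lower() == "basic":
            try:
                decoded = base64.b64decode(auth.group(3), validate=True)
                # Keep only the account name; the password is never returned.
                finding["user"] = decoded.split(b":", 1)[0].decode("utf-8", "replace")
            except ValueError:
                pass  # malformed token: still redact, just no user name
    # Redact the whole dump: headers, cookies and bodies can all carry secrets.
    scrubbed = f"{line[:m.start(2)]}[REDACTED {len(raw)} bytes]{line[m.end(2):]}"
    return finding, scrubbed


def sample_line():
    # Constructed sample: a made-up credential in a request shaped like the logged one.
    token = base64.b64encode(b"demo-user:constructed-password")
    request = (b"GET / HTTP/1.1\r\nHost: localhost:9200\r\nAuthorization: Basic "
               + token + b"\r\nAccept: */*\r\n\r\n")
    return ("io.netty.handler.codec.DecoderException: io.netty.handler.ssl."
            "NotSslRecordException: not an SSL/TLS record: " + request.hex())


if __name__ == "__main__":
    finding, scrubbed = inspect(sample_line())
    print(finding)
    print(scrubbed)
```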

Hi @motoBoto,

Could you please share your opensearch-dashboards.yml file?