I have been trying to set up Azure OpenID authentication to work with an OpenSearch Helm deployment. But upon accessing the OpenSearch dashboard in a web browser it ends up in a redirect loop error "too many redirects".
Hello,
I have shared the configuration that I’m testing with. In the logs all I can see is the error “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”
Could anyone please review and comment on what is wrong with the config, or how I can troubleshoot it further?
======= helm chart value========
config:
  securityConfigSecret: ""
  data:
    config.yml: |-
      _meta:
        type: "config"
        config_version: 2
      config:
        dynamic:
          authc:
            basic_internal_auth_domain:
              http_enabled: true
              transport_enabled: true
              order: 1
              http_authenticator:
                type: basic
                challenge: false
              authentication_backend:
                type: internal
            openid_auth_domain:
              http_enabled: true
              transport_enabled: true
              order: 0
              http_authenticator:
                type: openid
                challenge: false
                config:
                  subject_key: preferred_username
                  roles_key: roles
                  openid_connect_idp:
                    enable_ssl: true
                    verify_hostnames: true
                  openid_connect_url: "https://login.microsoftonline.com/3abcd-1234-1234-1234-abcd12345/v2.0/.well-known/openid-configuration"
                  jwks_uri: "https://login.microsoftonline.com/3abcd-1234-1234-1234-abcd12345/discovery/v2.0/keys"
              skip_users:
                - kibanaro
                - kibanaserver
                - admin
              authentication_backend:
                type: noop
    roles.yml: |-
      _meta:
        type: "roles"
        config_version: 2
      # Restrict users
      all_access:
        reserved: true
    roles_mapping.yml: |-
      _meta:
        type: "rolesmapping"
        config_version: 2
      all_access:
        reserved: false
        backend_roles:
          - "admin"
        description: "Maps admin to all_access"
===========================
Error on Logs -
[2021-11-23T11:57:55,822][INFO ][o.o.s.s.ConfigHelper ] Will update 'roles' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml and populate it with empty doc if file missing and populateEmptyIfFileMissing=false
[2021-11-23T11:57:55,823][ERROR][o.o.s.c.ConfigurationRepository] Cannot apply default config (this is maybe not an error!)
java.lang.NullPointerException: Cannot invoke "org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.get_meta()" because "sdc" is null
    at org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.validate(SecurityDynamicConfiguration.java:108) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.fromJson(SecurityDynamicConfiguration.java:89) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.fromJson(SecurityDynamicConfiguration.java:74) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.fromNode(SecurityDynamicConfiguration.java:123) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.support.ConfigHelper.fromYamlReader(ConfigHelper.java:142) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.support.ConfigHelper.fromYamlFile(ConfigHelper.java:151) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.support.ConfigHelper.uploadFile(ConfigHelper.java:73) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.support.ConfigHelper.uploadFile(ConfigHelper.java:65) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
    at org.opensearch.security.configuration.ConfigurationRepository$1.run(ConfigurationRepository.java:138) [opensearch-security-1.1.0.0.jar:1.1.0.0]
    at java.lang.Thread.run(Thread.java:832) [?:?]
[2021-11-23T11:57:56,191][INFO ][stdout ] [FINE] No subscribers registered for event class org.opensearch.security.securityconf.DynamicConfigFactory$NodesDnModelImpl
[2021-11-23T11:57:56,192][INFO ][stdout ] [FINE] No subscribers registered for event class org.greenrobot.eventbus.NoSubscriberEvent
[2021-11-23T11:57:56,193][INFO ][o.o.s.a.i.AuditLogImpl ] Auditing on REST API is enabled.
[2021-11-23T11:57:56,193][INFO ][o.o.s.a.i.AuditLogImpl ] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.
[2021-11-23T11:57:56,193][INFO ][o.o.s.a.i.AuditLogImpl ] Auditing on Transport API is enabled.
[2021-11-23T11:57:56,194][INFO ][o.o.s.a.i.AuditLogImpl ] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing.
[2021-11-23T11:57:56,194][INFO ][o.o.s.a.i.AuditLogImpl ] Auditing of request body is enabled.
[2021-11-23T11:57:56,209][WARN ][o.o.s.a.r.AuditMessageRouter] No endpoint configured for categories [BAD_HEADERS, FAILED_LOGIN, MISSING_PRIVILEGES, GRANTED_PRIVILEGES, OPENDISTRO_SECURITY_INDEX_ATTEMPT, SSL_EXCEPTION, AUTHENTICATED, INDEX_EVENT, COMPLIANCE_DOC_READ, COMPLIANCE_DOC_WRITE, COMPLIANCE_EXTERNAL_CONFIG, COMPLIANCE_INTERNAL_CONFIG_READ, COMPLIANCE_INTERNAL_CONFIG_WRITE], using default endpoint
[2021-11-23T11:57:56,218][INFO ][o.o.s.a.i.AuditLogImpl ] .opendistro_security is used as internal security index.
[2021-11-23T11:57:56,219][INFO ][o.o.s.a.i.AuditLogImpl ] Internal index used for posting audit logs is null
[2021-11-23T11:57:56,220][INFO ][o.o.s.c.ConfigurationRepository] Hot-reloading of audit configuration is enabled
[2021-11-23T11:57:56,220][INFO ][o.o.s.c.ConfigurationRepository] Node 'opensearch-cluster-master-2' initialized
[2021-11-23T11:59:42,387][WARN ][o.o.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-11-23T11:59:43,782][WARN ][o.o.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-11-23T11:59:45,093][WARN ][o.o.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
===============
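
Added example, not part of the original post: one way to triage a log excerpt like the one above. It attaches stack-trace lines to their parent event, pairs each "Will update '<type>'" line with an ERROR that immediately follows it, and counts repeated WARN messages; for this excerpt that shows the ERROR was logged directly after the roles.yml load line. The sample log is abridged from the post, and the names `parse_events` and `triage` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: lines abridged from the log excerpt in the post above.
SAMPLE_LOG = """\
[2021-11-23T11:57:55,822][INFO ][o.o.s.s.ConfigHelper ] Will update 'roles' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml and populate it with empty doc if file missing and populateEmptyIfFileMissing=false
[2021-11-23T11:57:55,823][ERROR][o.o.s.c.ConfigurationRepository] Cannot apply default config (this is maybe not an error!)
java.lang.NullPointerException: Cannot invoke "org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.get_meta()" because "sdc" is null
    at org.opensearch.security.support.ConfigHelper.fromYamlFile(ConfigHelper.java:151) ~[opensearch-security-1.1.0.0.jar:1.1.0.0]
[2021-11-23T11:57:56,220][INFO ][o.o.s.c.ConfigurationRepository] Node 'opensearch-cluster-master-2' initialized
[2021-11-23T11:59:42,387][WARN ][o.o.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-11-23T11:59:43,782][WARN ][o.o.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-11-23T11:59:45,093][WARN ][o.o.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
"""

# [timestamp][LEVEL][logger] message -- level and logger may carry padding spaces
EVENT = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s?(?P<msg>.*)$")
UPDATE = re.compile(r"Will update '(?P<kind>[^']+)' with (?P<path>\S+)")

def parse_events(text):
    """Group raw lines into events; stack-trace lines attach to the previous event."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append({**m.groupdict(), "trace": []})
        elif events and line.strip():
            events[-1]["trace"].append(line.strip())
    return events

def triage(text):
    """Return (config loads directly followed by an ERROR, counts of repeated WARNs)."""
    events = parse_events(text)
    failed, pending = [], None
    for ev in events:
        upd = UPDATE.search(ev["msg"])
        if ev["level"] == "ERROR" and pending:
            failed.append({**pending, "error": ev["msg"], "exception": (ev["trace"] or [""])[0]})
        pending = upd.groupdict() if upd else None  # only the very next event is paired
    warns = Counter((e["logger"], e["msg"]) for e in events if e["level"] == "WARN")
    return failed, warns

if __name__ == "__main__":
    failed, warns = triage(SAMPLE_LOG)
    for f in failed:
        print(f"{f['kind']}: {f['path']} -> {f['exception']}")
    for (logger, msg), n in warns.items():
        print(f"{n}x {logger}: {msg}")
```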