Error while configuring JWT Authentication

Moved from GitHub issue #2872


I am trying to configure JWT Authentication for my OpenSearch Docker container, which is on V2.7.0.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Config file updated as follows:
jwt_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "VGhpc0lzQVRlc3ROYXRUb0JlVXNlZEFudGh3YXJl"
      jwt_header: "Authorization"
      jwt_url_parameter: null
      subject_key: "sub"
      roles_key: "roles"
      jwt_clock_skew_tolerance_seconds: 20
  authentication_backend:
    type: noop

What is the expected behavior?

[opensearch@59901e2344d3 tools]$ ./securityadmin.sh -cd …/securityconfig/ -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/kirk.pem -key …/…/…/config/kirk-key.pem

Security Admin v7
Will connect to localhost:9200 … done
Connected as “CN=kirk,OU=client,O=client,L=test,C=de”
OpenSearch Version: 2.7.0
Contacting opensearch cluster ‘opensearch’ and wait for YELLOW clusterstate …
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/plugins/opensearch-security/securityconfig
ERR: Seems …/securityconfig/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “http_enabled” (class org.opensearch.security.securityconf.impl.v7.ConfigV7), not marked as ignorable (one known property: “dynamic”])
at [Source: (String)“{”_meta":{“type”:“config”,“config_version”:2},“config”:{“dynamic”:{“http”:{“anonymous_auth_enabled”:false,“xff”:{“enabled”:false,“internalProxies”:“192.168.0.10|192.168.0.11”}},“authc”:null}},“jwt_auth_domain”:{“http_enabled”:true,“transport_enabled”:true,“order”:0,“http_authenticator”:{“type”:“jwt”,“challenge”:false,“config”:{“signing_key”:“VGhpc0lzQVRlc3ROYXRUb0JlVXNlZEFudGh3YXJl”,“jwt_header”:“Authorization”,“jwt_url_parameter”:null,“subject_key”:“sub”,“roles_key”:“roles”,“jwt_clo”[truncated 816 chars]; line: 1, column: 243] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“jwt_auth_domain”]->org.opensearch.security.securityconf.impl.v7.ConfigV7[“http_enabled”])
ERR: Seems …/securityconfig/roles.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/roles.yml (No such file or directory)
ERR: Seems …/securityconfig/roles_mapping.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/roles_mapping.yml (No such file or directory)
ERR: Seems …/securityconfig/internal_users.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/internal_users.yml (No such file or directory)
ERR: Seems …/securityconfig/action_groups.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/action_groups.yml (No such file or directory)
ERR: Seems …/securityconfig/tenants.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/tenants.yml (No such file or directory)
ERR: Seems …/securityconfig/nodes_dn.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/nodes_dn.yml (No such file or directory)
ERR: Seems …/securityconfig/whitelist.yml is not in OpenSearch Security 7 format: java.io.FileNotFoundException: …/securityconfig/whitelist.yml (No such file or directory)

What is your host/environment?

  • OS: Ubuntu 20.04.5 LTS
  • Version 20.04.5
  • Plugins


To the original issue’s author, gvsrini:

Could you please attach your complete config.yml here (redacted for privacy if needed of course)? It seems like there might be some sort of miss in where fields are and where they are expected.

At the link below, you can find an example of a config.yml file:
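
Added example, not part of the original post or of the OpenSearch project's code: the securityadmin error above rejects `http_enabled` because `jwt_auth_domain` is read as a top-level entry, where only `dynamic` is a known property, while `authc` is null. This Python check lints the parsed document and moves such a block under `config.dynamic.authc`; the helper names (`lint`, `relocate`, `looks_like_auth_domain`) are hypothetical, and the sample input is constructed with a placeholder signing key.

```python
import copy
import json

# Constructed sample mirroring the JSON in the securityadmin error: "jwt_auth_domain"
# sits beside "config" and "authc" is null. The signing key is a placeholder.
BROKEN = json.loads("""
{"_meta": {"type": "config", "config_version": 2},
 "config": {"dynamic": {"http": {"anonymous_auth_enabled": false}, "authc": null}},
 "jwt_auth_domain": {"http_enabled": true, "transport_enabled": true, "order": 0,
   "http_authenticator": {"type": "jwt", "challenge": false,
     "config": {"signing_key": "<base64-key-placeholder>", "jwt_header": "Authorization",
                "subject_key": "sub", "roles_key": "roles"}},
   "authentication_backend": {"type": "noop"}}}
""")
ALLOWED_TOP = {"_meta", "config"}  # the only top-level keys of config.yml


def looks_like_auth_domain(value):
    """Heuristic (assumption): a mapping that carries an http_authenticator block."""
    return isinstance(value, dict) and "http_authenticator" in value


def lint(doc):
    """Return findings for a parsed config.yml document (hypothetical helper)."""
    findings = []
    for key, value in doc.items():
        if key not in ALLOWED_TOP:
            kind = "auth domain" if looks_like_auth_domain(value) else "key"
            findings.append(f"top-level {kind} '{key}' must not sit beside 'config'")
    dynamic = (doc.get("config") or {}).get("dynamic") or {}
    if not dynamic.get("authc"):
        findings.append("config.dynamic.authc is empty: no auth domain is defined")
    return findings


def relocate(doc):
    """Return a copy with stray auth domains moved under config.dynamic.authc."""
    fixed = copy.deepcopy(doc)
    dynamic = fixed.setdefault("config", {}).setdefault("dynamic", {})
    authc = dynamic.get("authc") or {}
    for key in [k for k, v in doc.items() if looks_like_auth_domain(v)]:
        if key not in ALLOWED_TOP:
            authc[key] = fixed.pop(key)
    dynamic["authc"] = authc
    return fixed


if __name__ == "__main__":
    print("\n".join(lint(BROKEN)))
    print(json.dumps(relocate(BROKEN), indent=2))
```

The relocated document nests the domain as `config` → `dynamic` → `authc` → `jwt_auth_domain`, which is the shape the v7 config parser named in the error expects.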