Gets 401 when trying to use workspace API with kibanaserver user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

3.1.0/Debian 12

Describe the issue:

Hi,

I am trying to create OpenSearch workspaces through the workspace API (https://docs.opensearch.org/docs/3.1/dashboards/workspace/apis/).

The proxy authentication is used.

kibanaserver is correctly authenticated with opensearch server (port 9200).

When trying to create a workspace or index patterns through Dashboards (port 5601), I get a 401 Unauthorized error.

I have tried with Basic Authentication and proxy authentication.

Thanks for any help

Configuration:

opensearch_dashboards.yml:

```yaml
## BEGIN OpenSearch Security plugin security ##
server.host: dev-odash01-r1.xxx
server.basePath: "/protected"
server.rewriteBasePath: true

opensearch.hosts: ['https://dev-om01-r1-vlp.xxx:9200', 'https://dev-om02-r1-vlp.xxxx:9200', 'https://dev-om03-r1-vlp.xxx:9200', 'https://dev-oc01-r1-vlp.xxx:9200', 'https://dev-oi01-r1-vlp.xxx:9200', 'https://dev-odh01-r1-vlp.xxx:9200', 'https://dev-odh02-r1-vlp.xxx:9200', 'https://dev-odh03-r1-vlp.xxx:9200', 'https://dev-odw01-r1-vlp.xxx:9200']
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "****"
opensearch.requestHeadersAllowlist: [ "securitytenant", "Authorization", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/dev-odash01-r1.mce.minint.fr.pem
server.ssl.key: /etc/opensearch-dashboards/dev-odash01-r1.mce.minint.fr.key
server.ssl.certificateAuthorities: [ "/etc/opensearch-dashboards/root-ca.pem" ]
opensearch.ssl.certificateAuthorities: [ "/etc/opensearch-dashboards/root-ca.pem" ]
opensearch_security.multitenancy.enabled: false
#opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false

workspace.enabled: true
uiSettings:
  overrides:
    "home:useNewHomePage": true

opensearch_security.auth.type: "proxy"

opensearch_security.proxycache.user_header: "x-proxy-user"
opensearch_security.proxycache.roles_header: "x-proxy-roles"

opensearchDashboards.dashboardAdmin.users: ["*"]
opensearchDashboards.dashboardAdmin.groups: ["*"]
savedObjects.permission.enabled: true
data_importer.enabled: true
application_config.enabled: true
csp_handler.enabled: true
csp.rules: ["worker-src blob: 'self'; style-src 'unsafe-inline' 'self';"]
## END OpenSearch Security plugin security ##
```


**Relevant Logs or Screenshots**:

@simelbaz can you share the command you are using to try to create a workspace using basic auth?

I have tested locally using the following basic OSD config:

```yaml
server.name: kibana
server.host: "0.0.0.0"
server.customResponseHeaders : { "Access-Control-Allow-Credentials" : "true" }
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/opensearch_dashboards.crt
server.ssl.key: /usr/share/opensearch-dashboards/config/opensearch_dashboards.key

opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opensearch_security.multitenancy.enabled: false
#opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

workspace.enabled: true
uiSettings:
  overrides:
    "home:useNewHomePage": true
```

and using the following command, I was able to create a workspace:

```bash
curl -k -XPOST "https://localhost:5601/api/workspaces" \
  -u admin:admin \
  -H "Content-Type: application/json" \
  -H "osd-xsrf: true" \
  -d '{
    "attributes": {
      "name": "test4",
      "description": "test4",
      "features": ["use-case-all"]
    }
  }'
```

Perhaps it would be best to get this working using basic auth before moving on to proxy, just to narrow down the possible issues.


You’re right.

When I switch to basic authentication by commenting out:

```yaml
#opensearch_security.auth.type: "proxy"

#opensearch_security.proxycache.user_header: "x-proxy-user"
#opensearch_security.proxycache.roles_header: "x-proxy-roles"
```

I get:

```text
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: xxx
*  start date: Jul 19 21:48:49 2025 GMT
*  expire date: Jul 18 21:48:49 2035 GMT
*  subjectAltName: host "dev-odash01-r1-vlp.xxx" matched cert's "dev-odash01-r1-vlp.xxx"
*  issuer: C=FR;xxx
*  SSL certificate verify ok.
* Server auth using Basic with user 'admin'
> POST /protected/api/workspaces HTTP/1.1
> Host: dev-odash01-r1-vlp.mce.minint.fr:5601
> Authorization: xxx
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Type: application/json
> osd-xsrf: true
> Content-Length: 119
>
* upload completely sent off: 119 out of 119 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< osd-name: dev-odash01-r1
< content-type: application/json; charset=utf-8
< cache-control: private, no-cache, no-store, must-revalidate
< set-cookie:  security_authentication=Fe26.2**0a8001762cf12696aefbee8cc1fbae47ae03ba04e6464308c3d34faed7dc63bf*N1LPmSe8U2_csLbmW6V4GQ*enAkVMKn0ON6qO2Q4FmgyMVJYaIeWnHT9HYU5QdnxN2hOFutWNHsAi3Rnbb4VI7CJlHoE3y9SfD43cioFNQaRmgS1HJbxILs5ugpHMuHzpn5s_iEk8hKCe_WRTJQdp6QIB3s-IID67kBRpEHmNpd4rgs1XJre9n2Hh6mbK97cRzuSrl7equk-KhBlRiThKUfg4x4IEP3sVWdGr20yKJmgw**65feb28b216ce53514ac6690ebfcd2b716733a465e2f223d7edd02cee11fc34b*35kaH7wXrL0IbLMt4QlwmwQMHuSs8G5zyiqu9i6sE7o; HttpOnly; Path=/protected
< content-length: 41
< Date: Mon, 21 Jul 2025 16:07:20 GMT
< Connection: keep-alive
< Keep-Alive: timeout=120
<
* Connection #0 to host dev-odash01-r1-vlp.xxx left intact
{"success":true,"result":{"id":"4J-xbA"}}
```

The proxy authentication seems to break the basic authentication to OSD.
What I can say is that the security_authentication cookie is now filled,
whereas that is not the case with proxy authentication.

Thanks for any help

Finally, it is OK. I was mixing basic authentication and proxy authentication in the same curl command (to be sure to be authenticated).

Thanks for your help. I have been able to narrow down my mistake and separate the 2 authentications.
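
The fix reported in the last post was to stop sending both mechanisms in one request. The following is an added example, not code from the thread or from the OpenSearch project: a POSIX shell helper that sends the workspace request with exactly one mechanism, plus a check that classifies an existing curl argument list. The function names, `OSD_URL` (include the base path such as `/protected` if one is configured) and the credentials are placeholders, and the proxy mode assumes the two header names from the posted `opensearch_security.proxycache.*` settings.

```shell
#!/bin/sh
# Added example (not from the thread): send the workspace request with exactly
# one authentication mechanism. OSD_URL, BODY and credentials are placeholders.
OSD_URL="${OSD_URL:-https://localhost:5601}"
BODY='{"attributes":{"name":"test4","description":"test4","features":["use-case-all"]}}'

# Dry-run helper: CURL=print_args prints the argument list instead of sending it.
print_args() { printf '%s\n' "$@"; }

# usage: workspace_create basic <user:password>
#        workspace_create proxy <user> <roles>
workspace_create() {
  mode="$1"; shift
  case "$mode" in
    basic)
      [ "$#" -eq 1 ] || { echo "basic: expected user:password only" >&2; return 2; }
      set -- -u "$1" ;;
    proxy)
      # Header names as configured in opensearch_security.proxycache.* on this page.
      [ "$#" -eq 2 ] || { echo "proxy: expected user and roles only" >&2; return 2; }
      set -- -H "x-proxy-user: $1" -H "x-proxy-roles: $2" ;;
    *)
      echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  "${CURL:-curl}" -sS -X POST "$OSD_URL/api/workspaces" \
    -H 'Content-Type: application/json' -H 'osd-xsrf: true' "$@" -d "$BODY"
}

# Classify an existing curl argument list: which mechanisms does it carry?
# Prints one of: none, authorization, proxy, authorization+proxy
auth_mechanisms() {
  basic=0; proxy=0
  for arg in "$@"; do
    case "$arg" in
      -u*|--user) basic=1 ;;   # case-sensitive: -U is curl's proxy-user option
    esac
    case "$(printf '%s' "$arg" | tr '[:upper:]' '[:lower:]')" in
      authorization:*) basic=1 ;;
      x-proxy-user:*|x-proxy-roles:*) proxy=1 ;;
    esac
  done
  case "$basic$proxy" in
    11) echo "authorization+proxy" ;;
    10) echo "authorization" ;;
    01) echo "proxy" ;;
    *)  echo "none" ;;
  esac
}
```

Running `CURL=print_args workspace_create proxy admin admin` shows the exact arguments without contacting the server; a result of `authorization+proxy` from `auth_mechanisms` marks a command that mixes the two, as in the thread.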