How to see Security Dashboard in OpenSearch Dashboards on Docker

ejsarge · April 8, 2024, 4:49pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.13.0

Describe the issue:
I cannot find the Security Dashboard in OpenSearch Dashboards. I also don’t know where it should appear so I’m not even convinced I’m looking in the right place.

Configuration:
I have a Docker compose config with self-signed certs that has 2 OpenSearch nodes starting up and finding each other just fine. OpenSearch Dashboards is also starting and I can login with the default admin credentials.
I’m currently using securityadmin.sh to modify the security config but there’s a auth issue I can’t figure out. I was hoping to work in the Security Plugin to understand it but I can’t find it.

In case it’s relevant, I do have an admin certificate defined but I haven’t told OpenSearch Dashboards about it because I don’t see where. I don’t understand how OpenSearch Dashboards would be able to modify the security index without it?

Because it’s annoying when somebody only talks about what they think the problem is and not the actual problem:
My actual problem is getting the Jaeger Collector to talk to OpenSearch with minimal enough permissions.
My logs have:

opensearch-node1       | [2024-04-08T16:44:28,875][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No cluster-level perm match for User [name=jaeger-collector, backend_roles=[jaeger-write], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/template/put]] [RolesChecked [own_index, cross_cluster_search_remote_full_access, alerting_full_access]]. No permissions for [indices:admin/template/put]
jaeger-collector-1     | {"level":"fatal","ts":1712594668.8759506,"caller":"collector/main.go:87","msg":"Failed to create span writer","error":"failed to create template \"jaeger-span\": elastic: Error 403 (Forbidden): no permissions for [indices:admin/template/put] and User [name=jaeger-collector, backend_roles=[jaeger-write], requestedTenant=null] [type=security_exception]","stacktrace":"main.main.func1\n\tgithub.com/jaegertracing/jaeger/cmd/collector/main.go:87\ngithub.com/spf13/cobra.(*Command).execute\n\tgithub.com/spf13/cobra@v1.8.0/command.go:983\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tgithub.com/spf13/cobra@v1.8.0/command.go:1115\ngithub.com/spf13/cobra.(*Command).Execute\n\tgithub.com/spf13/cobra@v1.8.0/command.go:1039\nmain.main\n\tgithub.com/jaegertracing/jaeger/cmd/collector/main.go:157\nruntime.main\n\truntime/proc.go:271"}

internal_users.yml has:

jaeger-collector:
  hash: "[redacted]"
  reserved: false
  hidden: false
  opendistro_security_roles:
    - "jaeger-write"
    - "alerting_full_access"
    - "cross_cluster_search_remote_full_access"
  backend_roles:
    - "jaeger-write"
  static: false

roles.yml is the default and has the following added:

jaeger-write:
  reserved: false
  hidden: false
  cluster_permissions:
    "cluster:monitor/main",
    "indices:data/write/bulk"
    "indices:data/read/msearch"
    "indices:admin/template/put"
    "cluster:admin/component_template/put"
    "cluster:admin/template/put"
  index_permissions:
    - index_patterns:
      - *
      allowed_actions:
        indices:data/read/search*
        indices:admin/template/put

To my understanding both the cluster_permissions and the index_permissions have indices:admin/template/put so this should work.

If I add admin as a backend_role then it auths just fine.

Gsmitt · April 10, 2024, 12:33am

Hey @ejsarge

Correct me if I’m wrong but if you haven’t executed the securityadmin.sh then that where you issue might be. I see that you created role/s and added the permissions but the log shows it don’t have those permission. That’s what brings me to my conclusion about securityadmin.sh script.

Something like this…

./securityadmin.sh -h opensearch.domain.com  -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

As for Docker I’m unsure.

Mantas · April 10, 2024, 10:28am

Hi @ejsarge,

Could you please run the below and share the output?
curl --insecure -u admin:<admin_password> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/roles/jaeger-write?pretty

note then sharing the output please use “Preformatted text (Ctrl+e)” or as per below:

thanks,
mj

ejsarge · April 10, 2024, 3:29pm

Hi @Gsmitt and @Mantas,
Thanks for the replies.

I started running the API commands for the roles and users and eventually figured out that I wasn’t mounting my roles.yml into my docker instance. securityadmin.sh was running just fine and reporting success - just not on the file I thought it was.

To help folks who might google and find this here’s that part of my docker-compose.yml.

    volumes:
      - "./opensearch.yml:/usr/share/opensearch/config/opensearch.yml"
      - opensearch-data1:/usr/share/opensearch/data 
      - "./certs:/usr/share/opensearch/config/certificates:ro"
      - "./internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml"
      - "./roles.yml:/usr/share/opensearch/config/opensearch-security/roles.yml"

Topic		Replies	Views
Security does not appear in "Opensearch Plugins" Security	3	1083	December 30, 2022
Permissions required for user to see "Security" tab in OpenSearch Dashboards Security troubleshoot	6	1405	June 22, 2022
Need help in setting up anonymous auth for opensearch and opensearch-dashboards OpenSearch configure , install	2	904	December 12, 2022
Opensearch-Dashboard directing to login page even though security is disabled OpenDistro	1	4343	November 19, 2021
Opensearch Dashboards cannot connect to Opensearch Security	8	8247	April 7, 2023

How to see Security Dashboard in OpenSearch Dashboards on Docker

Related topics