How to see Security Dashboard in OpenSearch Dashboards on Docker

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.13.0

Describe the issue:
I cannot find the Security Dashboard in OpenSearch Dashboards. I also don’t know where it should appear so I’m not even convinced I’m looking in the right place.

Configuration:
I have a Docker compose config with self-signed certs that has 2 OpenSearch nodes starting up and finding each other just fine. OpenSearch Dashboards is also starting and I can login with the default admin credentials.
I’m currently using securityadmin.sh to modify the security config but there’s an auth issue I can’t figure out. I was hoping to work in the Security Plugin to understand it but I can’t find it.

In case it’s relevant, I do have an admin certificate defined but I haven’t told OpenSearch Dashboards about it because I don’t see where. I don’t understand how OpenSearch Dashboards would be able to modify the security index without it?

Because it’s annoying when somebody only talks about what they think the problem is and not the actual problem:
My actual problem is getting the Jaeger Collector to talk to OpenSearch with minimal enough permissions.
My logs have:

opensearch-node1       | [2024-04-08T16:44:28,875][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No cluster-level perm match for User [name=jaeger-collector, backend_roles=[jaeger-write], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/template/put]] [RolesChecked [own_index, cross_cluster_search_remote_full_access, alerting_full_access]]. No permissions for [indices:admin/template/put]
jaeger-collector-1     | {"level":"fatal","ts":1712594668.8759506,"caller":"collector/main.go:87","msg":"Failed to create span writer","error":"failed to create template \"jaeger-span\": elastic: Error 403 (Forbidden): no permissions for [indices:admin/template/put] and User [name=jaeger-collector, backend_roles=[jaeger-write], requestedTenant=null] [type=security_exception]","stacktrace":"main.main.func1\n\tgithub.com/jaegertracing/jaeger/cmd/collector/main.go:87\ngithub.com/spf13/cobra.(*Command).execute\n\tgithub.com/spf13/cobra@v1.8.0/command.go:983\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tgithub.com/spf13/cobra@v1.8.0/command.go:1115\ngithub.com/spf13/cobra.(*Command).Execute\n\tgithub.com/spf13/cobra@v1.8.0/command.go:1039\nmain.main\n\tgithub.com/jaegertracing/jaeger/cmd/collector/main.go:157\nruntime.main\n\truntime/proc.go:271"}

internal_users.yml has:

jaeger-collector:
  hash: "[redacted]"
  reserved: false
  hidden: false
  opendistro_security_roles:
    - "jaeger-write"
    - "alerting_full_access"
    - "cross_cluster_search_remote_full_access"
  backend_roles:
    - "jaeger-write"
  static: false

roles.yml is the default and has the following added:

jaeger-write:
  reserved: false
  hidden: false
  cluster_permissions:
    - "cluster:monitor/main"
    - "indices:data/write/bulk"
    - "indices:data/read/msearch"
    - "indices:admin/template/put"
    - "cluster:admin/component_template/put"
    - "cluster:admin/template/put"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "indices:data/read/search*"
        - "indices:admin/template/put"

To my understanding both the cluster_permissions and the index_permissions have indices:admin/template/put so this should work.

If I add admin as a backend_role then it auths just fine.

Hey @ejsarge

Correct me if I’m wrong, but if you haven’t executed securityadmin.sh then that’s where your issue might be. I see that you created role/s and added the permissions, but the log shows it doesn’t have those permissions. That’s what brings me to my conclusion about the securityadmin.sh script.

Something like this…

./securityadmin.sh -h opensearch.domain.com  -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

As for Docker I’m unsure.

Hi @ejsarge,

Could you please run the below and share the output?
curl --insecure -u admin:<admin_password> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/roles/jaeger-write?pretty

Note: when sharing the output, please use “Preformatted text (Ctrl+e)” or as per below:
image

thanks,
mj

Hi @Gsmitt and @Mantas,
Thanks for the replies.

I started running the API commands for the roles and users and eventually figured out that I wasn’t mounting my roles.yml into my docker instance. securityadmin.sh was running just fine and reporting success - just not on the file I thought it was.

To help folks who might google and find this, here’s that part of my docker-compose.yml.

    volumes:
      - "./opensearch.yml:/usr/share/opensearch/config/opensearch.yml"
      - opensearch-data1:/usr/share/opensearch/data 
      - "./certs:/usr/share/opensearch/config/certificates:ro"
      - "./internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml"
      - "./roles.yml:/usr/share/opensearch/config/opensearch-security/roles.yml"
2 Likes
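
A check on the denial log from the question, as an added example that is not part of the original thread: it parses the PrivilegesEvaluator line and lists roles assigned in internal_users.yml that the node left out of RolesChecked. The function names are hypothetical; the log line and role list are copied from the question.

```python
# Added example; function names are illustrative, not OpenSearch tooling.
import re

# Denial line from the question (docker-compose container prefix dropped).
SAMPLE_LOG = (
    "[2024-04-08T16:44:28,875][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] "
    "No cluster-level perm match for User [name=jaeger-collector, "
    "backend_roles=[jaeger-write], requestedTenant=null] Resolved [aliases=[*], "
    "allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] "
    "[Action [indices:admin/template/put]] [RolesChecked [own_index, "
    "cross_cluster_search_remote_full_access, alerting_full_access]]. "
    "No permissions for [indices:admin/template/put]"
)

# Roles listed under opendistro_security_roles for this user in internal_users.yml.
ASSIGNED_ROLES = ["jaeger-write", "alerting_full_access",
                  "cross_cluster_search_remote_full_access"]

DENIAL = re.compile(
    r"User \[name=(?P<user>[^,\]]+), backend_roles=\[(?P<backend>[^\]]*)\]"
    r".*?\[Action \[(?P<action>[^\]]+)\]\]"
    r" \[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def _split(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]

def parse_denial(line):
    """Return user, action and evaluated roles from a denial line, or None."""
    m = DENIAL.search(line)
    if m is None:
        return None
    return {
        "user": m.group("user"),
        "backend_roles": _split(m.group("backend")),
        "action": m.group("action"),
        "roles_checked": _split(m.group("roles")),
    }

def unevaluated_roles(line, assigned_roles):
    """Roles assigned in the local file that the node did not evaluate."""
    denial = parse_denial(line)
    if denial is None:
        raise ValueError("not a PrivilegesEvaluator denial line")
    checked = set(denial["roles_checked"])
    return [r for r in assigned_roles if r not in checked]

if __name__ == "__main__":
    print("assigned but not evaluated:", unevaluated_roles(SAMPLE_LOG, ASSIGNED_ROLES))
```

For this log the result is `jaeger-write`, which is consistent with the resolution above: the role was assigned to the user, but the roles.yml defining it was not the file the node had loaded.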