If I use the JWT config here: Backend configuration - OpenSearch documentation
Here is my security-config:
```yaml
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      jwt_auth_domain:
        description: "Authenticate via JWT"
        enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            subject_key: null
            roles_key: null
        authentication_backend:
          type: noop
    authz:
```
I get the following when I try to run securityadmin.sh:
```
17:53:49 es-master:~/opensearch$ sudo docker container exec -it opensearch-node1 /bin/sh
sh-4.2$ /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -nhnv -icl -cd /usr/share/opensearch/config/opensearch-security -cacert /usr/share/opensearch/config/root-ca.pem -cert /usr/share/opensearch/config/kirk.pem -key /usr/share/opensearch/config/kirk-key.pem
Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
OpenSearch Version: 1.3.2
OpenSearch Security Version: 1.3.2.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/config/opensearch-security/
ERR: Seems /usr/share/opensearch/config/opensearch-security/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "enabled" (class org.opensearch.security.securityconf.impl.v7.ConfigV7$AuthcDomain), not marked as ignorable (6 known properties: "http_enabled", "transport_enabled", "http_authenticator", "authentication_backend", "order", "description"])
at [Source: (String)"{"_meta":{"type":"config","config_version":2},"config":{"dynamic":{"http":{"anonymous_auth_enabled":false},"authc":{"basic_internal_auth_domain":{"description":"Authenticate via HTTP Basic against internal users database","http_enabled":true,"transport_enabled":true,"order":4,"http_authenticator":{"type":"basic","challenge":true},"authentication_backend":{"type":"intern"}},"jwt_auth_domain":{"description":"Authenticate via JWT","enabled":true,"http_enabled":false,"transport_enabled":false,"order"[truncated 252 chars]; line: 1, column: 447] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["config"]->org.opensearch.security.securityconf.impl.v7.ConfigV7["dynamic"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$Dynamic["authc"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$Authc["jwt_auth_domain"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$AuthcDomain["enabled"])
Will update '_doc/roles' with /usr/share/opensearch/config/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/opensearch/config/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/opensearch/config/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/opensearch/config/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/opensearch/config/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/opensearch/config/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/opensearch/config/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
ERR: cannot upload configuration, see errors above
sh-4.2$ exit
exit
```
I think I'm supposed to spell the fields as "http_enabled" instead of "enabled"?
When I change the spelling to http_enabled, I can successfully run securityadmin.sh (though unfortunately, I am unable to get JWT tokens to work).
I'm using the latest docker image for opensearch, and connecting to opensearch using Basic Auth yields:
```
es-master:~/opensearch$ curl -k -u admin:admin https://localhost:9200/
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "jY8qm053R6-Gh95YZXK2Mg",
  "version" : {
    "distribution" : "opensearch",
    "number" : "1.3.2",
    "build_type" : "tar",
    "build_hash" : "6febcf7b53ff189de767e460e905e9e5aeecc8cb",
    "build_date" : "2022-05-04T03:58:48.328641Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```
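An added pre-upload check, written for this thread and not code from the poster or the OpenSearch project: it validates each authc domain against the six properties securityadmin.sh listed in the error above, so the "enabled" vs "http_enabled" mistake (and an explicitly disabled HTTP domain, which would leave JWT requests unmatched) is caught before the config is pushed. It assumes config.yml has already been loaded into a dict (for example with yaml.safe_load); SAMPLE_CONFIG is a constructed copy of the posted file, and the rename table is an assumed fix.

```python
# Added example, not from the post or the OpenSearch project. Validates the authc
# domains of a loaded config.yml against the six fields ConfigV7$AuthcDomain accepts
# (copied from the securityadmin.sh error) and flags domains disabled for HTTP.
# SAMPLE_CONFIG is constructed to mirror the posted file; RENAMES is an assumed fix.
KNOWN_DOMAIN_KEYS = {"http_enabled", "transport_enabled", "http_authenticator",
                     "authentication_backend", "order", "description"}
RENAMES = {"enabled": "http_enabled"}  # assumed correction for the typo in the post

SAMPLE_CONFIG = {  # constructed, mirrors the posted config.yml (with the typo)
    "_meta": {"type": "config", "config_version": 2},
    "config": {"dynamic": {"http": {"anonymous_auth_enabled": False}, "authc": {
        "basic_internal_auth_domain": {
            "description": "Authenticate via HTTP Basic against internal users database",
            "http_enabled": True, "transport_enabled": True, "order": 4,
            "http_authenticator": {"type": "basic", "challenge": True},
            "authentication_backend": {"type": "intern"}},
        "jwt_auth_domain": {
            "description": "Authenticate via JWT", "enabled": True,
            "transport_enabled": True, "order": 0,
            "http_authenticator": {"type": "jwt", "challenge": False,
                                   "config": {"signing_key": "base64 encoded key",
                                              "jwt_header": "Authorization"}},
            "authentication_backend": {"type": "noop"}}}}}}


def authc_domains(config):
    return config.get("config", {}).get("dynamic", {}).get("authc") or {}


def check_authc(config):
    """Return (domain, message) findings; an empty list means securityadmin.sh
    accepts every domain and none of them is switched off for REST clients."""
    findings = []
    for name, domain in authc_domains(config).items():
        for key in sorted(set(domain) - KNOWN_DOMAIN_KEYS):  # rejected by ConfigV7
            hint = f' (did you mean "{RENAMES[key]}"?)' if key in RENAMES else ""
            findings.append((name, f'unrecognized field "{key}"{hint}'))
        if domain.get("http_enabled") is False:  # domain never sees REST requests
            findings.append((name, "http_enabled is false"))
        auth = domain.get("http_authenticator", {})
        if auth.get("type") == "jwt" and not auth.get("config", {}).get("signing_key"):
            findings.append((name, "jwt authenticator has no signing_key"))
    return findings


def rename_fields(domain):
    """Return a copy of one authc domain with the assumed renames applied."""
    return {RENAMES.get(k, k): v for k, v in domain.items()}
```

Run check_authc on the loaded file before invoking securityadmin.sh; a non-empty result is exactly the class of mistake the UnrecognizedPropertyException above reports after the other files were already uploaded.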