That would be in the config section for the Dashboard: OpenID Connect - OpenSearch Documentation
Normally these settings are only made in the security configuration file.
mmorg: /usr/share/opensearch/config/security/config.yml
Those options don’t seem to be available in that config file: OpenID Connect - OpenSearch Documentation
Then you run…
./securityadmin.sh
So I found a few mistakes I had made. I fixed those and ran that command a bunch of times, now I’m getting a 401, which is a step at least.
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
Updates:
API
Wrong directory
/usr/share/opensearch/config/security/internal_users.yml
=> /usr/share/opensearch/config/opensearch-security/internal_users.yml
Wrong directory and missing keys. The YML here threw me off because it doesn't contain the config.dynamic.authc keys.
/usr/share/opensearch/config/security/config.yml
=> /usr/share/opensearch/config/opensearch-security/config.yml
```yaml
_meta:
  type: "config"
  config_version: 2
# these keys are needed
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              # this is the last thing I tried, but it didn't work
              pemtrustedcas_filepath: /usr/share/opensearch/config/certificates/authentik.pem
            roles_key: roles
            openid_connect_url: https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration
        authentication_backend:
          type: noop
```
Docker Compose
Fixed wrong paths and added every single certificate I could think of
```yaml
services:
  opensearch-api:
    image: opensearchproject/opensearch:2.12.0
    environment:
      - "bootstrap.memory_lock=true"
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "TZ=Europe/Amsterdam"
    volumes:
      - data:/usr/share/opensearch/data
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      ## certs
      - ./certs/authentik.pem:/usr/share/opensearch/config/authentik.pem
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
      - ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
      - ./certs/node.pem:/usr/share/opensearch/config/node.pem
      - ./certs/node-key.pem:/usr/share/opensearch/config/node-key.pem
      ## security
      - ./opensearch_security_config.yml:/usr/share/opensearch/config/opensearch-security/config.yml
      - ./opensearch_security_internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml
  opensearch-dashboard:
    image: opensearchproject/opensearch-dashboards:2.12.0
    environment:
      - "TZ=Europe/Amsterdam"
    volumes:
      - ./opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
      - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/root-ca.pem
```
/usr/share/opensearch/config/opensearch.yml
```yaml
network:
  host: 0.0.0.0
discovery:
  type: single-node
plugins:
  security:
    authcz:
      # needed to be a list
      admin_dn:
        - "CN=admin,OU=SSL,O=Test,L=Test,C=NL"
    nodes_dn:
      - "CN=node,OU=SSL,O=Test,L=Test,C=NL"
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
    audit:
      type: internal_opensearch
    restapi:
      # added probably not needed
      roles_enabled:
        ["all_access", "admin", "kibanauser", "security_rest_api_access"]
    ssl:
      transport:
        enabled: true
        pemcert_filepath: admin.pem
        pemkey_filepath: admin-key.pem
        pemtrustedcas_filepath: root-ca.pem
        enforce_hostname_verification: false
        resolve_hostname: false
      # enabled this and generated certs for it with the guide on the website
      http:
        enabled: true
        pemcert_filepath: node.pem
        pemkey_filepath: node-key.pem
        pemtrustedcas_filepath: root-ca.pem
opendistro_security:
  audit:
    config:
      disabled_rest_categories: NONE
      disabled_transport_categories: NONE
```
/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
```yaml
server:
  host: "0.0.0.0"
  name: "opensearch.my-domain.com"
opensearch_security:
  auth:
    type: "openid"
  openid:
    connect_url: "https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration"
    client_id: "SNIP"
    client_secret: "SNAP"
    # added roles here and added a property mapping in authentik, added admin role to my user
    scope: "openid profile email roles"
    logout_url: "https://auth.my-domain.com/application/o/opensearch/end-session/"
    base_redirect_url: "https://opensearch.my-domain.com"
    # verify_hostnames: false
opensearch:
  hosts:
    - "https://opensearch-api:9200"
  ssl:
    # added ssl root ca for opensearch https connection
    verificationMode: certificate
    certificateAuthorities:
      - "/usr/share/opensearch-dashboards/config/root-ca.pem"
  username: "kibanaserver"
  password: "SNOOP"
```
With all this I’m stuck with a 401 error message when trying to login with Authentik OIDC. Basic auth works to get to the OpenSearch api with the kibanaserver username and password.
Last thing I did: I thought it had to do with the certificate of my IDP. It was using a letsencrypt signed certificate. I changed that to a self signed certificate, and added the cert to the opensearch container and in /usr/share/opensearch/config/opensearch-security/config.yml. Then ran:
bash plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert config/root-ca.pem -cert config/admin.pem -key config/admin-key.pem -h localhost
But still getting 401 unfortunately. Feel like I’m close but missing something
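A consistency check a practitioner could run over the three files in the post above (security config, Dashboards config, compose mounts), as an added example that is not from the thread; it assumes the files are already parsed into dicts (e.g. with yaml.safe_load), and the sample values are constructed from the post.

```python
# Added consistency check (not from the thread): compares the security config,
# the Dashboards config and the compose volume mounts on the points the post
# touches. Works on parsed dicts, so it runs without PyYAML.

def mounted_container_paths(compose_volumes):
    """Set of in-container paths from 'host:container' volume entries."""
    return {v.split(":", 1)[1] for v in compose_volumes if ":" in v}

def lint_oidc_setup(security_cfg, dashboards_cfg, mounted_paths):
    """Return a list of findings; an empty list means the files agree."""
    authc = security_cfg.get("config", {}).get("dynamic", {}).get("authc", {})
    if not authc:
        return ["security config has no config.dynamic.authc section"]
    oidc_domains = [d for d in authc.values()
                    if d.get("http_authenticator", {}).get("type") == "openid"]
    if not oidc_domains:
        return ["no authc domain with http_authenticator.type: openid"]
    oidc = oidc_domains[0]["http_authenticator"].get("config", {})
    findings = [f"openid http_authenticator.config lacks {k}"
                for k in ("subject_key", "roles_key", "openid_connect_url")
                if k not in oidc]
    idp = oidc.get("openid_connect_idp", {})
    ca = idp.get("pemtrustedcas_filepath")
    if idp.get("enable_ssl") and ca and ca not in mounted_paths:
        findings.append(f"pemtrustedcas_filepath {ca} is not a mounted file")
    dash = dashboards_cfg.get("opensearch_security", {}).get("openid", {})
    if dash.get("connect_url") != oidc.get("openid_connect_url"):
        findings.append("connect_url differs between Dashboards and security config")
    if "openid" not in dash.get("scope", "").split():
        findings.append("Dashboards scope does not request 'openid'")
    return findings

# Constructed sample: URL, CA path, mounts and scope copied from the post above.
OIDC_URL = "https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration"
SECURITY_CFG = {"config": {"dynamic": {"authc": {"openid_auth_domain": {
    "http_authenticator": {"type": "openid", "config": {
        "subject_key": "preferred_username", "roles_key": "roles",
        "openid_connect_url": OIDC_URL,
        "openid_connect_idp": {"enable_ssl": True, "verify_hostnames": False,
            "pemtrustedcas_filepath": "/usr/share/opensearch/config/certificates/authentik.pem"}}}}}}}}
DASHBOARDS_CFG = {"opensearch_security": {"openid": {
    "connect_url": OIDC_URL, "scope": "openid profile email roles"}}}
COMPOSE_VOLUMES = ["./certs/authentik.pem:/usr/share/opensearch/config/authentik.pem",
                   "./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem"]

def run_sample():
    """Findings for the sample; flags the CA path that is not actually mounted."""
    return lint_oidc_setup(SECURITY_CFG, DASHBOARDS_CFG,
                           mounted_container_paths(COMPOSE_VOLUMES))
```

On the sample it reports that the pemtrustedcas_filepath under config/certificates/ is not among the mounted files, while the compose file mounts the same PEM directly under config/.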