Initial Setup Security Plugin Error

Versions: OpenSearch Dashboards 2.8.0 (tarball installation)

Describe the issue:
After setting up OpenSearch Dashboards I got it to connect to my OpenSearch instance.
But during startup the following error message shows in the log:
error: 'no handler found for uri [/_plugins/_security/tenantinfo] and method [GET]

And of course if I try to authenticate on the webpage I get an error:
Invalid username or password. Please try again.
And in the log:
Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]

Configuration:
opensearch_dashboards.yml:
server.port: 5601
server.host: "xxxxx"
server.name: "opensearch-dashboard-test"
opensearch.hosts: "http://xxxxx"
server.ssl.enabled: false

opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false

Tried to find a solution in the forum and Google, but found nothing that helped.

Do I have to set up TLS or is there a way without it? Or is there just an issue with my config?
I have not touched any other file so far.

@illi Did you disable the tenancy in config.yml?
Please share the config.yml file.

@illi Please also share the output of the below commands.

curl --insecure -u admin:admin -XGET https://<opensearch_node_IP_or_FQDN>:9200
curl --insecure -u admin:admin -XGET https://<opensearch_node_IP_or_FQDN>:9200/_cat/nodes

Hi Pablo, thanks in advance for helping here.

Here are the outputs:

curl --insecure -u admin:admin -XGET http://172.28.110.135:9202
{
  "name" : "DBETEST2",
  "cluster_name" : "Test_Cluster",
  "cluster_uuid" : "MiJUx7f3Q0uOTnpitqoh_Q",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.8.0",
    "build_type" : "tar",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

curl --insecure -u admin:admin -XGET http://172.28.110.135:9202/_cat/nodes
172.28.110.135 43 94 10 0.51 0.37 0.30 dimr data,ingest,master,remote_cluster_client * DBETEST2

I’m not sure where the tenancy config.yml is. I tried finding it in the opensearch-dashboards-2.8.0 directory, but only found the following. Do I have to set it up somewhere?

find -name config.yml
./node_modules/@osd/apm-config-loader/__fixtures__/config.yml
./node_modules/@osd/config/__fixtures__/config.yml
./node_modules/nano-css/.circleci/config.yml
./plugins/anomalyDetectionDashboards/node_modules/react-plotly.js/.circleci/config.yml
./plugins/customImportMapDashboards/node_modules/@opensearch-dashboards-test/opensearch-dashboards-test-library/ISSUE_TEMPLATE/config.yml
./plugins/ganttChartDashboards/node_modules/react-plotly.js/.circleci/config.yml
./plugins/observabilityDashboards/node_modules/react-plotly.js/.circleci/config.yml

And if you mean in the opensearch_dashboards.yml it’s currently set.
If I set it like this:

opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: [Global]

I don’t get the first error message, but still can’t log in due to:

Invalid username or password. Please try again.
And in the log:
{"type":"log","@timestamp":"2023-08-02T09:39:41Z","tags":["error","plugins","securityDashboards"],"pid":17071,"message":"Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]"}

Current version of my opensearch_dashboards.yml

server.port: 5601
server.host: "145.228.243.125"
server.name: "opensearch-dashboard"
opensearch.hosts: "http://172.28.110.135:9202"
server.ssl.enabled: false

opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization]

opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: [Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false

@illi The config.yml file is located in the OpenSearch node at
/usr/share/opensearch/config/opensearch-security/

Also, please share opensearch.yml file.

OpenSearch node:
opensearch.yml

bootstrap:
  memory_lock: true
cluster:
  name: Test_Cluster
node:
  name: DBETEST2
  master: true
  data: true
path:
  logs: /DBA/nest/opensearch/DBETEST2/logs
  data: /DBD/elastic
network:
  host: 172.28.110.135
http:
 port: 9202
transport:
 tcp:
   port: 9302
   compress: true
discovery.type: single-node
gateway:
  recover_after_time: 1s
plugins.security.disabled: true

The config.yml in opensearch-security is completely untouched. If you want I can post it anyway.

So do I have to set up everything security related on the OpenSearch node itself?

@illi The security plugin in the OpenSearch node is disabled, that’s why you get the reported errors.

Is there a way to enable the security plugin without the use of SSL?

@illi Yes and no. SSL is mandatory at the transport layer (9300-9400) and it is optional at the API layer (9200). However, to change the configuration of the security plugin after the cluster deployment, at least one OpenSearch node with a secured API is required to use the securityadmin.sh script.

Thanks for your help, Pablo.
From here I should be able to continue. I was hoping I could avoid all the TLS stuff, but it seems that I can no longer work around it.
Time to dive in that rabbit hole. :smile:

@illi One more thing. Initially, you reported that you can’t authenticate with OpenSearch Dashboards.
Please be aware that OpenSearch Dashboards doesn’t contain any users or roles. All security configuration is placed in the .opendistro_security index and managed by OpenSearch and its security plugin.
If you’d like to have authentication enabled in OpenSearch Dashboards, you must enable the security plugin in OpenSearch.


@illi If you have any issues related to the security plugin configuration, please open another thread in this category and the community will try to help you.

If this is a test environment, you might consider using install_demo_configuration.sh located at /usr/share/opensearch/plugins/opensearch-security/tools.
This will enable security in OpenSearch with demo configuration and demo certificates.


I’m facing the same issue. I want to disable SSL to my local containerized OpenSearch API but I want to use the dashboard. Have you been able to figure this out?

@afromobile Disabling SSL at the API endpoint is not the same as disabling the security plugin.
You can use the security plugin and disable SSL at the API endpoint by setting plugins.security.ssl.http.enabled to false in opensearch.yml.

In opensearch_dashboards.yml, use HTTP instead of HTTPS to the OpenSearch node.

opensearch.hosts: ["http://<OpenSearch_node>:9200"]
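The diagnosis reached in this thread, as an added example that is not part of any post or of the OpenSearch project: a Python check that reads opensearch.yml and opensearch_dashboards.yml and reports a disabled security plugin on the node, a hosts scheme that disagrees with plugins.security.ssl.http.enabled, and a password equal to the username. The function names and finding labels are assumptions, and the flattener handles only the simple YAML shapes posted above.

```python
def flatten_yaml(text):
    """Flatten simple YAML (nested maps, dotted keys, scalars, inline lists)
    into {"dotted.key": "value"}. Enough for these two files; not a YAML parser."""
    out, parents = {}, []                      # parents: (indent, key) of open maps
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()     # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (p.strip() for p in line.strip().partition(":"))
        while parents and parents[-1][0] >= indent:
            parents.pop()                      # leave maps that are no longer open
        value = value.strip("[]").strip().strip("\"'")
        if value:
            out[".".join([k for _, k in parents] + [key])] = value
        else:
            parents.append((indent, key))      # key with no value opens a nested map
    return out

def audit(opensearch_yml, dashboards_yml):
    """Return findings for a node/Dashboards pair (labels are hypothetical)."""
    node, osd = flatten_yaml(opensearch_yml), flatten_yaml(dashboards_yml)
    findings = []
    disabled = node.get("plugins.security.disabled", "false").lower() == "true"
    if disabled and any(k.startswith("opensearch_security.") for k in osd):
        findings.append("SECURITY_DISABLED: node has plugins.security.disabled: true; "
                        "/_plugins/_security/* has no handler and the REST API is unauthenticated")
    http_tls = node.get("plugins.security.ssl.http.enabled")
    hosts = osd.get("opensearch.hosts", "")
    if not disabled and http_tls is not None:
        if (http_tls.lower() == "true") != hosts.startswith("https://"):
            findings.append("SCHEME_MISMATCH: opensearch.hosts scheme does not match "
                            "plugins.security.ssl.http.enabled")
    password = osd.get("opensearch.password")
    if password and password == osd.get("opensearch.username"):
        findings.append("WEAK_CREDENTIAL: opensearch.password equals opensearch.username")
    return findings

# Constructed inputs, trimmed from the files posted in the thread.
NODE = "http:\n port: 9202\ndiscovery.type: single-node\nplugins.security.disabled: true\n"
DASHBOARDS = ('opensearch.hosts: "http://172.28.110.135:9202"\n'
              "opensearch.username: kibanaserver\nopensearch.password: kibanaserver\n"
              "opensearch_security.multitenancy.enabled: false\n")

if __name__ == "__main__":
    for finding in audit(NODE, DASHBOARDS):
        print(finding)
```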