Is Kerberos only supported for OpenSearch, not OpenSearch Dashboards?

Hi,

I am a bit confused by the documentation because it states that Kerberos is supported. But unlike for e.g. OpenID or SAML there is no documentation how to configure OpenSearch Dashboards to support it. Specifically there is no mention for the setting “plugins.security.auth.type” in opensearch_dashboards.yml.

I got it working for OpenSearch and can use curl or even the browser to authenticate with it directly. But I cannot get OpenSearch Dashboards to use Kerberos negotiation for authentication. Basic auth is working fine for direct connections and OpenSearch Dashboards.

Regards,
Carl

Hi @cburger

According to OpenSearch-Dashboards response, it is not supported.

{“type”:“log”,“@timestamp”:“2021-07-30T16:06:50Z”,“tags”:[“fatal”,“root”],“pid”:1,“message”:“Error: Unsupported authentication type: kerberos\n
at getAuthenticationHandler (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:75:13)\n
at SecurityPlugin.setup (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/plugin.ts:110:39)”}
{“type”:“log”,“@timestamp”:“2021-07-30T16:06:50Z”,“tags”:[“info”,“plugins-system”],“pid”:1,“message”:“Stopping all plugins.”}

FATAL Error: Unsupported authentication type: kerberos

0 exited with code 1

I know that you get this response if you try to put “kerberos” into the config file, you get this response for every string you put there apart from “basicauth”, “openid”, “proxy”, “jwt” or “saml”. But it used to work in the past (I think up until OpenDistro 1.3). You can still find remnants of this in the code of the security dashboard plugin. And wheneever there is communication about OpenSearch Kerberos is mentioned as one of the supported authentication methods. It does not really make sense to support it only on OpenSearch but not OpenSearch Dashboards like the other ones.

I really would like to read some official statement about this. It is driving me nuts!

@cburger

I’ve found version 1.10 as the first one reporting unsupported status.
If you’re looking for the official statement from the Dev team, I think GitHub would be the best place to ask.