I am using the last version of aws Opensearch.
I want to add a dashboard report in a html page using a tehnical user, so the user should not introduce the password.
I am thinking I should use a token.
/_security/oauth2/token or
/_plugins/_security/api/generateonbehalfoftoken
are not working in AWS (Google said : _security is likely related to X-Pack which is not available on AWS.)
/_opendistro/_security/api/authtoken is just returning ok, without a token.
How are you using JWT Token in opensearch AWS? Should I generate a token in backend and the token will be evaluated in Opensearch and login page is skipped?
Hi @constantin,
Have you configured your jwt_auth_domain in config.yml as per JSON Web Token - OpenSearch Documentation
would you mind running the following and sharing the output:
curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty
Best,
mj
thank you for your answer:
{
“config”: {
“dynamic”: {
“filtered_alias_mode”: “warn”,
“disable_rest_auth”: false,
“disable_intertransport_auth”: false,
“respect_request_indices_options”: false,
“kibana”: {
“multitenancy_enabled”: true,
“private_tenant_enabled”: true,
“default_tenant”: “”,
“server_username”: "Amazon…,
“index”: “.kibana”,
“sign_in_options”: [
“BASIC”
]
},
“http”: {
“anonymous_auth_enabled”: false,
“xff”: {
“enabled”: false,
“internalProxies”: "10\.\d{1,3}…
“remoteIpHeader”: “X-Forwarded-For”
}
},
“authc”: {
“jwt_auth_domain”: {
“http_enabled”: true,
“order”: 0,
“http_authenticator”: {
“challenge”: false,
“type”: “jwt”,
“config”: {
“signing_key”: “-----BEGIN PUBLIC KEY-----\nMIICIjAN…Q==-----END PUBLIC KEY-----”,
“jwt_header”: “Authorization”,
“jwt_clock_skew_tolerance_seconds”: 20,
“roles_key”: “roles”,
“subject_key”: “sub”
}
},
“authentication_backend”: {
“type”: “noop”,
“config”: {}
}
},
“basic_internal_auth_domain”: {
“http_enabled”: true,
“order”: 4,
“http_authenticator”: {
“challenge”: true,
“type”: “basic”,
“config”: {}
},
“authentication_backend”: {
“type”: “intern”,
“config”: {}
},
“description”: “Authenticate via HTTP Basic against internal users database”
}
},
“authz”: {},
“auth_failure_listeners”: {},
“do_not_fail_on_forbidden”: false,
“multi_rolespan_enabled”: true,
“hosts_resolver_mode”: “ip-only”,
“do_not_fail_on_forbidden_empty”: false,
“on_behalf_of”: {
“enabled”: false
}
}
}
}
should I use the key to generate the token?
no…
Have you considered using:
POST /_plugins/_security/api/generateonbehalfoftoken
Best,
mj
How are you using JWT Token in opensearch AWS?
In the Amazon OpenSearch Service, you need to generate your own JWT in whatever system you use that issues JWTs. The security plugin won’t issue a JWT in Amazon Managed Service.
In the AWS console, go to the Security Configuration tab and enter a verification key (public key) for a JWT. In another system issue a JWT and sign it with the private key that pairs with the public key and you can use that to authenticate requests against the search endpoint. Please note that the token can be used to make requests against the cluster, but cannot be used to log into dashboards.
Both /_security/oauth2/token and /_plugins/_security/api/generateonbehalfoftoken are not available to use in the Amazon Managed Service. These would be available in self-managed clusters.