Hi all.
I successfully managed to set up an OpenSearch Cluster with SAML authc and LDAP authz.
Setup: OS 1.2.3 tarball installation on Debian buster.
config/opensearch.yml:
cluster.name: log
node.name: log1
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
path.repo: ["/var/lib/opensearch-snapshot"]
network.host: 0.0.0.0
discovery.seed_hosts: ['10.xx.3', '10.xx.4', '10.xx.5']
cluster.initial_master_nodes: ['log1', 'log2', 'log3']
plugins.security.ssl.transport.pemcert_filepath: my-esnode.pem
plugins.security.ssl.transport.pemkey_filepath: my-esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: my-root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.truststore_filepath: cacerts
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: my-esnode.pem
plugins.security.ssl.http.pemkey_filepath: my-esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: my-root-ca.pem
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- "CN=log...,C=DE"
plugins.security.nodes_dn:
- "CN=log2...,C=DE"
- "CN=log3...,C=DE"
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_storage_nodes: 3
plugins/opensearch-security/securityconfig/config.yml:
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: saml_idp.xml
              entity_id: "https://oauth.xxx"
            sp:
              entity_id: "https://log1.xxx"
              signature_private_key_filepath: saml_sign.pem
              signature_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
            kibana_url: "https://kibana.xxx:5601"
            roles_key: Role
            exchange_key: "xxx"
        authentication_backend:
          type: noop
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - ldap....:636
            bind_dn: cn=...,dc=com
            password: xxx
            rolebase: 'ou=...,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: false
            userbase: 'ou=xxx,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - kibanaserver
Everything was working. I was able to update the security config with my own signed certificates.
Somehow I locked myself out. Today I tried to change the LDAP bind user, but I am not able to write the config any more:
$ ./securityadmin.sh
Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=log...,C=DE
OpenSearch Version: 1.2.3
OpenSearch Security Version: 1.2.3.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: no permissions for [cluster:monitor/health] and User [name=CN=log...,C=DE, backend_roles=[], requestedTenant=null]. This is not an error, will keep on trying ...
Root cause: OpenSearchSecurityException[no permissions for [cluster:monitor/health] and User [name=CN=log...,C=DE, backend_roles=[], requestedTenant=null]] (org.opensearch.OpenSearchSecurityException/org.opensearch.OpenSearchSecurityException)
* Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
* Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml
* If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
* Add --accept-red-cluster to allow securityadmin to operate on a red cluster.
Dashboards & OpenSearch are still working.
$ curl -XGET https://log1:9200/_cluster/health -u 'admin' --insecure
Enter host password for user 'admin':
{"cluster_name":"log","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":3,"discovered_master":true,"active_primary_shards":21,"active_shards":44,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}
How can I update my security config now?
Best regards,
Sebastian
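Added as an example for this thread (not Sebastian's code and not part of OpenSearch or securityadmin.sh): a small check that tells you whether the DN securityadmin.sh reports after "Connected as" will be treated as an admin, a node, or a plain user, given the admin_dn and nodes_dn entries in opensearch.yml. The YAML sample and its DNs are constructed, and the DN normalization used for the comparison is an assumption.

```python
"""Which identity OpenSearch Security assigns to a TLS client certificate.

The plugin treats a cert as admin only if its subject DN matches an entry in
plugins.security.authcz.admin_dn; a DN in plugins.security.nodes_dn is a node
cert; any other DN becomes an ordinary user with backend_roles=[], as in the
post's error. Diagnostic written for this thread, not part of OpenSearch.
"""
import re

# Constructed sample in the shape of the post's opensearch.yml (DNs made up).
SAMPLE_YML = """\
plugins.security.authcz.admin_dn:
- "CN=log-admin,O=Example,C=DE"
plugins.security.nodes_dn:
- "CN=log2,O=Example,C=DE"
- "CN=log3,O=Example,C=DE"
"""

def dn_lists(yml_text):
    """Return {'admin_dn': [...], 'nodes_dn': [...]} from opensearch.yml text.
    Minimal parser for these two list-valued keys, so no PyYAML is needed."""
    lists, current = {"admin_dn": [], "nodes_dn": []}, None
    for line in yml_text.splitlines():
        key = re.fullmatch(r"plugins\.security\.(authcz\.admin_dn|nodes_dn):\s*", line)
        if key:
            current = key.group(1).split(".")[-1]
        elif current and line.lstrip().startswith("- "):
            lists[current].append(line.lstrip()[2:].strip().strip("\"'"))
        else:
            current = None
    return lists

def normalize_dn(dn):
    """Comparison form: split on unescaped commas, trim each RDN, lower-case the
    attribute type. Assumption: RDN order and value case must still match."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(f"{t.strip().lower()}={v.strip()}"
                    for t, _, v in (r.strip().partition("=") for r in rdns))

def classify(connected_as, yml_text):
    """Map the DN securityadmin prints after 'Connected as' to 'admin', 'node'
    (node cert, not a client cert) or 'user' (no roles, so no cluster:monitor/health)."""
    lists = dn_lists(yml_text)
    dn = normalize_dn(connected_as)
    if dn in [normalize_dn(d) for d in lists["admin_dn"]]:
        return "admin"
    if dn in [normalize_dn(d) for d in lists["nodes_dn"]]:
        return "node"
    return "user"
```

Run it with the DN from your own securityadmin output and your real opensearch.yml text; a result other than "admin" explains the `backend_roles=[]` user in the error above.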