Hi @abhyankar,
The first thing to address is that your OPENSEARCH_INITIAL_ADMIN_PASSWORD
is too weak. I believe it is too short; I cannot find the exact requirements, but it has to be a strong password. You can find more info here: security/DEVELOPER_GUIDE.md at main · opensearch-project/security · GitHub
Moreover, you will need to specify the following (in your values.yml):
# `data: {}` is an empty map: none of the security files named below is
# supplied until its key is uncommented and given content as a block scalar.
data: {}
# config.yml: |-
# internal_users.yml: |-
# roles.yml: |-
# roles_mapping.yml: |-
# action_groups.yml: |-
# tenants.yml: |-
Please see some guidance (demo) for the .yml
files here: Modifying the YAML files - OpenSearch Documentation
Here is some sample data that I’ve used in the past if that helps:
# Sample security configuration for values.yml: each key under `data` holds
# the text of one security plugin file as a block scalar. The original paste
# lost its indentation; the nesting below is reconstructed and should be
# checked against the linked documentation before use.
data:
  # config.yml: two authentication domains. openid_auth_domain (order 0) is
  # placed ahead of basic_internal_auth_domain (order 1); both set
  # challenge: false. Anonymous access and X-Forwarded-For handling are off.
  # `tenantid` in openid_connect_url is a placeholder for your own tenant ID.
  # NOTE(review): the nesting level of skip_users could not be recovered from
  # the paste; it is shown under http_authenticator.config. Confirm where it
  # belongs before relying on it.
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
            remoteIpHeader: 'x-forwarded-for'
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 1 # Must set to 1 to prevent logs flooding with warnings
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0 # Must set to 0 to precede basic authentication or logs will flood with warnings
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: email # Users will be able to login with email and show it as username
                roles_key: roles # Use roles from App registrations, do not set to groups.
                openid_connect_url: https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration # App registration IDP metadata file URL
                skip_users:
                  - admin
                  - kibanaserver
                  - kibanaro
                  - logstash
                  - readall
                  - snapshotrestore
            authentication_backend:
              type: noop # Here we disable authentication backend since we will be using Azure AD for that
  # internal_users.yml: every account here is labelled a demo user.
  # NOTE(review): the hashes look like the ones shipped with the demo
  # configuration, whose passwords are publicly documented. Confirm this, and
  # generate a fresh bcrypt hash (plugin/tools/hash.sh) for each account you
  # keep; delete the accounts you do not need. Once real hashes are in place
  # the values file carries credentials material, so store and share it as a
  # secret rather than as ordinary configuration.
  internal_users.yml: |-
    ---
    # This is the internal user database
    # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
    _meta:
      type: "internalusers"
      config_version: 2
    # Define your internal users here
    ## Demo users
    admin:
      hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
      reserved: true
      backend_roles:
        - "admin"
      description: "Demo admin user"
    anomalyadmin:
      hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
      reserved: false
      opendistro_security_roles:
        - "anomaly_full_access"
      description: "Demo anomaly admin user, using internal role"
    kibanaserver:
      hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
      reserved: true
      description: "Demo OpenSearch Dashboards user"
    kibanaro:
      hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
      reserved: false
      backend_roles:
        - "kibanauser"
        - "readall"
      attributes:
        attribute1: "value1"
        attribute2: "value2"
        attribute3: "value3"
      description: "Demo OpenSearch Dashboards read only user, using external role mapping"
    logstash:
      hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
      reserved: false
      backend_roles:
        - "logstash"
      description: "Demo logstash user, using external role mapping"
    readall:
      hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
      reserved: false
      backend_roles:
        - "readall"
      description: "Demo readall user, using external role mapping"
    snapshotrestore:
      hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
      reserved: false
      backend_roles:
        - "snapshotrestore"
      description: "Demo snapshotrestore user, using external role mapping"
  # roles.yml: reserved alerting, anomaly-detection and reports roles plus one
  # custom role, SYSTEME_ABC-XYZ, which grants 'read' and 'kibana_all_read' on
  # three index patterns. Two of those patterns contain wildcards; check that
  # 'abc*logs-socles*' and 'abc*logs-2*' match only the indices this role is
  # meant to read. The alerting and anomaly full-access roles apply their
  # index actions to the pattern "*".
  roles.yml: |-
    ---
    _meta:
      type: "roles"
      config_version: 2
    alerting_ack_alerts:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/alerting/alerts/*"
    alerting_full_access:
      reserved: true
      cluster_permissions:
        - "cluster_monitor"
        - "cluster:admin/opendistro/alerting/*"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "indices_monitor"
            - "indices:admin/aliases/get"
            - "indices:admin/mappings/get"
    anomaly_read_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/ad/detector/info"
        - "cluster:admin/opendistro/ad/detector/search"
        - "cluster:admin/opendistro/ad/detectors/get"
        - "cluster:admin/opendistro/ad/result/search"
    anomaly_full_access:
      reserved: true
      cluster_permissions:
        - "cluster_monitor"
        - "cluster:admin/opendistro/ad/*"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "indices_monitor"
            - "indices:admin/aliases/get"
            - "indices:admin/mappings/get"
    reports_instances_read_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/reports/instance/list"
        - "cluster:admin/opendistro/reports/instance/get"
        - "cluster:admin/opendistro/reports/menu/download"
    reports_read_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/reports/definition/get"
        - "cluster:admin/opendistro/reports/definition/list"
        - "cluster:admin/opendistro/reports/instance/list"
        - "cluster:admin/opendistro/reports/instance/get"
        - "cluster:admin/opendistro/reports/menu/download"
    reports_full_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/reports/definition/create"
        - "cluster:admin/opendistro/reports/definition/update"
        - "cluster:admin/opendistro/reports/definition/on_demand"
        - "cluster:admin/opendistro/reports/definition/delete"
        - "cluster:admin/opendistro/reports/definition/get"
        - "cluster:admin/opendistro/reports/definition/list"
        - "cluster:admin/opendistro/reports/instance/list"
        - "cluster:admin/opendistro/reports/instance/get"
        - "cluster:admin/opendistro/reports/menu/download"
    SYSTEME_ABC-XYZ:
      reserved: false
      hidden: false
      cluster_permissions:
        - 'cluster_composite_ops'
      index_permissions:
        - index_patterns:
            - 'abc*logs-socles*'
          fls: []
          dls: ""
          masked_fields: []
          allowed_actions:
            - 'read'
            - 'kibana_all_read'
        - index_patterns:
            - 'abc*logs-2*'
          fls: []
          dls: ""
          masked_fields: []
          allowed_actions:
            - 'read'
            - 'kibana_all_read'
        - index_patterns:
            - '.kibana'
          fls: []
          dls: ""
          masked_fields: []
          allowed_actions:
            - 'read'
            - 'kibana_all_read'
  # roles_mapping.yml: maps backend roles and users to security roles.
  # all_access is granted to the backend role "admin". With roles_key: roles
  # set in config.yml, presumably a token carrying an app role named "admin"
  # maps to all_access as well, so keep that app role tightly assigned
  # (verify against your IdP setup). own_index lists users "*", so it is not
  # limited to named users. Nothing here maps the custom SYSTEME_ABC-XYZ role
  # from roles.yml to any user or backend role.
  roles_mapping.yml: |-
    ---
    # In this file users, backendroles and hosts can be mapped to Security roles.
    # Permissions for OpenSearch roles are configured in roles.yml
    _meta:
      type: "rolesmapping"
      config_version: 2
    # Define your roles mapping here
    ## Demo roles mapping
    all_access:
      reserved: false
      backend_roles:
        - "admin"
      description: "Maps admin to all_access"
    own_index:
      reserved: false
      users:
        - "*"
      description: "Allow full access to an index named like the username"
    logstash:
      reserved: false
      backend_roles:
        - "logstash"
    kibana_user:
      reserved: false
      backend_roles:
        - "kibanauser"
      description: "Maps kibanauser to kibana_user"
    readall:
      reserved: false
      backend_roles:
        - "readall"
    manage_snapshots:
      reserved: false
      backend_roles:
        - "snapshotrestore"
    kibana_server:
      reserved: true
      users:
        - "kibanaserver"
  # action_groups.yml: only the _meta header; no custom action groups are
  # defined.
  action_groups.yml: |-
    _meta:
      type: "actiongroups"
      config_version: 2
  # tenants.yml: one demo tenant, admin_tenant.
  tenants.yml: |-
    ---
    _meta:
      type: "tenants"
      config_version: 2
    # Define your tenants here
    ## Demo tenants
    admin_tenant:
      reserved: false
      description: "Demo tenant for admin user"
Best,
mj