OpenSearch Dashboards, Keycloak and Google - TOO MANY REDIRECTIONS

Does anyone have a tutorial on how to configure it?

Steps:
OpenSearch (1) → Keycloak (2) → Google authentication (OpenID) (3) → Keycloak (4) → OpenSearch (5)?
I mean, I have steps 1, 2 and 3 working, but at steps 4 and 5 I get "Too many redirections". Which is the right callback URL?

config.yml

    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak.mycompany.com/auth/realms/RealmGoogle/.well-known/openid-configuration
            openid_connect_idp.enable_ssl: true
            openid_connect_idp.verify_hostnames: false
            skip_users:
              - kibanaro
              - kibanaserver
              - admin
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

opensearch_dashboards.yml

server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]


# Auth
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://keycloak.mycompany.com/auth/realms/RealmGoogle/.well-known/openid-configuration"
#opensearch_security.openid.client_id: "REDACT.apps.googleusercontent.com"
#opensearch_security.openid.client_secret: "REDACT"
opensearch_security.openid.client_id: "osearch"
opensearch_security.openid.client_secret: "REDACT"

opensearch_security.openid.base_redirect_url: "https://osearch.mycompany.com/app/login/"
opensearch_security.openid.logout_url: "https://keycloak.mycompany/auth/realms/RealmGoogle/protocol/openid-connect/logout"
opensearch_security.openid.header: "Authorization"
opensearch_security.openid.scope: "openid profile email"

Thanks

@aamarques
I just got the keycloak working with google auth and have a question,

base_redirect_url → in my case since I’m redirecting back to OSDashboards my config line reads:
opensearch_security.openid.base_redirect_url: "http://opensearchdashboards.com:5601"

In your case I see you are pointing to /app/login/ and without the port, I’m assuming you are running behind a LB of some kind, directing the traffic from 80 to 5601?

Hi @Anthony. Yes, I was behind a GCP LB directing traffic to 5601, but now I have turned that configuration off and I'm using HTTP on port 5601, and I get the same result.

server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]


# Auth
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://keycloak.mycompany.com/auth/realms/Google/.well-known/openid-configuration"
opensearch_security.openid.client_id: "osearch"
opensearch_security.openid.client_secret: "REDACT"

opensearch_security.openid.base_redirect_url: "http://osearch.mycompany.com:5601"
opensearch_security.openid.logout_url: "https://keycloak.mycompany.com/auth/realms/Google/protocol/openid-connect/logout"
opensearch_security.openid.header: "Authorization"

Could you send me your keycloak Client configuration? I think this is misconfigured and I have a little bit of experience with it.

Here’s my config :man_facepalming:

Thanks again

Just in case: I have configured Keycloak Identity Providers using the social Google provider, and after the Google login my user is imported into Keycloak (Sync Mode = Import in the IdP config).

Also, I have noticed that after login the redirect is appended with /auth/openid/login?.... I tried to use the http://osearch.mycompany.com:5601/api/security/oidc/callback endpoint, but /auth/openid/login is still added:

http://osearch.mycompany.com.cc:5601/api/security/oidc/callback/auth/openid/login?state=9bb.....U&code=e1f.....-7...4#

Using the callback endpoint stops the infinite loop, but I get Unauthorized:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

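The question running through this thread is what `base_redirect_url` should be and what Keycloak must have registered for it. Two things the posts above establish: the Dashboards security plugin appends `/auth/openid/login` to `base_redirect_url` to form the OAuth `redirect_uri` (which is why the `/api/security/oidc/callback` attempt turned into `.../api/security/oidc/callback/auth/openid/login`), and Keycloak rejects an authorization request whose `redirect_uri` is not covered by the client's Valid Redirect URIs. The script below is an added example by the editor, not code from the thread, from OpenSearch or from Keycloak. It derives the `redirect_uri` the plugin will send, mimics Keycloak's exact-or-trailing-wildcard matching rule, and flags wildcard entries that cover a whole origin, because such an entry lets any path on that host receive the authorization code. Dropping a trailing slash from `base_redirect_url` before appending is an assumption; the hostnames are the ones from the posts.

```python
from urllib.parse import urlsplit

# Path the OpenSearch Dashboards security plugin appends to base_redirect_url
# for the OIDC code callback (seen in the redirected URLs quoted in the thread).
CALLBACK_PATH = "/auth/openid/login"


def expected_redirect_uri(base_redirect_url: str) -> str:
    """Return the redirect_uri Dashboards will send to Keycloak.

    Assumption (not confirmed by the thread): a trailing slash on
    base_redirect_url is dropped so the result contains a single slash.
    """
    return base_redirect_url.rstrip("/") + CALLBACK_PATH


def keycloak_redirect_allowed(registered: list, redirect_uri: str) -> bool:
    """Mimic Keycloak's 'Valid Redirect URIs' rule: an entry matches the
    request exactly, or as a prefix when the entry ends with '*'."""
    for entry in registered:
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return True
        elif redirect_uri == entry:
            return True
    return False


def risky_entries(registered: list) -> list:
    """Flag wildcard entries that cover a whole origin (or every origin).

    With such an entry an attacker can pick any path on the host as
    redirect_uri, so a code intended for Dashboards can land elsewhere.
    """
    flagged = []
    for entry in registered:
        if entry == "*" or entry.endswith("://*"):
            flagged.append(entry)
            continue
        if entry.endswith("*"):
            # '.../*' or 'https://host*' has an empty or root path before '*'
            path = urlsplit(entry[:-1]).path
            if path in ("", "/"):
                flagged.append(entry)
    return flagged


def check_redirect_config(base_redirect_url: str, registered: list) -> dict:
    """Combine the three checks for one Dashboards/Keycloak pairing."""
    uri = expected_redirect_uri(base_redirect_url)
    return {
        "redirect_uri": uri,
        "allowed": keycloak_redirect_allowed(registered, uri),
        "risky": risky_entries(registered),
    }


if __name__ == "__main__":
    # Values taken from the two configurations posted in the thread.
    for base in ("http://osearch.mycompany.com:5601",
                 "https://osearch.mycompany.com/app/login/"):
        # Hypothetical Keycloak client entries, one exact and one too broad.
        for registered in (["http://osearch.mycompany.com:5601/auth/openid/login"],
                           ["http://osearch.mycompany.com:5601/*"]):
            print(base, registered, check_redirect_config(base, registered))
```

Run it with the exact `base_redirect_url` from `opensearch_dashboards.yml` and the entries from the Keycloak client's Valid Redirect URIs; `allowed` must be true and `risky` empty, and the printed `redirect_uri` should be the one you see in the browser's address bar when the callback is hit.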

@aamarques
My keycloak looks similar to yours:

and the Google IdP setup is the basic one:

On the google side, I went with test mode and manually added the test user and added the authorised domain as opensearchdashboards.com

Hi @Anthony. Thanks for your time.

I'm running Keycloak 11.0.0 and upgraded to 15.0.2, and it's still the same.
I have the same Keycloak configuration as yours (besides the URL, of course).
The only difference between our configurations is that I generated the Google client ID and secret in console.google.com (APIs & Services → OAuth 2.0 Client IDs).

There is a URI pointing to the Google IdP that I have configured in Keycloak, and that is where the Client ID and the Client Secret are: https://keycloak.mycompany.com/auth/realms/Google/broker/google/endpoint
This part IMO is ok.

Here is the login page:

The Google authentication process is OK and validates my account, password and MFA. The problems begin after this step.

Then this URL appears: https://accounts.google.pt/accounts/SetSID

and finally I'm still getting TOO MANY REDIRECTIONS :frowning:

No more ideas.

@aamarques Have you tried increasing the logging in case there is some insight, using:

PUT /_cluster/settings
{"transient":{"logger._root":"DEBUG"}}

Also, are there any logs from keycloak side when the redirection is taking place?

No… I can't log in to OpenSearch :slight_smile:

But there's something strange that may be the path to discovering the problem.

I have altered anonymous access to true in config.yml:
anonymous_auth_enabled: true

And after I finish the Google login I get anonymous access. Maybe this is related to a claim in the Google JWT?

Thanks for not forgetting me :slight_smile:

@aamarques but you don’t need access to opensearch, you can run the command via normal curl.

It would look something like this:
curl -u admin:admin --insecure -X PUT "https://localhost:9200/_cluster/settings" -H "Content-Type:application/json" -d '{"transient":{"logger._root":"TRACE"}}'

I’d recommend using DEBUG first, as TRACE is extremely verbose.

Also, can you comment out the lines below in config.yml, in case they're not present in the JWT:

subject_key: preferred_username
roles_key: roles

Do you have access to keycloak logs?
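Rather than guessing whether `preferred_username` and `roles` are in the token, decode the id_token and look; note that `claims_supported` in the discovery document lists what the realm can emit, not what a particular client's token actually contains. The following is an added example by the editor, not code from the thread or from the OpenSearch project. It builds a constructed Keycloak-style id_token (HS256 with a made-up secret so it runs offline; a real Keycloak token is RS256 and the security plugin verifies it against the JWKS advertised by the discovery document at `openid_connect_url`), verifies the signature before trusting any claim, and reports which of the configured `subject_key`/`roles_key` claims are absent. The claim values and the secret are constructed. One caveat a Keycloak user would want: by default realm roles are nested under `realm_access.roles`, so a top-level `roles` claim for `roles_key: roles` needs a protocol mapper on the client or a client scope that produces it.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample, modelled on what a Keycloak realm from this thread would
# issue; values are made up.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.mycompany.com/auth/realms/Google",
    "aud": "osearch",
    "sub": "5f1c7e2a-0000-4000-8000-000000000001",
    "preferred_username": "alice",
    "email": "alice@mycompany.com",
    # Keycloak's default placement of realm roles: nested, not top-level.
    "realm_access": {"roles": ["default-roles-google"]},
}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_hs256_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT for offline testing (stand-in for Keycloak's RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Constant-time signature check; never read claims from a token that fails it."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def token_claims(token: str) -> dict:
    """Decode the payload segment only; does NOT verify anything."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def missing_claim_keys(claims: dict, subject_key: str, roles_key: str) -> list:
    """Which of the names configured as subject_key / roles_key are absent."""
    return [k for k in (subject_key, roles_key) if k not in claims]


def roles_hint(claims: dict) -> str:
    """Explain where roles are, since Keycloak nests them by default."""
    if "roles" in claims:
        return "top-level roles claim present"
    if "roles" in claims.get("realm_access", {}):
        return "roles only under realm_access.roles; a mapper is needed for a top-level claim"
    return "no roles claim found"


def inspect_token(token: str, secret: bytes, subject_key: str, roles_key: str) -> dict:
    """Verify first, then report the claim names the security plugin would look up."""
    if not verify_hs256(token, secret):
        return {"verified": False}
    claims = token_claims(token)
    return {
        "verified": True,
        "missing": missing_claim_keys(claims, subject_key, roles_key),
        "roles": roles_hint(claims),
    }


if __name__ == "__main__":
    token = build_hs256_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    # Same keys as the config.yml posted in the thread.
    print(inspect_token(token, SAMPLE_SECRET, "preferred_username", "roles"))
```

For a real token, paste the id_token's payload into `token_claims` only after it has been verified against Keycloak's JWKS (the `jwks_uri` in the same discovery document); the `missing` list tells you whether to change `subject_key`/`roles_key` or to add a mapper in Keycloak.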

@Anthony Yep, this curl works (my bad! :pleading_face:) and yes, I have access to the Keycloak log, but there's nothing interesting there (only when I tried to log in with wrong credentials using the built-in login fields).

I have commented out subject_key and roles_key, but it's still the same.
preferred_username is not in the Keycloak configuration (well-known):

 "claims_supported": [
    "aud",
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email",
    "acr"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": true,
  "scopes_supported": [
    "openid",
    "roles",
    "microprofile-jwt",
    "web-origins",
    "address",
    "profile",
    "phone",
    "offline_access",
    "email"
  ],

Some logs after DEBUG was enabled:

opensearch-node1         | WARNING: An illegal reflective access operation has occurred
opensearch-node1         | WARNING: Illegal reflective access by org.opensearch.security.support.Base64Helper$DescriptorNameSetter (file:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-1.0.1.0.jar) to field java.io.ObjectStreamClass.name
opensearch-node1         | WARNING: Please consider reporting this to the maintainers of org.opensearch.security.support.Base64Helper$DescriptorNameSetter
opensearch-node1         | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
opensearch-node1         | WARNING: All illegal access operations will be denied in a future release


opensearch-node2         | [2021-10-01T15:18:02,255][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node2] Check authdomain for rest internal/4 or 1 in total
opensearch-node2         | [2021-10-01T15:18:02,256][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-node2] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
opensearch-dashboards    | {"type":"log","@timestamp":"2021-10-01T15:18:02Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
opensearch-dashboards    | {"type":"response","@timestamp":"2021-10-01T15:18:02Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?state=b8AanfxHtIhtv2iqjt1a98&session_state=f4d9a2bb-46da-4309-aafa-d63eab10c0f0&code=cfd836be-b04a-4c07-8072-f9e49bc88d71.f4d9a2bb-46da-4309-aafa-d63eab10c0f0.203be349-2a60-4a8d-8165-7348fcc4bc84","method":"get","headers":{"host":"osearch.mycompany.com:5601","connection":"keep-alive","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.9"},"remoteAddress":"2.82.205.34","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"},"res":{"statusCode":302,"responseTime":39,"contentLength":9},"message":"GET /auth/openid/login?state=b8AanfxHtIhtv2iqjt1a98&session_state=f4d9a2bb-46da-4309-aafa-d63eab10c0f0&code=cfd836be-b04a-4c07-8072-f9e49bc88d71.f4d9a2bb-46da-4309-aafa-d63eab10c0f0.203be349-2a60-4a8d-8165-7348fcc4bc84 302 39ms - 9.0B"}


opensearch-node1         | [2021-10-01T15:18:09,832][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:09,833][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:09,833][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:09,834][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:09,834][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:09,834][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:09,834][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:09,834][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:09,835][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:09,835][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:09,835][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:09,835][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:09,836][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:09,837][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:09,840][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:09,845][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:12,334][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:12,335][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:12,335][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:12,336][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:12,336][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:12,336][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:12,336][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:12,337][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:12,337][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:12,337][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:12,337][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:12,338][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:12,341][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:12,343][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:12,344][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:12,347][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:14,835][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:14,836][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:14,836][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:14,837][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:14,837][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:14,837][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:14,837][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:14,837][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:14,838][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:14,838][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:14,838][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:14,838][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:14,840][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:14,840][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:14,843][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:14,845][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:17,337][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:17,339][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:17,339][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:17,341][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:17,341][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:17,341][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:17,342][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:17,343][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:17,343][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:17,343][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:17,343][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:17,344][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:17,345][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:17,346][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:17,348][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:17,354][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:19,837][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:19,839][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:19,839][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:19,840][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:19,840][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:19,841][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:19,841][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:19,841][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:19,842][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:19,843][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:19,843][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:19,843][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:19,845][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:19,846][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:19,849][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:19,853][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:21,176][DEBUG][o.o.i.s.ReplicationTracker] [opensearch-node2] [.opendistro_security][0] no retention leases are expired from current retention leases [RetentionLeases{primaryTerm=1, version=4, leases={peer_recovery/jASAb7LhR4SJ6gRvUcXMzg=RetentionLease{id='peer_recovery/jASAb7LhR4SJ6gRvUcXMzg', retainingSequenceNumber=9, timestamp=1633101381001, source='peer recovery'}, peer_recovery/lkgW0Ft1TniZ0yKUKMbtWQ=RetentionLease{id='peer_recovery/lkgW0Ft1TniZ0yKUKMbtWQ', retainingSequenceNumber=9, timestamp=1633101381001, source='peer recovery'}}}]
opensearch-node1         | [2021-10-01T15:18:22,340][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:22,341][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:22,341][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:22,342][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:22,342][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:22,342][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:22,342][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:22,343][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:22,343][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:22,343][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:22,343][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:22,343][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:22,345][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:22,346][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:22,346][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:22,349][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:24,841][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:24,842][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:24,842][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:24,843][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:24,844][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:24,844][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:24,845][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:24,845][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:24,845][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:24,846][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:24,846][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:24,846][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:24,848][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:24,849][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:24,850][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:24,853][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:27,344][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:27,344][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:27,345][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:27,346][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=kibanaserver, backend_roles=[], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:27,346][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/nodes/info (NodesInfoRequest)
opensearch-node1         | [2021-10-01T15:18:27,347][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, kibana_server]
opensearch-node1         | [2021-10-01T15:18:27,347][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from NodesInfoRequest
opensearch-node1         | [2021-10-01T15:18:27,347][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:27,348][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:27,348][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:27,348][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/nodes/info
opensearch-node1         | [2021-10-01T15:18:27,349][DEBUG][o.o.s.f.SecurityFilter   ] [opensearch-node1] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]
opensearch-node1         | [2021-10-01T15:18:27,351][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:27,353][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replacing descriptor name from [org.opensearch.security.user.User] to [com.amazon.opendistroforelasticsearch.security.user.User]
opensearch-node1         | [2021-10-01T15:18:27,354][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node1] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:27,356][DEBUG][o.o.s.s.Base64Helper     ] [opensearch-node2] replaced descriptor name from [com.amazon.opendistroforelasticsearch.security.user.User] to [org.opensearch.security.user.User]
opensearch-node2         | [2021-10-01T15:18:28,225][DEBUG][o.o.i.s.ReplicationTracker] [opensearch-node2] [security-auditlog-2021.10.01][0] no retention leases are expired from current retention leases [RetentionLeases{primaryTerm=1, version=4, leases={peer_recovery/jASAb7LhR4SJ6gRvUcXMzg=RetentionLease{id='peer_recovery/jASAb7LhR4SJ6gRvUcXMzg', retainingSequenceNumber=19, timestamp=1633101508108, source='peer recovery'}, peer_recovery/lkgW0Ft1TniZ0yKUKMbtWQ=RetentionLease{id='peer_recovery/lkgW0Ft1TniZ0yKUKMbtWQ', retainingSequenceNumber=19, timestamp=1633101508108, source='peer recovery'}}}]
opensearch-node2         | [2021-10-01T15:18:28,439][DEBUG][o.o.i.s.ReplicationTracker] [opensearch-node2] [.kibana_1][0] no retention leases are expired from current retention leases [RetentionLeases{primaryTerm=1, version=2, leases={peer_recovery/jASAb7LhR4SJ6gRvUcXMzg=RetentionLease{id='peer_recovery/jASAb7LhR4SJ6gRvUcXMzg', retainingSequenceNumber=0, timestamp=1633101358576, source='peer recovery'}, peer_recovery/lkgW0Ft1TniZ0yKUKMbtWQ=RetentionLease{id='peer_recovery/lkgW0Ft1TniZ0yKUKMbtWQ', retainingSequenceNumber=0, timestamp=1633101358576, source='peer recovery'}}}]
opensearch-node1         | [2021-10-01T15:18:29,165][DEBUG][i.n.h.s.SslHandler       ] [opensearch-node1] [id: 0xa44cd948, L:/127.0.0.1:9200 - R:/127.0.0.1:52372] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
opensearch-node1         | [2021-10-01T15:18:29,167][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Check authdomain for rest internal/4 or 1 in total
opensearch-node1         | [2021-10-01T15:18:29,168][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] Rest user 'User [name=admin, backend_roles=[admin], requestedTenant=null]' is authenticated
opensearch-node1         | [2021-10-01T15:18:29,168][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-node1] securitytenant 'null'
opensearch-node1         | [2021-10-01T15:18:29,170][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Evaluate permissions for User [name=admin, backend_roles=[admin], requestedTenant=null] on opensearch-node1
opensearch-node1         | [2021-10-01T15:18:29,171][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Action: cluster:monitor/health (ClusterHealthRequest)
opensearch-node1         | [2021-10-01T15:18:29,171][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Mapped roles: [own_index, all_access]
opensearch-node1         | [2021-10-01T15:18:29,171][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-node1] Resolve aliases, indices and types from ClusterHealthRequest
opensearch-node1         | [2021-10-01T15:18:29,172][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] RequestedResolved : Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]
opensearch-node1         | [2021-10-01T15:18:29,173][DEBUG][o.o.s.c.PrivilegesInterceptorImpl] [opensearch-node1] raw requestedTenant: 'null'
opensearch-node1         | [2021-10-01T15:18:29,173][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Result from privileges interceptor for cluster perm: org.opensearch.security.privileges.PrivilegesInterceptor$ReplaceResult@6504d877
opensearch-node1         | [2021-10-01T15:18:29,173][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] Allowed because we have cluster permissions for cluster:monitor/health

Do I need to run securityadmin after making these modifications?

Yes, securityadmin.sh needs to be used to load the new config into the security index.

This makes a difference… I do not need to recreate my docker every time.
I think the authentication is working but I need to map the user to a role in opensearch, I think. That’s why when I enable anonymous login, I can authenticate with a valid google user and enter as anonymous in OSD.
More reading next week.
Thanks for your time @Anthony
Have a great weekend

I can’t map a google user to an opensearch role :frowning:
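The two practical steps discussed above (loading a changed security config with securityadmin.sh, and mapping an OIDC-authenticated Google user to an OpenSearch role) as one added example. This is not code from the thread or from the OpenSearch project; the Docker image paths, the demo certificate file names (root-ca.pem, kirk.pem, kirk-key.pem), the host localhost:9200, and the user and role names are assumptions. The mapping keys off the claim that config.yml names in `subject_key` (preferred_username in the thread's config) and `roles_key`, and the last function shows how to confirm what the security plugin actually derived from a token before concluding that authentication itself is broken.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): write a roles_mapping.yml for one OIDC
# user, load it with securityadmin.sh, and inspect the resulting authinfo.
# Paths, certificate names and the host are assumptions for a demo-cert
# Docker install of the official opensearch image; adjust to your deployment.
set -euo pipefail

OS_HOME="${OS_HOME:-/usr/share/opensearch}"                      # assumed image path
SEC_TOOLS="$OS_HOME/plugins/opensearch-security/tools"           # where securityadmin.sh lives
OS_URL="${OS_URL:-https://localhost:9200}"                       # assumed cluster endpoint

# Emit a roles_mapping.yml that grants ROLE to one user (matched against the
# claim named by subject_key in config.yml) and to anyone whose token carries
# BACKEND_ROLE in the claim named by roles_key. Output goes to stdout.
generate_roles_mapping() {
  local role="$1" user="$2" backend_role="$3"
  cat <<EOF
_meta:
  type: "rolesmapping"
  config_version: 2

${role}:
  reserved: false
  backend_roles:
    - "${backend_role}"
  users:
    - "${user}"
EOF
}

# Load only roles_mapping.yml into the security index. -f/-t select a single
# file and its type; -icl ignores the cluster name; -nhnv skips hostname
# verification, which is acceptable with the demo certificates only.
apply_roles_mapping() {
  local file="$1"
  "$SEC_TOOLS/securityadmin.sh" \
    -f "$file" -t rolesmapping \
    -cacert "$OS_HOME/config/root-ca.pem" \
    -cert   "$OS_HOME/config/kirk.pem" \
    -key    "$OS_HOME/config/kirk-key.pem" \
    -icl -nhnv
}

# Ask the security plugin what it derived from a bearer token: user_name
# (from subject_key), backend_roles (from roles_key) and the mapped roles.
# If user_name is right but "roles" lacks the expected entry, the problem is
# the mapping, not the OIDC login. -k is only for the self-signed demo cert.
show_authinfo() {
  local id_token="$1"
  curl -sk -H "Authorization: Bearer ${id_token}" "$OS_URL/_plugins/_security/authinfo"
}

# Usage (assumed user and role names):
#   generate_roles_mapping all_access "alice@example.com" "opensearch-admins" > roles_mapping.yml
#   apply_roles_mapping roles_mapping.yml
#   show_authinfo "$ID_TOKEN"
```

The user entry must match the claim value exactly as Keycloak puts it in the ID token (for a Google-federated user `preferred_username` is often the e-mail address), so comparing `user_name` from authinfo against the `users:` entry is the first thing to check when the mapping does not take effect.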