OpenID connect in Opensearch dashboard: too_many_redirects

OpenDistro
1

opensearch_security:
auth:
type: “openid”
openid:
connect_url: “xxxxxx.well-known/openid-configuration”
client_id: “xxx”
client_secret: “xxxxx”
scope: “openid”
#base_redirect_url:http://xxxxhost:5601
multitenancy:
enabled: true
tenants:
preferred:

  • Private
  • Global
    readonly_mode:
    roles:
  • kibana_read_only
    cookie:
    secure: true
    opensearch:
    hosts:
  • https://xxxxxhost:9200
    ssl:
    verificationMode: none
    username: “kibanaserver”
    password: “kibanaserver”
    requestHeadersWhitelist:
  • authorization
  • securitytenant

Able to authenticate with user and pwd , but after that its throws too_many_directs…kindly help me on this issue please.

2

hello,

Cookie secure a false please ? and tell me

3

Hi GnarlyCapricorne, Thanks for the reply . please find the below error after set secure: false

“tags”:[“info”,“plugins-service”],“pid”:1,“message”:“Plugin "visTypeXy" is disabled.”}
{“type”:“log”,“@timestamp”:“2021-11-17T06:26:56Z”,“tags”:[“warning”,“config”,“deprecation”],“pid”:1,“message”:“"cpu.cgroup.path.override" is deprecated and has been replaced by "ops.cGroupOverrides.cpuPath"”}
{“type”:“log”,“@timestamp”:“2021-11-17T06:26:56Z”,“tags”:[“warning”,“config”,“deprecation”],“pid”:1,“message”:“"cpuacct.cgroup.path.override" is deprecated and has been replaced by "ops.cGroupOverrides.cpuAcctPath"”}
{“type”:“log”,“@timestamp”:“2021-11-17T06:26:57Z”,“tags”:[“info”,“plugins-system”],“pid”:1,“message”:“Setting up [45] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,indexManagementDashboards,anomalyDetectionDashboards,dashboard,notebooksDashboards,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,traceAnalyticsDashboards,reportsDashboards,queryWorkbenchDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,bfetch]”}
{“type”:“log”,“@timestamp”:“2021-11-17T06,“tags”:[“fatal”,“root”],“pid”:1,“message”:“Error: "SameSite: None" requires Secure connection\n at validateOptions (/usr/share/opensearch-dashboards/src/core/server/http/cookie_session_storage.js:92:11)\n at createCookieSessionStorageFactory (/usr/share/opensearch-dashboards/src/core/server/http/cookie_session_storage.js:107:3)\n at HttpServer.createCookieSessionStorageFactory (/usr/share/opensearch-dashboards/src/core/server/http/http_server.js:409:103)\n at Object.createCookieSessionStorageFactory (/usr/share/opensearch-dashboards/src/core/server/http/http_server.js:110:64)\n at SecurityPlugin.setup (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/plugin.ts:97:105)”}
{“type”:“log”,”@timestamp":“2021-11-17T06:26:59Z”,“tags”:[“info”,“plugins-system”],“pid”:1,“message”:“Stopping all plugins.”}

4

Hi @skopen
I have the same problem (too_many_redirects) with OpenDistro + Kibana. Here is the thread: OpenID Connect in Kibana Open Distro: too_many_redirects
I see that you are testing with OpenSearch. Let’s see if you can make it work for you.

5

config:
# There are multiple ways to define the configuration here:
# * If you define anything under data, the chart will automatically create
# a secret and mount it.
# * If you define securityConfigSecret, the chart will assume this secret is
# created externally and mount it.
# * It is an error to define both data and securityConfigSecret.
#securityConfigSecret:
data:
config.yml: |-
dynamic:
authc:
basic_internal_auth_domain:
description: “Authenticate via HTTP Basic against internal users database”
http_enabled: true
transport_enabled: true
order:
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: xxxx
skip_users:
- kibanaro
- kibanaserver
- logstash
- adminp
- admin
- filebeat_internal
- kibanauser
authentication_backend:
type: noop

  # internal_users.yml: |-

Its mandatory to mention internal user and role mapping ?
And also authc mentioned above yaml is correct. please find log as well

[2021-11-29T07:22:30,795][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Node started, try to initialize it. Wait for at least yellow cluster state…
[2021-11-29T07:22:33,335][INFO ][o.o.s.s.ConfigHelper ] [opensearch-cluster-master-0] Will update ‘config’ with /usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml and populate it with empty doc if file missing and populateEmptyIfFileMissing=false
[2021-11-29T07:22:33,388][ERROR][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Cannot apply default config (this is maybe not an error!)
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “authc” (class org.opensearch.security.securityconf.impl.v7.ConfigV7), not marked as ignorable (one known property: “dynamic”])
at [Source: (String)"{“dynamic”:{“authc”:{“basic_internal_auth_domain”:{“description”:“Authenticate via HTTP Basic against internal users database”,“http_enabled”:true,“transport_enabled”:true,“order”:null,“http_authenticator”:{“type”:“basic”,“challenge”:false},“authentication_backend”:{“type”:“internal”}},“openid_auth_domain”:{“http_enabled”:true,“transport_enabled”:true,“order”:1,“http_authenticator”:{“type”:“openid”,“challenge”:false,“config”:{“subject_key”:“preferred_username”,“roles_key”:“roles”,“openid_connect”[truncated 265 chars]; line: 1, column: 22] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“dynamic”]->org.opensearch.security.securityconf.impl.v7.ConfigV7[“authc”])
at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61) ~[jackson-databind-2.11.2.jar:2.11.2]
at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:855) ~[jackson-databind-2.11.2.jar:2.11.2]
at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:1212) ~[jackson-databind-2.11.2.jar:2.11.2]

6

Hi @igonzalez
please find the below config
config:

Default OpenSearch Dashboards configuration from docker image of Dashboards

opensearch_dashboards.yml:
server:
name: kibana
host: xxxxxx.com
port: 5601

Dashboards TLS Config (Ensure the cert files are present before enabling SSL

  ssl:
    enabled: true
    key: /usr/share/opensearch-dashboards/config/test-key.pem
    certificate: /usr/share/opensearch-dashboards/config/test.pem

# determines how dashboards will verify certificates (needs to be none for default opensearch certificates to work)
opensearch_security:
  auth:
    type: "openid"
  openid:
    connect_url: "https://login.microsoftonline.com/xxxxxx/v2.0/.well-known/openid-configuration"
    client_id: "xxx"
    client_secret: "x"
    scope: "openid"
    base_redirect_url: "https://xxxxx.com/"
  multitenancy:
    enabled: true
    tenants:
      preferred:
        - Private
        - Global
  readonly_mode:
    roles:
      - kibana_read_only
  cookie:
    secure: false
opensearch:
  hosts: "https://localhost:9200"
  ssl:
    verificationMode: none
    #certificateAuthorities: ["/usr/share/opensearch/config/root-ca.pem"]
  username: "kibanaserver"
  password: "kibanaserver"
  requestHeadersWhitelist:
    - Authorization
    - security_tenant
    - securitytenant
  logQueries: true
logging:
  verbose: true

If i enable the #certificateAuthorities: [“/usr/share/opensearch/config/root-ca.pem”] , getting directory not found even pem file is there.
With above configuration,able to access the dns url but its ends up with TOO_many redirects.

7

Thanks to all for the help.
We finally got it to work :-).
In some changes, although we rebooted the system, we did not execute “securityadmin.sh” and the changes had no effect.

Perhaps the same thing is happening to many people …