OpenID connect integration with Opensearch

We keep trying things and now we get the following error message.

Can you please suggest how to proceed? Thank you in advance!

opensearch-node1         | [2022-09-28T10:59:25,680][WARN ][o.o.s.a.BackendRegistry  ] [opensearch-node1] Authentication finally failed for null from 172.21.0.1:53910
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-28T10:59:25Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}
opensearch-node1         | [2022-09-28T10:59:28,183][WARN ][o.o.s.a.BackendRegistry  ] [opensearch-node1] Authentication finally failed for null from 172.21.0.1:53910
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-28T10:59:28Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}
opensearch-node1         | [2022-09-28T10:59:30,683][WARN ][o.o.s.a.BackendRegistry  ] [opensearch-node1] Authentication finally failed for null from 172.21.0.1:53910
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-28T10:59:30Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}
opensearch-node1         | [2022-09-28T10:59:33,187][WARN ][o.o.s.a.BackendRegistry  ] [opensearch-node1] Authentication finally failed for null from 172.21.0.1:53910
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-28T10:59:33Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}

OpenSearch Dashboards error message

["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: Client network socket disconnected before secure TLS connection was established"}

Hello @pablo and @cwperks ,

Any suggestion/assistance would be really appreciated…

Thanks.

Hey @sabil, make sure you also have HTTP Basic authentication setup in the authc section of the config as well.

See this section of the documentation website.

Because OpenSearch Dashboards requires that the internal OpenSearch Dashboards server user can authenticate through HTTP basic authentication, you must configure two authentication domains. For OpenID Connect, the HTTP basic domain has to be placed first in the chain. Make sure you set the challenge flag to false.

Hope this helps!

Updated the order to 0 and 1 for basic and openid respectively… seems like the error has gone…

However, I am still getting other errors, such as

{"type":"log","@timestamp":"2022-09-30T15:57:20Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: Client network socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2022-09-30T15:57:20Z","tags":["error","savedobjects-service"],"pid":1,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2022-09-30T15:57:22Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: Client network socket disconnected before secure TLS connection was established"}
{"type":"log","@timestamp":"2022-09-30T15:57:25Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: Client network socket disconnected before secure TLS connection was established"}
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-30T16:01:20Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-30T16:01:22Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-30T16:01:25Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}
opensearch-dashboards    | {"type":"log","@timestamp":"2022-09-30T16:01:27Z","tags":["error","opensearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}

Thanks.

@sabil Can you confirm that config.yml file mapping is working? Could you compare config.yml from the host filesystem and the one in the container?

You’ve set the following in the environment section of OpenSearch Dashboards.

- 'OPENSEARCH_HOSTS=["https://localhost:9200"]'

This won’t work as this localhost points to the OpenSearch Dashboards container and not the Docker host.
Try to use the below instead.

- 'OPENSEARCH_HOSTS=["https://opensearch-node1:9200"]'

Docker will use internal DNS to resolve opensearch-node1.

Hello @pablo ,

Thank you so much for your response.

Yes, I have compared the host and Docker config.yml and they are the same.

Second thing, about opensearch_hosts: I am actually using the IP address of the host.

- 'OPENSEARCH_HOSTS=["https://localhost:9200"]'

Kindly suggest. Thank you.

@sabil Could you share an output of the following command?

curl --insecure -u admin:admin -XGET https://<opensearch_node>:9200

@pablo,

We are getting the following error message.

Kindly suggest.

opensearch-node1         | [2022-10-04T14:16:25,452][INFO ][o.o.s.s.ConfigHelper     ] [opensearch-node1] Doc with id 'nodesdn' and version 2 is updated in .opendistro_security index.
opensearch-node1         | [2022-10-04T14:16:25,452][INFO ][o.o.s.s.ConfigHelper     ] [opensearch-node1] Will update 'whitelist' with /usr/share/opensearch/config/opensearch-security/whitelist.yml and populate it with empty doc if file missing and populateEmptyIfFileMissing=true
opensearch-node1         | [2022-10-04T14:16:25,454][ERROR][o.o.s.c.ConfigurationRepository] [opensearch-node1] Cannot apply default config (this is maybe not an error!)
opensearch-node1         | com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while scanning a simple key
opensearch-node1         |  in 'reader', line 24, column 5:
opensearch-node1         |         /
opensearch-node1         |         ^
opensearch-node1         | could not find expected ':'
opensearch-node1         |  in 'reader', line 26, column 1:
opensearch-node1         |
opensearch-node1         |     ^
opensearch-node1         |
opensearch-node1         |  at [Source: (FileReader); line: 23, column: 12]
opensearch-node1         |      at com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException.from(MarkedYAMLException.java:28) ~[jackson-dataformat-yaml-2.13.3.jar:2.13.3]
opensearch-node1         |      at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:407) ~[jackson-dataformat-yaml-2.13.3.jar:2.13.3]
javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS server authentication
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
        at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:947)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
        at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
        at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS server authentication
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)

@sabil As per the error message, you’re missing a ':'.
Try the below.

config:
  enabled: true
  requests:
    /_cluster/settings:
      - GET
    /_cat/nodes:
      - GET
    /:
      - GET

Is there any reason why you would need whitelisting?

Hello @pablo

Because I have received an error message that the / API is not whitelisted… I have posted that error message above as well in the discuss topic.

"GET / API not whitelisted","status":"FORBIDDEN"}

Thanks.

@pablo ,

We are getting the “GET / API not whitelisted” error after executing the curl command provided by you.

root# curl --insecure -u admin:admin -XGET https://192.168.132.3:9200
{"error":"GET / API not whitelisted","status":"FORBIDDEN"}
root#

We have added the following entry in whitelist.yml. However, we are still getting the error message “Response timeout”.

config:
  enabled: true
  requests:
    /_cluster/settings:
      - GET
    /_cat/nodes:
      - GET
    /:
      - GET

Just for testing purposes we have removed the ':' from the / in whitelist.yml, and we are able to access the dashboard using basic authentication with admin:admin.

config:
  enabled: true
  requests:
    /_cluster/settings:
      - GET
    /_cat/nodes:
      - GET
    /
      - GET

Can you please suggest where to make the changes so that OpenSearch authenticates through OpenID Connect primarily and basic authentication is secondary?

Kindly suggest.

Thanks.

@sabil Could you set enabled to false and upload the config?
The reason why I asked about that file is that enabled is set to false by default.

Hello @pablo ,

We have changed the enabled value to false and ran docker-compose. Now it is not complaining about the API.

But the worry is still that OpenSearch Dashboards is using basic authentication instead of OpenID Connect.

Kindly suggest.

Thanks.

@sabil Also, please do the same in the allowlist.yml.
Starting from version 2.0.0, whitelist.yml has been replaced with allowlist.yml but it is still required when you update config with securityadmin.sh script.

@pablo ,

I have updated in both the files…

Still getting an error message; the dashboard is not coming up.

@sabil Could you share again your current docker-compose.yml file?

@sabil Your main issue is with the opensearch-dashboards container configuration.
OpenSearch Dashboards ignores all the security plugin settings set as environment variables. That’s why your basic authentication works and you’re not redirected to the OpenID login screen.

You must configure all the security options in the opensearch_dashboards.yml and mount it in the volume section.

You should leave only OPENSEARCH_HOSTS as the environment variable.
As per my previous comment, the value of the OPENSEARCH_HOSTS should point to your container and not the localhost.

Also, the default value of opensearch.username: and opensearch.password: is kibanaserver.

If your OpenID IDP runs with the self-signed certificate, you must add opensearch_security.openid.root_ca in the opensearch_dashboards.yml and use IDP’s SSL cert.
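The two conditions raised in this thread (the basic domain ordered before OpenID with challenge disabled, and OPENSEARCH_HOSTS pointing at the OpenSearch container rather than localhost) can be checked mechanically before running securityadmin.sh. This is an added example, not OpenSearch project code; the dict is a constructed sample shaped like what yaml.safe_load would return for config.dynamic.authc in config.yml, and the IdP URL is a placeholder.

```python
"""Sanity checks for the OpenSearch Security + Dashboards setup discussed
in this thread (added example; the authc dict below is a constructed sample)."""
from urllib.parse import urlparse

SECURITY_AUTHC = {
    "basic_internal_auth_domain": {
        "http_enabled": True, "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
    },
    "openid_auth_domain": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {
            "type": "openid", "challenge": False,
            "config": {"subject_key": "preferred_username", "roles_key": "roles",
                       "openid_connect_url": "https://idp.example.invalid/.well-known/openid-configuration"}},
    },
}

def _domains(authc, kind):
    # Enabled HTTP auth domains whose authenticator type matches `kind`.
    return [(n, d) for n, d in authc.items()
            if d.get("http_enabled", True) and d["http_authenticator"]["type"] == kind]

def check_authc_chain(authc):
    """Findings for the authc chain: the Dashboards server user needs an HTTP
    basic domain ordered before OpenID, with challenge set to false."""
    findings = []
    basic, openid = _domains(authc, "basic"), _domains(authc, "openid")
    if not basic:
        findings.append("no enabled HTTP basic domain: the kibanaserver user cannot log in")
    if not openid:
        findings.append("no enabled openid domain")
    for name, dom in basic:
        if dom["http_authenticator"].get("challenge", True):  # plugin default is true
            findings.append(f"{name}: challenge must be false when OpenID is also configured")
        for oname, odom in openid:
            if dom.get("order", 0) >= odom.get("order", 0):
                findings.append(f"{name} (order {dom.get('order')}) must come before {oname}")
    return findings

def check_dashboards_hosts(hosts):
    """Findings for OPENSEARCH_HOSTS / opensearch.hosts: inside the Dashboards
    container, localhost is the container itself and 5601 is its own port."""
    findings = []
    for url in hosts:
        parsed = urlparse(url)
        if parsed.hostname in ("localhost", "127.0.0.1"):
            findings.append(f"{url}: localhost is the Dashboards container, use the OpenSearch service name")
        if parsed.port == 5601:
            findings.append(f"{url}: 5601 is the Dashboards port, OpenSearch listens on 9200")
    return findings
```

An empty findings list from both functions means the chain order, challenge flag and host URL match what the replies above ask for; each finding names the domain or URL to fix.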

Hey @sabil, the file name and mount location are incorrect for the dashboards config file. The volume mount should be

- ./opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

You need an s after opensearch_dashboard in the config file name and update the path in the container.

Hey @cwperks ,

Thank you so much for your response.

Sure, let me try this out and update you.

Thank you.

Hello @cwperks / @pablo,

I am getting a fatal error while running docker compose.

opensearch-dashboards    |  FATAL  Error: [config validation of [opensearch].url]: definition for this key is missing

Following is the entry of opensearch.url in opensearch_dashboards.yml file.

# Use HTTPS instead of HTTP
opensearch.url: ["https://opensearch-dashboards:5601"]

Tried with opensearch url as well. But no luck.

# Use HTTPS instead of HTTP
opensearch.url: ["https://opensearch-dashboards:9200"]

Can you please suggest?

Thanks.