openID IDP integration with Opensearch

Hello All,

Hope you all are doing good.

I am trying to do the integration of my OpenSearch with OpenID (IDP) for authentication.

I have the information about the IDP, and the following is the config.yaml.

openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: admin_role
      openid_connect_url: https://xxworkingURLxx/.well-known/openid-configuration
  authentication_backend:
    type: noop

I wanted to know where the above config.yaml file should be placed and whether any other configuration needs to be done in order to achieve the integration.

Please do let me know in case of any questions.

I am using the latest version of OpenSearch and the OS is Ubuntu 20.4.

Thank you.

Hi @sabil - I believe the file you’re looking for is config.yml -

The main configuration file for authentication and authorization backends is config/opensearch-security/config.yml. It defines how the security plugin retrieves the user credentials, how it verifies these credentials, and how to fetch additional roles from backend systems (optional).

Check this page out here: Backend configuration - OpenSearch documentation

Hope that helps!

Nate

Hi @sabil, please follow the steps below to set up OpenSearch Dashboards with OIDC:
Step 1: Modify config.yml

openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: email
      roles_key: email
      openid_connect_url: https://*****/.well-known/openid-configuration
  authentication_backend:
    type: noop

config.yml should be placed under Location: /config/opensearch-security/config.yml

Step 2: Modify opensearch-dashboard.yml:

opensearch_security.auth.type: 'openid'
opensearch_security.openid.connect_url: 'https://***/.well-known/openid-configuration'
opensearch_security.openid.client_id: '<OpenSearch_App_Client_ID>'
opensearch_security.openid.client_secret: '<OpenSearch_App_Client_Secret>'
opensearch_security.openid.base_redirect_url: "http://localhost:5601"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant, security_tenant]
opensearch_security.openid.scope: 'openid profile email address phone offline_access'
opensearch_security.openid.verify_hostnames: false
opensearch_security.openid.refresh_tokens: false

Hope it can help you resolve the issue! :smiling_face:

1 Like
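As an added illustration of what the two config keys in the reply above do (example code written for this page; it is not from the reply or from the OpenSearch project): the openid authenticator takes the ID token the IdP issues, reads the claim named by subject_key as the user name and the claim named by roles_key as the backend roles, and trusts the token only after verifying its signature against the keys published at the discovery document's jwks_uri. The script decodes a constructed, unsigned token to show the claim-to-user mapping both for this reply's email/email setting and for the original post's preferred_username/admin_role setting, and checks the discovery document's issuer against openid_connect_url the way a client should. The token, the discovery document and all claim values are constructed sample data; the signature is a placeholder and nothing here verifies it, and treating a string roles claim as a single role is a simplification of the plugin's behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): what the openid authenticator extracts
# from an ID token. It decodes a constructed, UNSIGNED token only; OpenSearch
# additionally verifies the signature against the jwks_uri in the discovery
# document. Assumes GNU base64/sed on PATH.
set -e

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in      # restore the padding base64url strips
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Top-level string claim ("key":"value") from flat JSON; prints nothing if absent.
json_string() { printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"; }

# Top-level array-of-strings claim as a comma-separated list.
json_strings() { printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\[\([^]]*\)\].*/\1/p" | tr -d '" '; }

# Roles claim: an array gives several roles, a plain string gives one (simplified).
json_roles() {
  r=$(json_strings "$1" "$2")
  [ -n "$r" ] || r=$(json_string "$1" "$2")
  printf '%s' "$r"
}

# Mirror config.yml: $2 = subject_key (claim that becomes the user name),
# $3 = roles_key (claim whose values become backend roles). $1 = token.
oidc_claims_to_user() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  claims=$(b64url_decode "$payload")
  user=$(json_string "$claims" "$2")
  roles=$(json_roles "$claims" "$3")
  [ -n "$user" ] || { echo "subject claim '$2' missing: login would fail" >&2; return 1; }
  echo "user=$user roles=${roles:-<none>}"
}

# OIDC discovery rule: issuer + /.well-known/openid-configuration must equal the
# URL the document was fetched from; a mismatch means trusting the wrong IdP.
check_issuer() {   # $1 = discovery JSON, $2 = openid_connect_url
  issuer=$(json_string "$1" issuer)
  [ "$issuer/.well-known/openid-configuration" = "$2" ]
}

# Constructed sample data (not a real IdP, not a real token)
HEADER='{"alg":"RS256","typ":"JWT","kid":"demo"}'
CLAIMS='{"iss":"https://idp.example.com","sub":"1234","preferred_username":"alice","email":"alice@example.com","admin_role":["admin","readall"],"exp":1893456000}'
TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$CLAIMS").constructed-signature"
DISCOVERY='{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/keys","authorization_endpoint":"https://idp.example.com/auth","token_endpoint":"https://idp.example.com/token"}'

oidc_claims_to_user "$TOKEN" preferred_username admin_role   # original post's keys
oidc_claims_to_user "$TOKEN" email email                     # this reply's keys
oidc_claims_to_user "$TOKEN" upn admin_role || echo "(login rejected as expected)"
check_issuer "$DISCOVERY" "https://idp.example.com/.well-known/openid-configuration" && echo "issuer matches connect_url"
```

With roles_key set to email, the user's e-mail address itself becomes the backend role name, so it then has to be mapped to an OpenSearch role in roles_mapping.yml; with roles_key naming an array claim such as admin_role, each element becomes a backend role. A subject claim that the IdP does not send means no user name and a rejected login, so check the IdP's claim names against subject_key before blaming the cluster.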

@aoguan @nateynate

Thank you so much guys for your inputs…

The thing is that I am using Docker container for opensearch and opensearch-dashboard using Ansible role.

Can you please suggest how I can set up/adjust the config.yaml? All the authentication methods need to be updated during the deployment itself.

Thanks.

Hi @sabil,

You can always load config files from volumes in the docker-compose.yml file; please check the sample below:

opensearch-node1:
    image: opensearchproject/opensearch:2.0.0
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
      - network.host=0.0.0.0 # required if not using the demo security configuration
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./config.yml:/usr/share/opensearch/config/opensearch-security/config.yml
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - opensearch-net

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:2.0.0
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # must be a string with no spaces when specified as an environment variable
    volumes:
      - ./opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
    networks:
      - opensearch-net

Enjoy! :smiling_face:

2 Likes

@aoguan Thank you so much for the information. Let me try this out and let you know the results.

@aoguan Thank you so much for the information.

I am getting the following error message while executing through 'openid':

opensearch-node1         | [2022-08-12T09:47:11,392][WARN ][o.o.h.AbstractHttpServerTransport] [opensearch-node1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/172.19.0.2:9200, remoteAddress=/112.123.4.5:44598}
opensearch-node1         | io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

What I have done is I have added the following to opensearch-dashboard.

  • opensearch_security.auth.type: 'openid'
  • opensearch_security.openid.connect_url: 'https://xyz.com/.well-known/openid-configuration'
  • opensearch_security.openid.client_id: 'xxxxxxxxxxxxxx'
  • opensearch_security.openid.client_secret: 'xxxxxxxxx'

config.yml

openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: admin_role
      openid_connect_url: https://xyz.com/.well-known/openid-configuration
  authentication_backend:
    type: noop

I am also trying to search for the solution… Meanwhile, I just thought I would share it with you in case you can provide some hints/suggestions on this.

Thank you so much in advance!

Getting the following error messages as well.

opensearch-node1         | [2022-08-12T12:31:13,176][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-node1] Not yet initialized (you may need to run securityadmin)
opensearch-node1         | [2022-08-12T12:31:13,178][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-node1] Not yet initialized (you may need to run securityadmin)
opensearch-node1         | [2022-08-12T12:31:13,180][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-node1] Not yet initialized (you may need to run securityadmin)
opensearch-node1         | [2022-08-12T12:31:13,182][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-node1] Not yet initialized (you may need to run securityadmin)
opensearch-node1         | [2022-08-12T12:31:05,611][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for internalusers while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT]  (index=.opendistro_security)
opensearch-node1         | [2022-08-12T12:31:05,612][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for actiongroups while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT]  (index=.opendistro_security)
opensearch-node1         | [2022-08-12T12:31:05,612][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for config while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT]  (index=.opendistro_security)
opensearch-node1         | [2022-08-12T12:31:05,612][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for roles while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT]  (index=.opendistro_security)
opensearch-node1         | [2022-08-12T12:31:05,612][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for rolesmapping while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT]  (index=.opendistro_security)
opensearch-node1         | [2022-08-12T12:31:05,612][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for tenants while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT]  (index=.opendistro_security)

Hello @aoguan @nateynate,

May I know how to run a securityadmin.sh script through the docker-compose.yml file?

Thank you in advance!

I am trying to run the securityadmin.sh manually from the container…

If we want to run it through docker-compose, how can we do that?

We just wanted to know how/where to get the following certificate.

  -cacert /etc/opensearch/root-ca.pem \
  -cert /etc/opensearch/kirk.pem \
  -key /etc/opensearch/kirk-key.pem \

Thank you.

Hello All,

Just wanted to know whether we have any alternative to running securityadmin.sh for IDP integration.

Is anyone aware of how to generate a self-signed root CA certificate?

Thank you.
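The last three questions in this thread (where root-ca.pem, kirk.pem and kirk-key.pem come from, how to create a self-signed root CA, and how to run securityadmin.sh against a docker-compose cluster) and the earlier certificate_unknown handshake failure share one answer: the cluster needs a CA that every node, the admin client and Dashboards all trust, and config.yml only takes effect once securityadmin.sh has loaded it. The script below is an added example, not code from the thread or from the OpenSearch project. It uses openssl to create a throw-away root CA, a node certificate with subject alternative names and an admin (kirk) certificate, verifies the chain the way a TLS client does, prints the admin DN in the form opensearch.yml expects, and shows the docker compose exec invocation for securityadmin.sh. The names (Example Root CA, opensearch-node1, kirk), the output directory and the mount path /usr/share/opensearch/config/ are assumptions to adapt; the securityadmin flags are the documented -cd, -icl, -nhnv, -cacert, -cert and -key.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away PKI for an OpenSearch
# test cluster with openssl and check it the way a TLS client does.
# Assumptions: openssl 1.1.1+ on PATH; names and paths below are placeholders.
set -e

# Self-signed root CA. $1 = output directory. The CA key signs everything else;
# keep it off the containers.
make_root_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
O = Example
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" \
    -keyout "$1/root-ca-key.pem" -out "$1/root-ca.pem" 2>/dev/null
}

# Leaf certificate signed by that CA. $1 = dir, $2 = file base name,
# $3 = CN, $4 = subjectAltName list (empty for a client-only cert).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/ca.cnf" -subj "/O=Example/CN=$3" \
    -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null
  {
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth, clientAuth"
    if [ -n "$4" ]; then echo "subjectAltName = $4"; fi
  } > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -sha256 -days 365 \
    -CA "$1/root-ca.pem" -CAkey "$1/root-ca-key.pem" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# 0 if $2 chains to the CA in $1, non-zero otherwise (what a TLS client checks).
verify_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Subject in the RFC 2253 form that plugins.security.authcz.admin_dn expects.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# Load config.yml into the security index through the running node container.
# Needs the cluster up and the PEM files mounted under /usr/share/opensearch/config/;
# not executed by this script.
run_securityadmin() {
  docker compose exec opensearch-node1 \
    plugins/opensearch-security/tools/securityadmin.sh \
      -cd /usr/share/opensearch/config/opensearch-security/ \
      -icl -nhnv \
      -cacert /usr/share/opensearch/config/root-ca.pem \
      -cert /usr/share/opensearch/config/kirk.pem \
      -key /usr/share/opensearch/config/kirk-key.pem
}

OUT="${OUT:-$(mktemp -d)}"
make_root_ca "$OUT"
issue_cert "$OUT" node opensearch-node1 "DNS:opensearch-node1,DNS:localhost,IP:127.0.0.1"
issue_cert "$OUT" kirk kirk ""
verify_cert "$OUT/root-ca.pem" "$OUT/node.pem" && echo "node.pem chains to root-ca.pem"
echo "admin_dn for opensearch.yml: $(cert_subject "$OUT/kirk.pem")"
echo "generated in $OUT:"; ls "$OUT"
```

certificate_unknown is the alert a TLS peer sends when it rejects the certificate it was shown, so the client that connected to port 9200 (a browser, curl or Dashboards) did not trust the node's chain; verifying node.pem against a second, unrelated CA fails in exactly that way. To wire the output in, mount root-ca.pem, node.pem, node-key.pem, kirk.pem and kirk-key.pem into the node container next to config.yml, point plugins.security.ssl.http.pemcert_filepath, pemkey_filepath and pemtrustedcas_filepath (and the plugins.security.ssl.transport equivalents) at them in opensearch.yml, list the DN the script prints under plugins.security.authcz.admin_dn, and give Dashboards the same root-ca.pem through opensearch.ssl.certificateAuthorities so it stops rejecting the node. Only after the node is up with those files does securityadmin.sh load config.yml into the .opendistro_security index and clear the "Not yet initialized" errors; there is no supported way around that step for a custom config.yml, and the admin key is as sensitive as the admin password it replaces.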