@pablo @jennyglidewell I’m having the same problem. I’m using OpenSearch 2.5.0. I installed OpenSearch using the helm chart. These are my configuration files:
opensearch-security/config.yml

```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authz: {}
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca/root.ca.crt
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://host.docker.internal/auth/realms/pantry/.well-known/openid-configuration
        authentication_backend:
          type: noop
```
opensearch.yml

```yaml
cluster:
  name: opensearch-cluster
  routing:
    allocation:
      disk:
        threshold_enabled: false
network.host: 0.0.0.0
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
        pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
        pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ca.crt
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
        pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
        pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ca.crt
    allow_default_init_securityindex: true
    audit.type: internal_opensearch
    authcz.admin_dn:
      - CN=admin,OU=SSL,O=haus
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
    restapi:
      roles_enabled: ["all_access", "security_rest_api_access"]
    system_indices:
      enabled: true
      indices:
        [
          ".opendistro-alerting-config",
          ".opendistro-alerting-alert*",
          ".opendistro-anomaly-results*",
          ".opendistro-anomaly-detector*",
          ".opendistro-anomaly-checkpoints",
          ".opendistro-anomaly-detection-state",
          ".opendistro-reports-*",
          ".opendistro-notifications-*",
          ".opendistro-notebooks",
          ".opendistro-asynchronous-search-response*",
        ]
```
opensearch-dashboards.yml

```yaml
logging:
  dest: stdout
  verbose: true
server:
  name: dashboards
  host: 0.0.0.0
  ssl:
    enabled: true
    key: /usr/share/dashboards/certs/tls.key
    certificate: /usr/share/dashboards/certs/tls.crt
opensearch_security:
  auth:
    type: ["basicauth", "openid"]
    multiple_auth_enabled: true
  openid:
    connect_url: https://host.docker.internal/auth/realms/pantry/.well-known/openid-configuration
    base_redirect_url: https://localhost:5601
    client_id: opensearch-dashboards
    client_secret: REDACTED
    scope: openid profile email
    header: Authorization
    root_ca: /usr/share/dashboards/root-ca/root.ca.crt
    verify_hostnames: "false"
    trust_dynamic_headers: true
opensearch:
  requestHeadersAllowlist: ["Authorization", "security_tenant"]
  hosts: [ "opensearch-cluster-master" ]
  username: "kibanaserver"
  password: "kibanaserver"
  ssl:
    certificateAuthorities:
      - /usr/share/dashboards/root-ca/root.ca.crt
      - /usr/share/dashboards/certs/ca.crt
```
I’ve also attempted to hit the OpenSearch root URL with an auth token generated by Keycloak:

```sh
curl --location --request GET 'https://opensearch-cluster-master:9200' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer REDACTED'
```
I get the same error from OpenSearch:

```
[2023-02-12T00:05:02,088][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-0] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2023-02-12T00:05:02,092][WARN ][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
```
I don’t think the issue is OpenSearch not receiving authentication details from Dashboards.
I’ve curl’d my Keycloak endpoint from the container and I’m able to get a response:
```
curl -kv https://host.docker.internal/auth/realms/pantry/.well-known/openid-configuration
*   Trying 192.168.65.2:443...
* Connected to host.docker.internal (192.168.65.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Feb 11 00:10:02 2023 GMT
*  expire date: May 12 00:10:02 2023 GMT
*  issuer: CN=root-ca
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6042410)
> GET /auth/realms/pantry/.well-known/openid-configuration HTTP/2
> Host: host.docker.internal
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sun, 12 Feb 2023 00:28:48 GMT
< content-type: application/json
< content-length: 5833
< cache-control: no-cache, must-revalidate, no-transform, no-store
< x-xss-protection: 1; mode=block
< x-frame-options: SAMEORIGIN
< referrer-policy: no-referrer
< strict-transport-security: max-age=15724800; includeSubDomains
< x-content-type-options: nosniff
<
{"issuer":"https://host.docker.internal/auth/realms/pantry","authorization_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/auth","token_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/token","introspection_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/userinfo","end_session_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/certs","check_session_iframe":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://host.docker.internal/auth/realms/pantry/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":
["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","microprofile-jwt","web-origins","address","profile","roles","offline_access","email","phone"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"revocation_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/revoke","revocation_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"device_authorization_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/auth/device","backchannel_token_delivery_modes_supported":["poll","ping"],"backchannel_authentication_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/ext/ciba/auth","backchannel_authentication_request_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512"],"require_pushed_authorization_requests":false,"pushed_authorization_request_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/ext/par/request","mtls_endpoint_aliases":{"token_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/token","revocation_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/revoke",
"introspection_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/token/introspect","device_authorization_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/auth/device","registration_endpoint":"https://host.docker.internal/auth/realms/pantry/clients-registrations/openid-connect","userinfo_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/userinfo","pushed_authorization_request_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/ext/par/request","backchannel_authentication_endpoint":"https://host.docker.internal/auth/realms/pantry/protocol/openid-connect/ext/ciba/auth"}}
* Connection #0 to host host.docker.internal left intact
```
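The post above pairs an OpenSearch `openid_auth_domain` (`subject_key: preferred_username`, `roles_key: roles`) with a Keycloak realm and then sends a Keycloak bearer token. Before blaming the transport, it is worth checking that the token itself carries what that config asks for. The script below is an added example, not code from the post or from the OpenSearch project: it decodes a compact JWT without verifying the signature (OpenSearch does that against `jwks_uri`) and reports whether the `alg`, `iss`, `exp`, `preferred_username` and top-level `roles` claims line up with the realm's discovery document. The `DISCOVERY` dict is trimmed from the discovery response shown above, and the sample token is constructed with a dummy signature purely so the checks can run offline.

```python
"""Inspect a Keycloak JWT against what an OpenSearch openid authenticator with
subject_key: preferred_username and roles_key: roles would look for.
Signature is NOT verified here; OpenSearch verifies it via the realm's jwks_uri."""
import base64
import json
import time
from typing import Dict, Optional, Tuple

# Claim names taken from the config.yml in the post; change if yours differ.
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"

# Trimmed copy of the realm's .well-known/openid-configuration shown above.
DISCOVERY = {
    "issuer": "https://host.docker.internal/auth/realms/pantry",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "PS256"],
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_token_for_opensearch(token: str, discovery: Dict,
                               now: Optional[float] = None) -> Dict[str, bool]:
    """Named checks explaining why OpenSearch could still reject a bearer token
    even once the Authorization header demonstrably reaches the node."""
    now = time.time() if now is None else now
    header, payload = decode_jwt(token)
    return {
        # OpenSearch rejects tokens signed with an alg the IdP does not advertise.
        "alg_supported": header.get("alg") in discovery["id_token_signing_alg_values_supported"],
        # kid lets the plugin pick the right key from jwks_uri.
        "has_kid": "kid" in header,
        "issuer_matches": payload.get("iss") == discovery["issuer"],
        "not_expired": payload.get("exp", 0) > now,
        "subject_key_present": SUBJECT_KEY in payload,
        # roles_key: roles means a top-level "roles" claim. Keycloak's default
        # realm-role mapping is nested under realm_access.roles instead, so
        # the two checks below tell those cases apart.
        "roles_key_present": ROLES_KEY in payload,
        "roles_only_under_realm_access": ROLES_KEY not in payload
            and isinstance(payload.get("realm_access"), dict)
            and ROLES_KEY in payload["realm_access"],
    }


def make_unsigned_sample(payload: Dict, alg: str = "RS256") -> str:
    """Constructed sample token with a dummy signature segment, only so the
    decoder and checks can be exercised offline. Not a real credential."""
    header = {"alg": alg, "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    # Constructed payload shaped like a default Keycloak access token.
    sample = make_unsigned_sample({
        "iss": DISCOVERY["issuer"],
        "exp": int(time.time()) + 300,
        "preferred_username": "alice",
        "realm_access": {"roles": ["default-roles-pantry", "offline_access"]},
    })
    for name, ok in check_token_for_opensearch(sample, DISCOVERY).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

To run it against a real token, replace `sample` with the value from the `Authorization: Bearer` header (or paste it in via `decode_jwt`); a `FAIL roles_key_present` next to a `PASS roles_only_under_realm_access` means the realm is emitting roles in Keycloak's default nested location rather than the flat `roles` claim the `roles_key` setting names.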