Hi,
I’m working to build an OpenSearch cluster and have it currently setup with transport security and LDAP authentication. I still use the internal users to help with tests and the build. I’m currently working to build users and roles that will meet our requirements. It would be much easier to do this with the web UI. The documentation mentions a “Security” menu in OpenSearch Dashboards (Users and roles - OpenSearch documentation). I’m using the latest version of OpenSearch and OS Dashboards (2.0.1). When I log in with the default “admin/admin” account, I cannot see any “Security” menu.
Is there a specific security-related role that the admin user is missing that would be causing this? If there an option that must be enabled in a configuration file to make the “Security” menu appear? Anything else I might be missing?
Thanks!
David
@davidlag
The default admin:admin access should provide you with backend_role admin, which is then mapped via roles_mappings.yml to all_access.
This role should be enabled in opensearch.yml with below line:
plugins.security.restapi.roles_enabled: [ “all_access” ]
You can check which roles are assigned using the “View Roles and Identities” tab after selecting the avatar icon from top right
Hope this helps.
@Anthony
Checking “View Roles and Identities” shows:
What else could be hiding the “Security” menu when logged in as “admin” as I seem to have the proper permissions?
Thanks!
@davidlag can you share your opensearch.yml file please? also, can you confirm same version is on all the nodes?
@Anthony
I confirm we’re running the same version on all 4 nodes: 2.0.1
We’re running in Docker and this is the opensearch.yml for node opensearch-mgr1:
---
cluster.name: opensearch-cluster
node.name: opensearch-mgr1
node.roles: [ cluster_manager ]
# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0
discovery.seed_hosts: ["opensearch-mgr1", "opensearch-data1", "[redacted]", "[redacted]"]
transport.publish_host: [redacted]
transport.publish_port: 9310
# Security
plugins.security.ssl.transport.pemcert_filepath: mgr1.pem
plugins.security.ssl.transport.pemkey_filepath: mgr1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: mgr1.pem
plugins.security.ssl.http.pemkey_filepath: mgr1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- [redacted]
plugins.security.nodes_dn:
- [redacted]
- [redacted]
- [redacted]
- [redacted]
plugins.security.ssl.transport.truststore_filepath: root-ca.p12
plugins.security.ssl.transport.truststore_type: pkcs12
We also have nodes opensearch-data1, opensearch-mgr2 and opensearch-data2. 1 nodes are running on the same host and 2 nodes are running on a different host and thus why I redacted some hostnames above.
The opensearch.yml for node opensearch-data1 is essentially the same as above except for the node roles: node.roles: [ data, ingest ].
The docker-compose.yml file has these environment variables set:
environment:
- DISABLE_INSTALL_DEMO_CONFIG=true
- bootstrap.memory_lock=true
- "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
4GB of RAM is provided to each data node and 2GB of RAM is provided to each manager node.
The container configuration for opensearch-dashboards is as follows:
opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:2.0.1
container_name: opensearch-dashboards
ports:
- 5602:5601
environment:
OPENSEARCH_HOSTS: '["https://opensearch-mgr1:9200","https://[redacted]:9210"]'
OPENSEARCH_SSL_VERIFICATIONMODE: 'none'
The only other configuration file that is changed from the container defaults is config.yml for the user auth, which has our LDAP configuration.
Thank you!
@davidlag I can’t see the above line in opensearch.yml, was it excluded from the paste command?
@Anthony
That line was definitely not in opensearch.yml and I completely misunderstood it was not enabled by default. I just made the change to our cluster on all 4 nodes and the “Security” menu is now showing.
Thank you so much!