Question: Are the authc authentication domain names used in the security plugins config.yml arbitrary strings?

jaimie.livingston · October 23, 2024, 8:38pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Any

Describe the issue:

General Question:

Are the authc authentication domain names used in the security plugins config.yml arbitrary strings?
The documentation is not clear. I suspect these are arbitrary strings, but I don’t want to make the assumption.

We’ve been using the domain name internal_users_domain in the authc configuration since since v2.0, but the v2.17 example configuration in github uses basic_internal_auth_domain where I would expect to see internal_users_domain. (Yes, I’m just noticing this. The config I’m using has been working for a good long while, and I haven’t had need to revisit it until now.)

github.com

opensearch-project/security/blob/main/config/config.yml#L101


      
            http_authenticator:
              type: kerberos
              challenge: true
              config:
                # If true a lot of kerberos/security related debugging output will be logged to standard out
                krb_debug: false
                # If true then the realm will be stripped from the user name
                strip_realm_from_principal: true
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 4
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          proxy_auth_domain:

Configuration:
security plugin, config.yml, authc section.

Relevant Logs or Screenshots:
not applicable

Mantas · October 24, 2024, 12:18pm

Hi @jaimie.livingston,

I would assume so - you can call it whatever you want as long as the type is correct, to illustrate here is the setup from my lab:

Best,
mj

jaimie.livingston · October 24, 2024, 3:56pm

Thanks for the confirmation.
I suspected as much, but didn’t have an immediate way of testing this.

~Jaimie

Topic		Replies	Views
OpenSearch JWT authentication Security	1	873	September 7, 2022
Opensearch Security Plugin config ignoring openId setting Security configure	3	906	February 10, 2022
Proxy_auth login failure Security	6	684	December 16, 2021
LDAP integration with OPENSEARCH Security security-issue	14	663	May 9, 2024
Incorrect JWT documentation? Security	1	545	June 21, 2022

Question: Are the authc authentication domain names used in the security plugins config.yml arbitrary strings?

Related Topics