Securitytenant header in api calls from kibana empty

Versions:

Opensearch and dashboards version 2.12.0

Problem:

Whenever I try to generate a report using the Opensearch dashboards I get the error:

Download error

There was an error generating this report.

And in the Opensearch dashboards logs I see:

"message":"Failed input validation for create report Error: saved object with id search:3c043890-5975-11ef-a9a9-f31052f6849e does not exist"

"method":"post","statusCode":400,"req":{"…,"accept-encoding":"gzip, deflate, br, zstd","priority":"u=1, i","securitytenant":""}

As you can see, the securitytenant is empty, but I have selected the appropriate tenant in Kibana, and I can see in saved objects that the object is present with that ID and is also created under that tenant.

Configuration:

Standard installation of OpenSearch and Dashboards with multitenancy enabled and OpenID Connect

Relevant Logs or Screenshots:


@AWgod Could you share your config.yml and opensearch_dashboards.yml files?

yes, of course:

config.yml:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      private_tenant_enabled: true
      server_username: <user for kibana>
      index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: <openid connect url>
        authentication_backend:
          type: noop

opensearch_dashboards.yml :

server.host: "0.0.0.0"
opensearch.hosts: ["<opensearch host url>"]
opensearch_security.auth.type: ["openid"]
opensearch_security.auth.multiple_auth_enabled: false
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.enable_filter: false
opensearch_security.multitenancy.enable_aggregation_view: true
opensearch.ssl.verificationMode: none
server.ssl.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.openid.connect_url: <open id connect url>
opensearch_security.openid.client_id: "<client id>"
opensearch_security.openid.client_secret: "<client secret>"
opensearch_security.openid.base_redirect_url: "<kibana redirect url>"
opensearch_security.openid.header: "Authorization"
opensearch.requestHeadersAllowlist: ["Authorization","securitytenant"]
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.openid.verify_hostnames: false
opensearch.username: <user for kibana>
opensearch.password: <user for kibana>
opensearchDashboards.index: ".kibana"
data_source.enabled: true
logging.verbose: true

Did you change the default kibana user ‘kibanaserver’ to a different one?
If so, what roles did you assign to that new user?

Hi,

No, it’s the default kibanaserver.

I also noticed that I only have the .kibana_1 index and no other… As per the documentation, I saw that they should be segmented like: .kibana_<hash>_<tenant_name> .kibana_<hash>_<username>

And I looked inside the .kibana_1 index and there are the saved objects of all tenants.

@AWgod Out of the box there will be only the .kibana_1 index. However, when you log in to the OpenSearch Dashboards UI and switch to a different tenant (other than Global) you should see either .kibana_<hash>_<tenant_name> for a non-Global tenant or .kibana_<hash>_<username> for the Private tenant.

Could you also execute the following command and share the output?

curl --insecure -u admin:<password> https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/securityconfig?pretty

@AWgod I’ve found the root cause.

opensearch_security.multitenancy.enable_aggregation_view: true

This option is causing the lack of separate indices for non-Global and Private tenants.
As per the OpenSearch documentation, this is an experimental option and shouldn’t be used in a production environment.

2 Likes
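
A check for the condition identified in the answer above, as an added example that is not part of the original thread or of the OpenSearch project's code: it flags an opensearch_dashboards.yml that has multitenancy enabled together with enable_aggregation_view, and counts per-tenant index names in a listing of .kibana* indices. The function names and sample data are constructed for illustration; the optional leading minus sign and trailing _<n> in the index pattern are assumptions.

```shell
#!/usr/bin/env bash
# Added example; function names and sample data are hypothetical.

# Print the value of a flat dotted key from opensearch_dashboards.yml.
# Comment lines and trailing comments are skipped, the last occurrence wins.
yml_value() {  # usage: yml_value <file> <key>
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)
      i = index(line, ":")
      if (i == 0) next
      k = substr(line, 1, i - 1); v = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1" | tr -d "\"'"
}

# Exit 0 when the file has the combination from the thread: multitenancy
# enabled and the experimental aggregation view switched on.
aggregation_view_risk() {
  [ "$(yml_value "$1" opensearch_security.multitenancy.enabled)" = "true" ] &&
  [ "$(yml_value "$1" opensearch_security.multitenancy.enable_aggregation_view)" = "true" ]
}

# Count per-tenant index names read from stdin (one name per line), e.g. the
# output of a GET on /_cat/indices/.kibana*?h=index. The pattern follows the
# naming quoted in the thread, .kibana_<hash>_<name>; the optional '-' before
# the hash and the trailing _<n> are assumptions.
count_tenant_indices() {
  grep -Ec '^\.kibana_-?[0-9]+_[A-Za-z0-9]+(_[0-9]+)?$' || true
}

# Constructed sample input (not taken from a real cluster).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.enable_aggregation_view: true  # experimental
EOF
sample_indices='.kibana_1
.kibana_92668751_admin_1
.kibana_-152937574_admintenant_1'

if aggregation_view_risk "$sample_cfg"; then
  echo "WARN: experimental aggregation view enabled; expect no separate tenant indices"
fi
echo "tenant indices found: $(printf '%s\n' "$sample_indices" | count_tenant_indices)"
```

A count of 0 after users have switched to non-Global tenants matches the symptom described in the thread, where only .kibana_1 existed.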

Thank you so much! IT WORKED :smiley:

1 Like