Status code 401 Unauthorized Authentication required

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch version: 2.15.0

Describe the issue:
I am running OpenSearch containers on managed hosts. I can access my OpenSearch dashboard directly using the URL: http://fqdn:5601. But, when I try to access it using a separate VM set up to proxy my request using URL-based routing, I get the above error.

This is how I am rewriting the path. I can access my other containers like this, but not the OpenSearch dashboard:
http://fqdn/node-1/opensearch

If I change the port from 5601 to 9200 in HAProxy, I can access that as well.

Any help would be greatly appreciated.

Configuration:

---

opensearch.hosts: [https://opensearch-node1.insta-ng_mirror:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: ${PASSWORD}
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false
server.host: '0.0.0.0'

Relevant Logs or Screenshots:

Hi @Daniyal,

Could you share the output of the command below:

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty

best,
mj

Hi @Mantas,

Thank you for your response. This is the requested output.

{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "private_tenant_enabled" : true,
        "default_tenant" : "",
        "server_username" : "kibanaserver",
        "index" : ".kibana",
        "sign_in_options" : [
          "BASIC"
        ]
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader" : "X-Forwarded-For"
        }
      },
      "authc" : {
        "jwt_auth_domain" : {
          "http_enabled" : false,
          "order" : 0,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "jwt",
            "config" : {
              "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key",
              "jwt_header" : "Authorization",
              "jwt_clock_skew_tolerance_seconds" : 30
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via Json Web Token"
        },
        "ldap" : {
          "http_enabled" : false,
          "order" : 5,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(sAMAccountName={0})"
            }
          },
          "description" : "Authenticate via LDAP or Active Directory"
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "order" : 4,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "intern",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic against internal users database"
        },
        "proxy_auth_domain" : {
          "http_enabled" : false,
          "order" : 3,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "proxy",
            "config" : {
              "user_header" : "x-proxy-user",
              "roles_header" : "x-proxy-roles"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via proxy"
        },
        "clientcert_auth_domain" : {
          "http_enabled" : false,
          "order" : 2,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "clientcert",
            "config" : {
              "username_attribute" : "cn"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via SSL client certificates"
        },
        "kerberos_auth_domain" : {
          "http_enabled" : false,
          "order" : 6,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "kerberos",
            "config" : {
              "krb_debug" : false,
              "strip_realm_from_principal" : true
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        }
      },
      "authz" : {
        "roles_from_another_ldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : { }
          },
          "description" : "Authorize via another Active Directory"
        },
        "roles_from_myldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "rolebase" : "ou=groups,dc=example,dc=com",
              "rolesearch" : "(member={0})",
              "userrolename" : "disabled",
              "rolename" : "cn",
              "resolve_nested_roles" : true,
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(uid={0})"
            }
          },
          "description" : "Authorize via LDAP or Active Directory"
        }
      },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false,
      "on_behalf_of" : {
        "enabled" : false
      }
    }
  }
}

@Daniyal, you are only using internal user authentication, correct?
Are there any headers added or stripped by the proxy?

best,
mj

Hi @Mantas,

Yes, I am not adding or deleting any headers.

I am just manipulating the path.

use_backend opensearch if { path /node-1/opensearch } || { path_beg /node-1/opensearch/ }

backend opensearch
    http-request replace-path /node-1/opensearch/(/)?(.*) /\2
    server opensearch_node1 fqdn:5601 check
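As an added check that is not part of this thread, the Python script below reproduces the frontend ACL and the replace-path regex from the HAProxy snippet above and runs constructed sample paths through them, showing what the backend receives for each. It makes one property of the posted rules visible: the exact path /node-1/opensearch is routed by the ACL but not matched by the rewrite regex (which requires a trailing slash), so it reaches the backend with its prefix intact.

```python
import re

# The routing and rewrite rules from the HAProxy snippet in the thread,
# reproduced as data so their behaviour can be checked offline.
ROUTE_EXACT = "/node-1/opensearch"      # acl: { path /node-1/opensearch }
ROUTE_PREFIX = "/node-1/opensearch/"    # acl: { path_beg /node-1/opensearch/ }
REWRITE_RE = re.compile(r"/node-1/opensearch/(/)?(.*)")  # replace-path match-regex
REWRITE_FMT = r"/\2"                                      # replace-path replace-fmt

# Constructed sample request paths (not taken from any real traffic).
SAMPLE_PATHS = [
    "/node-1/opensearch",            # exact route, no trailing slash
    "/node-1/opensearch/",
    "/node-1/opensearch/app/home",
    "/node-1/opensearch//app/login", # doubled slash absorbed by the (/)? group
    "/node-1/opensearchx",           # shares the prefix text but is not routed
    "/favicon.ico",                  # matches no route, falls to the default backend
]


def routed_to_opensearch(path: str) -> bool:
    """Mirror the frontend's use_backend condition: exact match OR prefix match."""
    return path == ROUTE_EXACT or path.startswith(ROUTE_PREFIX)


def rewrite_path(path: str) -> str:
    """Mirror http-request replace-path: the matched part is replaced with the
    format string; when the regex does not match, the path is left unchanged."""
    return REWRITE_RE.sub(REWRITE_FMT, path, count=1)


def backend_view(paths):
    """Map each client path to what the backend receives (None = not routed)."""
    return {p: rewrite_path(p) if routed_to_opensearch(p) else None for p in paths}


def unrewritten_routes(paths):
    """Paths the ACL sends to the backend but the rewrite leaves untouched:
    these still carry the /node-1/opensearch prefix when they reach Dashboards."""
    return [p for p in paths if routed_to_opensearch(p) and rewrite_path(p) == p]


if __name__ == "__main__":
    for client_path, backend_path in backend_view(SAMPLE_PATHS).items():
        print(f"{client_path:32} -> {backend_path}")
    print("routed but not rewritten:", unrewritten_routes(SAMPLE_PATHS))
```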

@Daniyal, are there any errors in the OpenSearch logs or HAProxy logs (beyond the 401, i.e. permissions missing or similar)?

Thanks,
mj

Hi @Mantas,

I don't see any error in the OpenSearch logs, but I see this in the HAProxy logs.

 https_frontend/1: SSL handshake failure
 https_frontend/1: SSL handshake failure
 https_frontend~ opensearch_backend/opensearch_node1 0/0/2/2/4 401 413 - - ---- 1/1/0/0/0 0/0 "GET /node-1/opensearch HTTP/1.1"
 https_frontend~ default/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 1/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
 https_frontend~ opensearch_backend/opensearch_node1 0/0/2/2/4 401 413 - - ---- 1/1/0/0/0 0/0 "GET /node-1/opensearch HTTP/1.1"
 https_frontend/1: SSL handshake failure
 https_frontend~ default/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 1/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"

Just before the snippet provided earlier, I am doing this:

frontend http_frontend
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_frontend
    bind *:443 ssl crt /etc/ssl/private/haproxy.pem

I am able to access one of the other services in the same way.
I have generated a self-signed certificate and am using that. If I comment out the https_frontend and the certificate, I still cannot access it and get ERR_CONNECTION_REFUSED. The opensearch-dashboard is accessible over HTTP.

I am not sure if this could be the problem.

Hi @Daniyal,

Could you please share your full opensearch_dashboards.yml (when SSL is enabled)?

Thanks,
mj

Hi @Mantas,

The one I have shared is what I am using. Can you please tell me the steps to set up SSL for this?

Thank you

@Daniyal,

You can find a good example of how to set it up here: Configure TLS - OpenSearch Documentation

Let me know if you need any further help setting it up.

best,
mj