Background:
I am running OpenSearch v 1.2.4 and OpenSearch Dashboards v 1.2.0 using both Docker Swarm and Docker Compose (the behavior described below is identical, regardless of whether I am using swarm or compose). I am using OpenSearch’s docker images (both versions are the “latest” at the time I am writing this post) and copying my configuration files and certificates into the images.
I have configured OpenSearch and OpenSearch Dashboards to use OpenID Connect (Keycloak) for authentication and I have multitenancy enabled. I have no problem logging in using OpenID Connect, and my user is granted “all_access” rights based on my “admin” backend role.
Problem
I am able to log in and create dashboards; however, I am seeing some odd behavior:
- When I attempt to generate reports in the Global Tenant, I see an error in my console that says “no such index ‘.kibana’”. If I create an index alias to point the alias “.kibana” to “.opensearch_dashboards*”, it resolves this issue
- Even after applying the alias above, I cannot generate reports from a Private tenant. In my console, I see an error that says “no such index ‘.kibana_129834-myusername’”
A couple of additional things that I tried (I completely rebuilt images after each chang before testing) that did not resolve the issue:
- Changing the name of the configuration field in config.yml from “kibana” to either “opensearch-dashboards” or “opensearch_dashboards” results in an UnrecognizedPropertyException when I start up opensearch
- Leaving the configuration field as “kibana” and changing the lower “index” field from “.kibana” to “.opensearch_dashboards” still results in errors in the console that say “no such index ‘.kibana’”, even when I don’t have “.kibana” anywhere in any of my configuration files. Furthermore, if I set “index” to “.opensearch_dashboards”, I receive the same errors in the console but cannot even apply the alias fix to point “.kibana” to “.opensearch_dashboards” as described above.
Below is my security config.yml
config:
dynamic:
# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
kibana: # Changing this to "opensearch-dashboards" or "opensearch_dashboards" results in UnrecognizedPropertyException
# Kibana multitenancy
multitenancy_enabled: true
server_username: kibanaserver
index: '.kibana' # Changing this to ".opensearch_dashboards" does not resolve issue and prevents ".kibana" index alias workaround described above
http:
anonymous_auth_enabled: false
xff:
enabled: true
#internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
internalProxies: '.*' # trust all internal proxies, regex pattern
remoteIpHeader: 'x-forwarded-for'
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: http://keycloak:8100/auth/realms/poc/.well-known/openid-configuration
jwks_uri: http://keycloak:8100/auth/realms/poc/protocol/openid-connect/certs
openid_connect_idp.enable_ssl: false
openid_connect_idp.verify_hostnames: false
skip_users:
- kibanaro
- kibanaserver
- logstash
- adminp
- kibanauser
- filebeat_internal
authentication_backend:
type: noop
Questions
- Is there a configuration key other than “kibana” that I should be setting in my security config.yml?
- Is there another value for “index” that I should be setting in my security config.yml?
- Any ideas why Opensearch Dashboards is looking for “.kibana” indices even in the cases when the string “.kibana” doesn’t appear anywhere in any of my configuration files?