Unauthorized error 401 while accessing app using sso oidc

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Hey, can someone provide me with a config for OIDC through OpenSearch? I am just setting values in the config and dashboard, no certificate, nothing, but I'm getting an unauthorised error.
Can someone give me the conf of:

  1. Dashboard
  2. Opensearch
  3. Role and role map
  4. Claims: I have roles which I changed to access and admin, still no luck

Describe the issue:

Configuration:

Relevant Logs or Screenshots:

Have you checked here:

Best,
mj

Thanks @Mantas

I have this conf for opensearch_dashboard

config: 
  # Default OpenSearch Dashboards configuration from docker image of Dashboards
  opensearch_dashboards.yml: |
    opensearch_security.auth.type: ["openid","basicauth"]
    opensearch.username: "kibanaserver"
    opensearch.password: "kibanaserver"
    opensearch_security.auth.multiple_auth_enabled: true
    # Disable SSL verification when using self-signed demo certificates
    # allowlist basic headers and multi-tenancy header
    opensearch.requestHeadersAllowlist: ["Authorization", "securitytenant"]
    opensearch.ssl.verificationMode: none
    opensearch_security.openid.base_redirect_url: https://test.opensearch.com
    opensearch_security.openid.client_id: secrettt_id
    opensearch_security.openid.client_secret: secrettt
    opensearch_security.openid.scope: "openid email roles"
    opensearch_security.openid.connect_url: myidp/.well-known/openid-configuration

for opensearch i have this


    dataComplete: false
    data: 
      config: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            http:
              anonymous_auth_enabled: false
            authc:
              basic_internal_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 0
                http_authenticator:
                  type: basic
                  challenge: false
                authentication_backend:
                  type: internal
              openid_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 1
                http_authenticator:
                  type: openid
                  challenge: false
                  config:
                    subject_key: email
                    roles_key: roles
                    openid_connect_url: myidp/.well-known/openid-configuration
                authentication_backend:
                  type: noop
    
      # config.yml: |-
      # internal_users.yml: |-
      #roles.yml:

      roles_mapping.yml: |-
        custom_role:
          reserved: false
          users:
          - "*"

but I am getting unauthorized while trying to access the app via SSO

I even checked that I am requesting the roles claim;
the JWT looks like below:

id:
{
  "email": "test@example.com",
  "roles": "admin"
}
tried with other roles, "custome_role", as the key in the role mapping

I am running OpenSearch behind an nginx reverse proxy;
nginx is passing traffic to the svc of the dashboard.

I tried with below conf as well

_meta:
  type: "roles"
  config_version: 2

admin:
  reserved: false
  hidden: false
  cluster_permissions:
    - "cluster_all"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "index_all"

user:
  reserved: false
  hidden: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"
        - "search"

_meta:
  type: "rolesmapping"
  config_version: 2

admin:
  reserved: false
  hidden: false
  backend_roles:
    - "admin"
  hosts: []
  users:
    - "admin"

but no luck

Hey @Mantas or @pablo, can you please give me some clue?

Hey @Mantas @pablo, can you please help me with debugging this issue?

this is my ID token

{
  "email_verified": true,
  "iat": 1733596079,
  "iss": "testidp",
  "aud": "ad8fbebedd8400c6188eadde1db9a18b",
  "acr": "1",
  "sid": "_da_0fvqNh3AE8sXaQnrDLFx4e09cBAWp_TX13pu7DDhIc1eyUeyFnlTx0MxBkRDdizcCbrfvYLvDP8a4AhardBwT-lPu-fdfdsfdsfdsfs-AzCV4FsooHzWu9s",
  "at_hash": "NDhH77aEmN_JBIs4W580SQ",
  "exp": 1733596389,
  "sub": "29c9058f31c8bd06d6dcd497c7454545454563bb3ac77e9762e49a89f57a85",
  "email": "onk@test.com",
  "roles": "admin"
}
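One way to sanity-check an ID token like the one above against the thread's config.yml (subject_key: email, roles_key: roles) and roles_mapping, as an added example that is not from this thread or from the OpenSearch project: it decodes the payload without verifying the signature and reports which mapped roles the user would end up with. It assumes the roles claim may be a list or a comma-separated string and that "users" patterns in roles_mapping accept * wildcards; SAMPLE_CLAIMS and SAMPLE_MAPPING are constructed from the values posted above.

```python
# Added example (not from this thread): decode an OIDC ID token payload and simulate how
# the security plugin's openid authenticator derives the user name (subject_key) and
# backend roles (roles_key), then check them against roles_mapping entries.
# Assumptions: roles claim is a list or comma-separated string; "users" may use * wildcards.
import base64
import json
from fnmatch import fnmatchcase

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg none, empty signature) for offline testing only.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def decode_payload(token: str) -> dict:
    # Signature is deliberately NOT verified here; this only inspects the claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def extract_identity(claims: dict, subject_key="email", roles_key="roles"):
    subject = claims.get(subject_key)
    raw = claims.get(roles_key)
    if raw is None:
        roles = []
    elif isinstance(raw, list):
        roles = [str(r) for r in raw]
    else:  # comma-separated string such as "admin" or "admin,user"
        roles = [r.strip() for r in str(raw).split(",") if r.strip()]
    return subject, roles

def mapped_roles(subject, backend_roles, roles_mapping: dict) -> list:
    matched = []
    for role, entry in roles_mapping.items():
        if role == "_meta":
            continue
        by_user = any(fnmatchcase(subject or "", p) for p in entry.get("users", []))
        by_backend = any(r in entry.get("backend_roles", []) for r in backend_roles)
        if by_user or by_backend:
            matched.append(role)
    return sorted(matched)

# Constructed sample: shortened claims from the posted ID token and its rolesmapping.
SAMPLE_CLAIMS = {"iss": "testidp", "email": "onk@test.com", "roles": "admin"}
SAMPLE_MAPPING = {"admin": {"backend_roles": ["admin"], "users": ["admin"]}}
```

If mapped_roles returns an empty list for the subject and roles taken from the real token, the 401 comes from the mapping stage rather than from the IdP exchange.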

@ochavan, to confirm, are you using the charts or the operator?

Could you execute the below and share the output:
curl --insecure --cert <path/to/admin/cert.pem> --key <path/to/admin_key.pem> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty

admin cert as per plugins.security.authcz.admin_dn:

Best,
mj