Using environmental variables in Open Distro security plugin configuration

Security
1

Initially I put something like that in my plugins/opendistro_security/securityconfig/config.yml:

ldap:
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - ldap.domain.com:3268
            bind_dn: ${LDAP_BIND_DN}
            password: ${LDAP_BIND_PASSWORD}
            usersearch: '(sAMAccountName={0})'
            userbase: 'OU=Accounts and Groups,DC=domain,DC=com'
            username_attribute: 'sAMAccountName'

But even though I set those variables in ES environment, I got errors on LDAP connection with error 49, implying that credentials are not valid. When I replace the variables with actual values, it works. That’s not bad, but I want to commit this config to Git, and having secrets there is, of course, extremely undesirable. Is there any workaround?

2

You have to execute securityadmin.sh with the parameter --resolve-env-vars and change config.yml to

...
            bind_dn: ${env.LDAP_BIND_DN}
            password: ${env.LDAP_BIND_PASSWORD}
...
1 Like
3

Sorry for bumping up the topic but I have similar question but that regards configuration of security plugin in OpenSearch Dashboard - I’d like to store my client id/secret in K8S secret and then bind them to env variables of OpenSearch Dashboard pod.

I tried the answer suggested here:

opensearch_security:
    open_id:
        client_id: ${env.CLIENT_ID}

but that send a literal value “${env.CLIENT_ID}” to my OpenID provider.

I also tried to remove the property from opensearch_dashboard.yml and set env variable with key OPENSEARCH_SECURITY_OPENID_CLIENT_ID hoping that maybe it would be found to match the key from config file but in this case the dashboard redirects to OpenID provider without any clientId query param.

Is there another way to do it? Or are there plans to support something like this?

4

I have exported the required LDAP credentials as environment variable, but the --resolve-env-vars parameter doesn’t resolve the environment variables during the script run

Here is how I’m running the securityadmin.sh passing all the required params, but no luck, encountered with below error

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563]

config.yaml:

bind_dn: "cn=${env.LDAP_USERNAME},OU=Service Accounts,DC=co,DC=nz"
password: ${env.LDAP_PASSWORD}

Script Run:

/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-f /tmp/config.yaml -t config \
-cert certs/admin/tls.crt \
-key certs/admin/tls.key \
-cacert certs/ca.pem \
-h opensearch-0.co.nz \
--resolve-env-vars --accept-red-cluster
5

@saikiran.dusari Could you open a new thread?
In the meantime try escaping the variable in bind_dn.

i.e.

bind_dn: "cn=\$\{env.LDAP_USERNAME\},OU=Service Accounts,DC=co,DC=nz"
password: ${env.LDAP_PASSWORD}
6

Hi @pablo Thank you very much for the reply. I have redeployed the OpenSerach from scratch and it is all looking good. Very weird why this was failing in the first place.

Do we have any example or pattern where the securityadmin.sh gets executed soon after the OpenSearch deployment. I have tried using postStart lifecycle hook but no luck, getting into crashloop error?

Thanks
Sai