Wrong default credentials for Opensearch Dashboard and Error after Disabling security

Versions - Opensearch 2.11, Opensearch-dashboards - 2.11

Describe the issue:

Hi, I have a multinode OpenSearch cluster. All of the nodes were working properly. I tried to install Dashboards as well and I left the default config. But then a problem appeared: I'm not able to log in to the dashboard with the default username and password (admin:admin or kibanaserver:kibanaserver). I tried to find a solution on the forums for changing the password, but it didn't work. Then I decided to disable the security of both the dashboard and OpenSearch following this link: Disabling security - OpenSearch Documentation. But after I try to restart the service, it times out.

And the error in the logs is: unknown setting [plugins.security.disabled] please check that any required plugins are installed, or check the breaking changes documentation for removed settings.

Can someone please help me find a solution to this problem?

Configuration:

opensearch.yml

--------------------------------------------
######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.disabled: true
#plugins.security.ssl.transport.pemcert_filepath: esnode.pem
#plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
#plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
#plugins.security.ssl.transport.enforce_hostname_verification: false
#plugins.security.ssl.http.enabled: true
#plugins.security.ssl.http.pemcert_filepath: esnode.pem
#plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
#plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
#plugins.security.allow_unsafe_democertificates: true
#plugins.security.allow_default_init_securityindex: true
#plugins.security.authcz.admin_dn:
#  - CN=kirk,OU=client,O=client,L=test, C=de

#plugins.security.audit.type: internal_opensearch
#plugins.security.enable_snapshot_restore_privilege: true
#plugins.security.check_snapshot_restore_write_privileges: true
#plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
#plugins.security.system_indices.enabled: true
#plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task",>
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
action.auto_create_index: false

--------------------------------------------

opensearch-dashboards.yml

--------------------------------------------
server.port: 5601
server.host: 0.0.0.0
opensearch.hosts: [http://localhost:9200]
--------------------------------------------

Hey @andrea.petrenko

How did you deploy OpenSearch cluster? Have you tried to change admin’s password using hash.sh tool?

Also, please make sure that you change the following value:
plugins.security.disabled: false

The cluster is deployed as it is said in the OpenSearch documentation. There are three machines. One of them is master:

---------------- Master OpenSearch ------------------------
cluster.name: Graylog
node.name: OpenSearch1
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.x.x", "192.168.x.x", "192.168.x.x"]
node.roles: [master]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]
node.max_local_storage_nodes: 3
action.auto_create_index: false
plugins.security.disabled: true
-----------------------------------------------------------------------------------

And two data nodes:

------------------------- Data node 1 --------------------------
cluster.name: Graylog
node.name: OpenSearch2
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.x.x", "192.168.x.x", "192.168.x.x"]
node.roles: [data]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]
node.max_local_storage_nodes: 3
action.auto_create_index: false
plugins.security.disabled: true
--------------------------------------------------------------------------------------------------
---------------------- Data node 2 ------------------------------------------------
cluster.name: Graylog
node.name: OpenSearch2
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.x.x", "192.168.x.x", "192.168.x.x"]
node.roles: [data]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]
node.max_local_storage_nodes: 3
action.auto_create_index: false
plugins.security.disabled: true

---------------------------------------------------------------------------------------------------

I tried to change the default dashboard password using this guide - How to Change the Admin Password in OpenSearch (opster.com) but after adding the configuration in step 4 in the config file I received a fatal error with description - ValidationError: [config validation of [opensearch_security].auth.type]: types that failed validation. Is it a problem that I don’t have HTTPS set up for the cluster?

The user’s credentials are part of the security plugin. If you disable the security plugin, you can send a request to the OpenSearch cluster without requiring any user’s credentials.
You need to enable the security plugin in order to use the admin’s credentials.

To do that, you can change the following parameter:
plugins.security.disabled: false

When I change the:
plugins.security.disabled: false

I still received an error for “ValidationError: [config validation of [opensearch_security].auth.type]: types that failed validation:\n- [config validation of [opensearch_security].auth.type.0]: could not parse array value from json in” when I leave the following settings in the opensearch-dashboard.yml:

------------------------------------------------------------------------------------------
opensearch_security.auth.type: "basic"
opensearch_security.auth.basic.username: "admin"
opensearch_security.auth.basic.password: "<new_password>"
------------------------------------------------------------------------------------------

After I remove them and try with the default ones, I'm receiving these error messages:
“[ConnectionError]: socket hang up” and “Unable to retrieve version information from OpenSearch nodes.” and this in the web browser:
image

I updated to the last version so all of the nodes are using Opensearch 2.12, Opensearch-dashboards - 2.12

And after I change the security plugins to false:
plugins.security.disabled: false
it is breaking the Graylog installed on the same machines

Hi @andrea.petrenko

As per the documentation, you need to use basicauth instead of basic.

Please try to change configuration to the following:

opensearch_security.auth.type: "basicauth"

Could you please try to execute the following command?

curl --insecure -u your_username:your_password -XGET https://localhost:9200/_plugins/_security/authinfo

After the changes you mentioned previously, I'm receiving this:

{"user":"User [name=admin, backend_roles=[admin], requestedTenant=null]","user_name":"admin","user_requested_tenant":null,"remote_address":"127.0.0.1:37306","backend_roles":["admin"],"custom_attribute_names":[],"roles":["own_index","all_access"],"tenants":{"global_tenant":true,"admin_tenant":true,"admin":true},"principal":null,"peer_certificates":"0","sso_logout_url":null}

But still when I try to log in I have:

image

Could you please provide the OpenSearch and OpenSearch Dashboard logs that are generated after clicking on the Log in button?

The log is this:
opensearch01 opensearch-dashboards[228153]: {"type":"log","@timestamp":"2024-03-19T12:49:47Z","tags":["error","opensearch","data"],"pid":228153,"message":"[ConnectionError]: socket hang up"}

Could you please share your current opensearch-dashboards.yml file?

server.host: 0.0.0.0
opensearch.hosts: [http://192.168.x.x:9200, http://192.168.x.x:9200, http://192.168.x.x:9200]
opensearch.ssl.verificationMode: none
#opensearch::category.username: kibanaserver
#opensearch::category.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]

opensearch_security.cookie.secure: false

opensearch_security.auth.type: "basicauth"
#opensearch_security.auth.basic.username: "admin"
#opensearch_security.auth.basic.password: "…"

Please change your OpenSearch host URLs. You should use https instead of http.

After changing http to https I received this error:

Hi @andrea.petrenko
Please share your OpenSearch and OpenSearch Dashboards logs.

There are no logs for OpenSearch Dashboard

Hi @andrea.petrenko

Please try to execute the following command:

curl --insecure -u kibanaserver:kibanaserver -XGET https://localhost:9200/_plugins/_security/authinfo

Also, please double-check the OpenSearch Dashboard logs. The logs should be generated if you can see this text in the browser.

@andrea.petrenko

You missed some configurations. Please add the following lines to your opensearch_dashboards.yml file:

opensearch.username: kibanaserver
opensearch.password: kibanaserver
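
The misconfigurations worked through in this thread can be caught before a restart. The following is an added example, not part of the thread and not OpenSearch tooling: a small Python check that reads an opensearch.yml and an opensearch-dashboards.yml and reports the mismatches and weak settings discussed above. The function names, finding codes and the condensed sample input are assumptions made for illustration.

```python
def parse_flat_yaml(text):
    """Read the flat `dotted.key: value` lines these two files use."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":   # skip comments, list items, separators
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(opensearch_yml, dashboards_yml):
    """Return (code, message) findings for a node config and a Dashboards config."""
    node, dash = parse_flat_yaml(opensearch_yml), parse_flat_yaml(dashboards_yml)
    disabled = node.get("plugins.security.disabled") == "true"
    # HTTP-layer TLS only applies while the security plugin is enabled.
    tls_http = not disabled and node.get("plugins.security.ssl.http.enabled") == "true"
    findings = []
    if disabled:
        findings.append(("SECURITY_DISABLED", "REST API needs no credentials"))
    if node.get("plugins.security.allow_unsafe_democertificates") == "true":
        findings.append(("DEMO_CERTS", "demo certificates are accepted"))
    if tls_http and "http://" in dash.get("opensearch.hosts", ""):
        findings.append(("SCHEME_MISMATCH", "opensearch.hosts uses http:// but the node serves HTTPS"))
    if dash.get("opensearch_security.auth.type") == "basic":
        findings.append(("BAD_AUTH_TYPE", "use basicauth, not basic"))
    if not disabled and "opensearch.username" not in dash:
        findings.append(("NO_SERVICE_USER", "opensearch.username/password missing"))
    if dash.get("opensearch.username") == dash.get("opensearch.password") == "kibanaserver":
        findings.append(("DEFAULT_CREDS", "demo kibanaserver password still in use"))
    if dash.get("opensearch.ssl.verificationMode") == "none":
        findings.append(("NO_CERT_VERIFY", "node certificate is not verified"))
    return findings

# Constructed sample input, condensed from the settings quoted in the thread.
NODE_YML = """\
plugins.security.ssl.http.enabled: true
plugins.security.allow_unsafe_democertificates: true
plugins.security.disabled: false
"""
DASHBOARDS_YML = """\
opensearch.hosts: [http://192.168.x.x:9200]
opensearch.ssl.verificationMode: none
opensearch_security.auth.type: "basic"
"""

if __name__ == "__main__":
    for code, message in audit(NODE_YML, DASHBOARDS_YML):
        print(f"{code}: {message}")
```
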