
Comments (12)

hjannasch commented on July 24, 2024

Hi @derek-ho opensearch_dashboards.yml is as follows. I detected a copy/paste issue where the client_secret is duplicated, but the second one is in comments. But I don't think that's an issue.

server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: ["ELASTICSEARCH_URL_PLACEHOLDER"]

# Enable OpenID authentication
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
opensearch_security.openid.client_id: "<CLIENT_ID>"
opensearch_security.openid.client_secret: CLIENT_SECRET
opensearch_security.openid.base_redirect_url: "https://logs-training.itbs.bs.ch"

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

# The client secret of the OpenID Connect client
#opensearch_security.openid.client_secret: "CLIENT_SECRET"

# Configure the Kibana internal server user
opensearch.username: kibanaserver
opensearch.password: elastic_kibanaserver_password_placeholder

# Disable SSL verification when using self-signed demo certificates
opensearch.ssl.verificationMode: none

# Whitelist basic headers and multi-tenancy header
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]

from security-dashboards-plugin.

cwperks commented on July 24, 2024

@hjannasch Thank you for filing this issue!

@derek-ho Could this be related to MDS changes in 2.14? There was no change related to OpenID in the 2.14 release: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/release-notes/opensearch-security-dashboards-plugin.release-notes-2.14.0.0.md

derek-ho commented on July 24, 2024

> @hjannasch Thank you for filing this issue!
>
> @derek-ho Could this be related to MDS changes in 2.14? There was no change related to OpenID in the 2.14 release: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/release-notes/opensearch-security-dashboards-plugin.release-notes-2.14.0.0.md

I don't think that MDS should have affected this, but I may need to deep dive and try to reproduce. I think another issue that has come up regarding refresh tokens not being used indicates it is working for other users. @hjannasch do you have the flag data_source.enabled set as true?

hjannasch commented on July 24, 2024

@derek-ho data_source.enabled is not set.

hjannasch commented on July 24, 2024

@derek-ho Maybe the logs can help? I have removed the long code and session_state params. Can I enable more debug, trace logs for the security plugin?

{"type":"log","@timestamp":"2024-05-30T07:04:03Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2024-05-30T07:04:03Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?code=...&session_state=...","method":"get","headers":{"host":"logs-training.itbs.bs.ch","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","referer":"https://logs-training.itbs.bs.ch/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=0, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/"},"res":{"statusCode":401,"responseTime":528,"contentLength":9},"message":"GET /auth/openid/login?code=...&session_state=abaa8de2-ab69-4622-9e7e-eff41f811428 401 528ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-30T07:04:03Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&session_state=...","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=1, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&state=46y-bPw20ZvB-B-zAjtUnH&session_state=..."},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /favicon.ico 401 3ms - 9.0B"}

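Authorization codes, `state` and `session_state` values appear in several fields of each Dashboards response record (`req.url`, the `referer` headers and `message`), so removing them by hand before posting logs is error-prone. The Python sketch below is an added example, not part of the thread or of the plugin; the sample record, its host name and its values are constructed.

```python
import json
import re

# Query parameters of the OpenID callback whose values should not be posted.
SENSITIVE = ("code", "state", "session_state", "id_token", "access_token")
# The lookbehind keeps "state" from matching inside "session_state".
_PARAM = re.compile(r"(?<![\w-])(" + "|".join(SENSITIVE) + r')=([^&\s"#]+)')

# Constructed record shaped like a Dashboards "response" log line.
SAMPLE = json.dumps({
    "type": "response", "statusCode": 401,
    "req": {
        "url": "/auth/openid/login?code=CONSTRUCTED-CODE&session_state=CONSTRUCTED-SESSION",
        "headers": {"referer": "https://dashboards.example/auth/openid/login"
                               "?code=CONSTRUCTED-CODE&state=CONSTRUCTED-STATE"},
        "referer": "https://dashboards.example/",
    },
    "message": "GET /auth/openid/login?code=CONSTRUCTED-CODE"
               "&session_state=CONSTRUCTED-SESSION 401 528ms - 9.0B",
})

def _scrub(value):
    """Recursively redact sensitive parameters in every string of a parsed record."""
    if isinstance(value, str):
        return _PARAM.sub(lambda m: m.group(1) + "=REDACTED", value)
    if isinstance(value, dict):
        return {k: _scrub(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    return value

def redact_line(line):
    """Redact one JSON log line; fall back to plain-text scrubbing if it is not JSON."""
    try:
        return json.dumps(_scrub(json.loads(line)), separators=(",", ":"))
    except json.JSONDecodeError:
        return _scrub(line)

def leaked_params(line):
    """Names of sensitive parameters that still carry a real value in the line."""
    return sorted({m.group(1) for m in _PARAM.finditer(line)
                   if m.group(2) not in ("REDACTED", "...")})
```

Running `leaked_params` over the redacted output as a final check catches fields that a manual edit would have missed.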

hjannasch commented on July 24, 2024

@derek-ho With logging.verbose: true there's not much more in the logs (one new debug log).

{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/openid/captureUrlFragment.js","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=1","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/openid/captureUrlFragment.js 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=0, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /auth/openid/login?nextUrl=%2F&redirectHash=false 302 4ms - 9.0B"}
{"type":"log","@timestamp":"2024-05-31T09:25:55Z","tags":["debug","opensearch","opendistro_security","query"],"pid":1,"message":"401\nGET /_plugins/_security/authinfo\n"}
{"type":"log","@timestamp":"2024-05-31T09:25:55Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?code=...&session_state=...","method":"get","headers":{"host":"logs-training.itbs.bs.ch","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","referer":"https://logs-training.itbs.bs.ch/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=0, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/"},"res":{"statusCode":401,"responseTime":439,"contentLength":9},"message":"GET /auth/openid/login?code=...&session_state=... 401 439ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-31T09:25:55Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&state=...","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=1, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&state=...&session_state=..."},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /favicon.ico 401 3ms - 9.0B"}

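Verbose Dashboards logs bury the few OpenID-relevant records in long header dumps. The Python sketch below is an added example, not part of the thread or of the plugin: it reduces such a log to a short timeline and names the first failing step, here the `401` logged for `GET /_plugins/_security/authinfo` just before the plugin's "OpenId authentication failed" error. The sample records are constructed, modelled on the record shapes posted above.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: same record shapes as the thread's logs, placeholder values.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"type": "response", "statusCode": 302,
     "req": {"url": "/auth/openid/login?nextUrl=%2F&redirectHash=false"}},
    {"type": "log", "tags": ["debug", "opensearch", "opendistro_security", "query"],
     "message": "401\nGET /_plugins/_security/authinfo\n"},
    {"type": "log", "tags": ["error", "plugins", "securityDashboards"],
     "message": "OpenId authentication failed: Error: Authentication Exception"},
    {"type": "response", "statusCode": 401,
     "req": {"url": "/auth/openid/login?code=CONSTRUCTED&session_state=CONSTRUCTED"}},
    {"type": "response", "statusCode": 401, "req": {"url": "/favicon.ico"}},
])

def openid_timeline(text):
    """Reduce JSON log lines to OpenID-relevant events; parameter values are dropped."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise such as stack traces
        if not isinstance(rec, dict):
            continue
        tags = rec.get("tags", [])
        if rec.get("type") == "response":
            url = urlsplit(rec["req"]["url"])
            if url.path.startswith("/auth/openid/"):
                names = tuple(sorted(parse_qs(url.query, keep_blank_values=True)))
                events.append(("http", url.path, names, rec["statusCode"]))
        elif "query" in tags:  # debug record: "<status>\n<method> <path>\n"
            status, _, request = rec.get("message", "").partition("\n")
            if status.isdigit():
                events.append(("backend", request.strip(), (), int(status)))
        elif "securityDashboards" in tags and "error" in tags:
            events.append(("plugin", rec.get("message", ""), (), None))
    return events

def failing_step(events):
    """Return (kind, what, status) of the first error event, or None if the flow is clean."""
    for kind, what, _params, status in events:
        if kind == "plugin" or (status is not None and status >= 400):
            return kind, what, status
    return None
```

Events are kept in file order because the `@timestamp` of a response record in these logs can precede the log records emitted while that request was being handled.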

scrawfor99 commented on July 24, 2024

[Triage] Hi @hjannasch thank you for filing this issue. This sounds like a regression and something we would not want to happen! Someone will go ahead and take a further look. It sounds like @derek-ho may be on the case.

hjannasch commented on July 24, 2024

@derek-ho Any news concerning this issue?

derek-ho commented on July 24, 2024

Hi @hjannasch just getting around to looking at this today. I am not able to reproduce this issue:

server  respons [15:00:41.357]  GET /auth/openid/captureUrlFragment?nextUrl=%2F 200 4ms - 9.0B
server  respons [15:00:41.383]  GET /auth/openid/captureUrlFragment.js 200 2ms - 9.0B
server  respons [15:00:41.406]  GET /auth/openid/login?redirectHash=false&nextUrl=%2F 302 3ms - 9.0B
server  respons [15:00:43.486]  GET /auth/openid/login?state=XXX&session_state=XXX 302 67ms - 9.0B

Since in your previous messages I also see no difference in configuration between 2.13 and 2.14, it makes me feel like it is a regression between 2.13 and 2.14 for your specific setup. Can you share your other opensearch_dashboards.yml config? It seems like the only change that was introduced in this timeframe is: #1899, which seems related to basepath settings. Did you have any other changes between the base path settings?

hjannasch commented on July 24, 2024

Hi @derek-ho tried upgrading to 2.15, but same issue detected.
