Comments (12)
Hi @derek-ho opensearch_dashboards.yml is as follows. I detected a copy/paste issue where the client_secret is duplicated, but the second one is in comments. But I don't think that's an issue.
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: ["ELASTICSEARCH_URL_PLACEHOLDER"]
# Enable OpenID authentication
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
opensearch_security.openid.client_id: "<CLIENT_ID>"
opensearch_security.openid.client_secret: CLIENT_SECRET
opensearch_security.openid.base_redirect_url: "https://logs-training.itbs.bs.ch"
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# The client secret of the OpenID Connect client
#opensearch_security.openid.client_secret: "CLIENT_SECRET"
# Configure the Kibana internal server user
opensearch.username: kibanaserver
opensearch.password: elastic_kibanaserver_password_placeholder
# Disable SSL verification when using self-signed demo certificates
opensearch.ssl.verificationMode: none
# Whitelist basic headers and multi-tenancy header
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
from security-dashboards-plugin.
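The configuration above is the kind of file where small pasting mistakes (a typographic quote copied from a document, a duplicated key, an unquoted secret) survive unnoticed because YAML still parses. As an added example, not code from the original issue or from the security-dashboards-plugin project, here is a small line-based linter for the OpenID-related keys of an opensearch_dashboards.yml. The sample configuration embedded in it is constructed to mirror the shape of the one in the thread, with placeholder values only; the key names are the real plugin settings, the checks and messages are this example's own.

```python
import re

# Constructed sample in the shape of the opensearch_dashboards.yml from the thread.
# Placeholders only; the typographic quotes on the readonly roles line are deliberate.
SAMPLE_CONFIG = """\
server.host: "0.0.0.0"
# Enable OpenID authentication
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
opensearch_security.openid.client_id: "<CLIENT_ID>"
opensearch_security.openid.client_secret: CLIENT_SECRET
opensearch_security.openid.base_redirect_url: "https://dashboards.example.invalid"
opensearch_security.readonly_mode.roles: [\u201ckibana_read_only\u201d]
#opensearch_security.openid.client_secret: "CLIENT_SECRET"
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
"""

# Matches "key: value" and "#key: value" (a commented-out setting); free-text comments do not match.
KEY_RE = re.compile(r"^(#?)\s*([A-Za-z0-9_.]+):\s*(.*)$")
CURLY = "\u201c\u201d\u2018\u2019"
REQUIRED_OPENID = (
    "opensearch_security.openid.connect_url",
    "opensearch_security.openid.client_id",
    "opensearch_security.openid.client_secret",
)


def unquote(value):
    """Strip one pair of matching ASCII quotes from a scalar, if present."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    return v


def lint_config(text):
    """Return [(line_no, message)] for common OIDC config pitfalls; line 0 means 'whole file'."""
    findings, active, commented = [], {}, {}
    for no, raw in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(raw.strip())
        if not m:
            continue
        is_comment, key, value = m.group(1) == "#", m.group(2), m.group(3)
        if any(ch in value for ch in CURLY):
            findings.append((no, f"{key}: typographic quotes in value; YAML keeps them as literal characters, use ASCII quotes"))
        if is_comment:
            commented.setdefault(key, no)
            continue
        if key in active:
            findings.append((no, f"{key}: duplicate key, first set on line {active[key][0]}; the later value wins"))
        if key.endswith(".client_secret") and value and value[0] not in "\"'":
            findings.append((no, f"{key}: unquoted secret; quote it so a real secret containing # or : is not misparsed"))
        active[key] = (no, value)
    for key, no in commented.items():
        if key in active:
            findings.append((no, f"{key}: commented-out copy of the active key on line {active[key][0]} (harmless, but easy to edit by mistake)"))
    auth = active.get("opensearch_security.auth.type")
    if auth and unquote(auth[1]) == "openid":
        for key in REQUIRED_OPENID:
            if key not in active:
                findings.append((0, f"{key}: required when auth.type is openid but not set"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {message}")
```

Run it against a real file with `lint_config(open("opensearch_dashboards.yml").read())`. It deliberately avoids a YAML library so that it can point at the exact line of a problem, which a parsed document no longer knows.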
@hjannasch Thank you for filing this issue!
@derek-ho Could this be related to MDS changes in 2.14? There was no change related to OpenID in the 2.14 release: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/release-notes/opensearch-security-dashboards-plugin.release-notes-2.14.0.0.md
I don't think that MDS should have affected this, but I may need to deep dive and try to reproduce. I think another issue that has come up regarding refresh tokens not being used indicates it is working for other users. @hjannasch do you have the flag data_source.enabled set as true?
from security-dashboards-plugin.
@derek-ho data_source.enabled is not set.
from security-dashboards-plugin.
@derek-ho Maybe the logs can help? I have removed the long code and session_state params. Can I enable more debug, trace logs for the security plugin?
{"type":"log","@timestamp":"2024-05-30T07:04:03Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2024-05-30T07:04:03Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?code=...&session_state=...","method":"get","headers":{"host":"logs-training.itbs.bs.ch","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","referer":"https://logs-training.itbs.bs.ch/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=0, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/"},"res":{"statusCode":401,"responseTime":528,"contentLength":9},"message":"GET /auth/openid/login?code=...&session_state=abaa8de2-ab69-4622-9e7e-eff41f811428 401 528ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-30T07:04:03Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&session_state=...","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=1, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&state=46y-bPw20ZvB-B-zAjtUnH&session_state=..."},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /favicon.ico 401 3ms - 9.0B"}
from security-dashboards-plugin.
@derek-ho With logging.verbose: true there's not much more in the logs (one new debug log).
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/openid/captureUrlFragment.js","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=1","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/openid/captureUrlFragment.js 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=0, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/captureUrlFragment?nextUrl=/"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /auth/openid/login?nextUrl=%2F&redirectHash=false 302 4ms - 9.0B"}
{"type":"log","@timestamp":"2024-05-31T09:25:55Z","tags":["debug","opensearch","opendistro_security","query"],"pid":1,"message":"401\nGET /_plugins/_security/authinfo\n"}
{"type":"log","@timestamp":"2024-05-31T09:25:55Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?code=...&session_state=...","method":"get","headers":{"host":"logs-training.itbs.bs.ch","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","referer":"https://logs-training.itbs.bs.ch/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=0, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/"},"res":{"statusCode":401,"responseTime":439,"contentLength":9},"message":"GET /auth/openid/login?code=...&session_state=... 401 439ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-31T09:25:55Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"logs-training.itbs.bs.ch","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&state=...","accept-encoding":"gzip, deflate, br, zstd","accept-language":"de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6","priority":"u=1, i","x-forwarded-proto":"https"},"remoteAddress":"172.25.3.2","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://logs-training.itbs.bs.ch/auth/openid/login?code=...&state=...&session_state=..."},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /favicon.ico 401 3ms - 9.0B"}
from security-dashboards-plugin.
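The two log excerpts above contain the whole story of the failing handshake: the plugin redirects to the IdP (302 on /auth/openid/login?nextUrl=...), the IdP calls back with a code, the plugin then queries OpenSearch's /_plugins/_security/authinfo, which answers 401, and the callback ends in 401 with "OpenId authentication failed". As an added example, not code from the issue or from the security-dashboards-plugin project, the script below reads OpenSearch Dashboards JSON log lines, redacts the authorization code and session_state values that the reporter had to strip by hand, and classifies the steps of the OIDC flow into a short verdict. The log lines embedded in it are constructed to match the shape of those in the thread (headers trimmed, placeholder code value); the verdict strings are this example's own naming.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample in the shape of the OpenSearch Dashboards JSON log lines quoted in the thread.
# The code/state/session_state values are placeholders, not real tokens.
SAMPLE_LOG = r"""
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/openid/captureUrlFragment.js","method":"get","headers":{}},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/openid/captureUrlFragment.js 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{}},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /auth/openid/login?nextUrl=%2F&redirectHash=false 302 4ms - 9.0B"}
{"type":"log","@timestamp":"2024-05-31T09:25:55Z","tags":["debug","opensearch","opendistro_security","query"],"pid":1,"message":"401\nGET /_plugins/_security/authinfo\n"}
{"type":"log","@timestamp":"2024-05-31T09:25:55Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2024-05-31T09:25:54Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?code=0.PLACEHOLDERsecretcodeXXX&state=46y-bPw&session_state=abaa8de2-ab69","method":"get","headers":{}},"res":{"statusCode":401,"responseTime":439,"contentLength":9},"message":"GET /auth/openid/login?code=0.PLACEHOLDERsecretcodeXXX&state=46y-bPw&session_state=abaa8de2-ab69 401 439ms - 9.0B"}
"""

# Query parameters that must never end up in a pasted log or ticket.
SENSITIVE_PARAMS = {"code", "session_state", "id_token", "access_token", "refresh_token"}


def redact_url(url):
    """Replace the values of sensitive query parameters, keeping the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def triage(log_text):
    """Extract the OIDC flow steps from JSON log lines and summarise where the login stopped."""
    events, callback_status, backend_status, plugin_error = [], None, None, None
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        ts, tags = entry.get("@timestamp"), entry.get("tags", [])
        if entry.get("type") == "response":
            url = entry["req"]["url"]
            parts = urlsplit(url)
            if parts.path != "/auth/openid/login":
                continue  # static assets, favicon etc. are not part of the handshake
            query = dict(parse_qsl(parts.query))
            # The callback from the IdP is the only request carrying an authorization code.
            step = "idp_callback" if "code" in query else "login_redirect"
            status = entry["res"]["statusCode"]
            if step == "idp_callback":
                callback_status = status
            events.append({"ts": ts, "step": step, "status": status, "url": redact_url(url)})
        elif entry.get("type") == "log":
            msg = entry.get("message", "")
            if "opendistro_security" in tags and "/_plugins/_security/authinfo" in msg:
                backend_status = int(msg.split()[0])  # message starts with the HTTP status
                events.append({"ts": ts, "step": "backend_authinfo", "status": backend_status})
            elif "securityDashboards" in tags and "error" in tags:
                plugin_error = msg
                events.append({"ts": ts, "step": "plugin_error", "message": msg})
    if callback_status == 401 and backend_status == 401:
        # The IdP returned a code, but OpenSearch rejected the resulting token on authinfo:
        # the failure sits between Dashboards and the OpenSearch security backend.
        verdict = "backend_rejected_token"
    elif callback_status is not None and 300 <= callback_status < 400:
        verdict = "login_completed"
    elif callback_status is None:
        verdict = "no_callback_seen"
    else:
        verdict = "callback_failed_other"
    return {"verdict": verdict, "callback_status": callback_status,
            "backend_authinfo_status": backend_status, "plugin_error": plugin_error, "events": events}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed it the container's stdout (`triage(open("dashboards.log").read())`); the redacted `events` list is safe to paste into an issue, and the verdict separates "the IdP never called back" from "the backend refused the token", which call for looking at different components.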
[Triage] Hi @hjannasch thank you for filing this issue. This sounds like a regression and something we would not want to happen! Someone will go ahead and take a further look. It sounds like @derek-ho may be on the case.
from security-dashboards-plugin.
@derek-ho Any news concerning this issue?
from security-dashboards-plugin.
Hi @hjannasch just getting around to looking at this today. I am not able to reproduce this issue:
server respons [15:00:41.357] GET /auth/openid/captureUrlFragment?nextUrl=%2F 200 4ms - 9.0B
server respons [15:00:41.383] GET /auth/openid/captureUrlFragment.js 200 2ms - 9.0B
server respons [15:00:41.406] GET /auth/openid/login?redirectHash=false&nextUrl=%2F 302 3ms - 9.0B
server respons [15:00:43.486] GET /auth/openid/login?state=XXX&session_state=XXX 302 67ms - 9.0B
Since in your previous messages I also see no difference in configuration between 2.13 and 2.14, it makes me feel like it is a regression in between 2.13 and 2.14 for your specific setup. Can you share your other opensearch_dashboards.yml config? It seems like the only change that was introduced in this timeframe is: #1899, which seems related to basepath settings. Did you have any other changes between the base path settings?
from security-dashboards-plugin.
Hi @derek-ho tried upgrading to 2.15, but same issue detected.
from security-dashboards-plugin.