2 Factor Authentication

Hello OpenSearch Community!

Does anybody have a clue on the possible options for 2-Factor-Auth with OpenSearch, ideally with Google’s 2FA?

It seems to me that I need to deploy some plugin for Dashboards, like:

At this point, I have 2 questions:

  1. Is there any other applicable solution for OpenSearch Dashboards 2FA?
  2. Is there any documentation on plugin development for OpenSearch?

Thank you and have a nice day.

@keks
Maybe I misunderstand the question, but have you tried to configure Google as OpenID authentication in OS?
When this is set up it “should” be straightforward to enable 2FA from Google Cloud Console. Therefore I do not see a need for any additional plugin.
I have previously got it working with Google using OpenID and test users, have yet to try MFA, but there is an article here that might help.
Maybe I missed some requirement though, let me know.

@Anthony
Thank you for your response.
I am deploying OpenSearch on my own infrastructure, not using any AWS or GCP etc. Can I still use Google for authentication? If so, how would I configure Google as OpenID authentication in OS?

I know in OpenDistro people also used Keycloak as an authentication provider, but is there a plugin for this for OpenSearch?

@keks I had it working using a locally running instance of OS, therefore it’s definitely possible.
The configuration is the same as any other OpenID config; the part in config.yml would look something like this:

openid:
  http_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: true
    config:
      openid_connect_url: "https://accounts.google.com/.well-known/openid-configuration"
      subject_key: "name"
      roles_key: "" # can't retrieve roles from Google
  authentication_backend:
    type: noop

OpensearchDashboard.yml:

opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration"
opensearch_security.openid.client_id: ".....apps.googleusercontent.com"
opensearch_security.openid.client_secret: "...."
opensearch_security.openid.base_redirect_url: "https://localhost:5601"

Regarding the actual Google side, there are various tutorials out there. Not sure which one is the most updated one, you will need to have a look.

Hope this helps

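Added example, not part of the original posts and not the security plugin's own code: a sketch of how the `subject_key` setting in the config above chooses which ID-token claim becomes the OpenSearch user name (falling back to `sub` when unset), with a check for values that are not unique per account. The tokens and claim values are constructed, and the helper names are hypothetical.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_username(claims: dict, subject_key=None) -> str:
    """Claim that becomes the user name; `sub` is used when subject_key is unset."""
    key = subject_key or "sub"
    value = claims.get(key)
    if not isinstance(value, str) or not value:
        raise ValueError(f"token has no usable {key!r} claim")
    return value

def audit_subject_key(tokens, subject_key=None) -> dict:
    """Return each user name that several distinct accounts (`sub`) resolve to."""
    accounts = {}
    for token in tokens:
        claims = jwt_claims(token)
        name = resolve_username(claims, subject_key)
        accounts.setdefault(name, set()).add(claims["sub"])
    return {name: sorted(subs) for name, subs in accounts.items() if len(subs) > 1}

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.constructed-signature"

# Constructed claims: two different accounts share one display name.
SAMPLE_TOKENS = [make_sample_token(c) for c in (
    {"sub": "1001", "email": "alex@example.com", "name": "Alex Admin"},
    {"sub": "1002", "email": "alex.admin@example.net", "name": "Alex Admin"},
    {"sub": "1003", "email": "sam@example.com", "name": "Sam Reader"},
)]

if __name__ == "__main__":
    for key in ("name", "email", None):
        result = audit_subject_key(SAMPLE_TOKENS, key)
        print(f"subject_key={key!r}: ambiguous user names -> {result}")
```

Because `roles_key` is empty in that config, role mappings are keyed on the resolved user name, so a claim that is unique per account keeps those mappings unambiguous.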

Aah, so it is really possible to use some openid connector. Cool cool! So this I cannot do from docker-compose.yml, can I? Instead I should be using the distributions from the opensearch website, am I correct?
Also in your response above you mentioned the config.yml. Is this config from the openid connector, or from OpenSearch? It is definitely not from Dashboards, I guess… Sorry for noob questions

@keks You can use docker-compose, yes; in fact this is how I had it running.

The config.yml file I mentioned is the security config located in /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ if you are using docker.

Hope this helps