How can I authenticate my OpenSearch users with a client certificate

Hi,

Can I configure OpenSearch Dashboards to use client cert auth? I don’t know if I have understood the documentation, because no certificate is required on the OpenSearch Dashboards and no user works.

Configurations:

OpenSearch Dashboards config.yml

server.host: "0.0.0.0"
server.port: 5601
server.name: "os-node-02"
opensearch.hosts: ["https://os-node-03:9200", "https://os-node-01:9200", "https://os-node-02:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "XXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/node.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/node-key.pem
opensearch.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
opensearch.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true

OpenSearch node config.yml

network.bind_host: 0.0.0.0
network.publish_host: 192.168.0.4
cluster.name: os-cluster
node.name: os-node-01
discovery.seed_hosts: ["192.168.0.5", "192.168.0.7", "192.168.0.4"]
cluster.initial_master_nodes: ["os-node-01", "os-node-02", "os-node-03"]
bootstrap.memory_lock: true # along with the memlock settings below, disables swapping
action.auto_create_index: true
compatibility.override_main_response_version: true

### Security
plugins.security.allow_default_init_securityindex: true
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.clientauth_mode: REQUIRE
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,O=Org,L=Paris,ST=Ile de France,C=FR'
plugins.security.nodes_dn:
  - 'CN=os-node-01,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-02,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-03,O=Org,L=Paris,ST=Ile de France,C=FR'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
###

OpenSearch security plugin config.yml

---

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
    authz:

Moved to security category.

@acamilleri
What errors are you seeing?
There are a couple of things to note here:
I see you disabled basic_auth in config.yml, yet listed a username and password in Dashboard.yml, which wouldn’t be necessary if you are using client_auth.

Have you mapped the client CN to the appropriate security role via the roles_mapping.yml file?

Also, since basic_auth is disabled, how will users sign in once OpenSearch Dashboards is up and running?
I would recommend enabling basic_auth so that users can log in and be assigned the relevant permissions.

Once you share the errors you are seeing, it will be clearer where to go next.
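The two things the reply above asks about, how the `clientcert` authenticator with `username_attribute: cn` derives a username from the certificate's subject DN and whether that username is then matched in roles_mapping.yml, can be checked offline. The following is an added example and is not code from the thread or from the OpenSearch project. It assumes that the plugin takes the named attribute from the subject DN (and the whole DN when no attribute is configured), and it approximates the plugin's user matching with shell-style wildcards; the DNs and the roles mapping are constructed sample data.

```python
"""Added example: derive an OpenSearch username from a client certificate's
subject DN and resolve it against a roles_mapping.yml-style mapping.

Assumptions (not verified against the plugin source): the clientcert
authenticator uses the `username_attribute` RDN value as the username and the
full DN when the attribute is unset; user patterns in roles_mapping.yml are
matched with wildcards, approximated here with fnmatch.
"""
from fnmatch import fnmatchcase

# Constructed sample of roles_mapping.yml (mirrors the YAML structure as a dict).
ROLES_MAPPING = {
    "all_access": {"users": ["ADMIN"]},
    "kibana_user": {"users": ["acamilleri", "os-analyst-*"]},
    "readall": {"users": ["acamilleri"]},
}


def parse_dn(dn):
    """Split an RFC 4514 style DN into {attribute: value}.

    Commas escaped with a backslash are part of the value, not separators.
    Attribute names are lower-cased so 'CN' and 'cn' both map to 'cn'.
    If an attribute appears twice, the first (leftmost) value wins.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns = {}
    for part in parts:
        if "=" not in part:
            continue  # malformed fragment, ignored
        key, value = part.split("=", 1)
        rdns.setdefault(key.strip().lower(), value.strip())
    return rdns


def username_from_cert(subject_dn, username_attribute="cn"):
    """Return the username the clientcert authenticator would use.

    With username_attribute unset the whole DN is the username (assumption).
    Returns None when the requested attribute is absent, i.e. the certificate
    cannot identify a user and authentication should fail.
    """
    if username_attribute is None:
        return subject_dn
    return parse_dn(subject_dn).get(username_attribute.lower())


def roles_for(username, mapping=ROLES_MAPPING):
    """Roles whose `users` list matches the username (wildcards allowed)."""
    return sorted(
        role
        for role, entry in mapping.items()
        if any(fnmatchcase(username, pat) for pat in entry.get("users", []))
    )


def authenticate(subject_dn, username_attribute="cn", mapping=ROLES_MAPPING):
    """Full path: DN -> username -> roles. None means 'no usable identity'."""
    user = username_from_cert(subject_dn, username_attribute)
    if user is None:
        return None
    return user, roles_for(user, mapping)


if __name__ == "__main__":
    # Sample DNs in the same shape as the thread's admin_dn / nodes_dn entries.
    for dn in [
        "CN=ADMIN,O=Org,L=Paris,ST=Ile de France,C=FR",
        "CN=acamilleri,O=Org,L=Paris,ST=Ile de France,C=FR",
        "CN=os-analyst-07,O=Org,C=FR",
        "O=Org,L=Paris,C=FR",  # no CN at all
    ]:
        print(dn, "->", authenticate(dn))
```

A certificate whose subject has no CN yields no username and therefore no roles, which is the failure mode to look for when "no user works": the Dashboards login will not succeed until the CN (or whichever attribute is configured) is present in the certificate and appears in a `users` list in roles_mapping.yml.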

Hello @Anthony,

I haven’t got any errors, I just want to configure OpenSearch Dashboards to authenticate users with a client certificate like PKI user authentication | Elasticsearch Guide [8.4] | Elastic, but I don’t know if it is possible.

I already enabled mTLS authentication between Elasticsearch and Kibana.

When I set server.ssl.clientAuthentication to true, the request is cancelled and nothing works.

When I set opensearch.ssl.alwaysPresentCertificate to true, OpenSearch Dashboards accepts any login/password and authenticates the user with the certificate defined in the variable opensearch.ssl.certificate, but this is the same variable used to communicate with Elasticsearch and it is not possible to override this variable from the browser.

Do you understand what I want to do? But I’m not sure it is possible.

Thanks!

@acamilleri This does not seem to be currently supported by OpenSearch. Users can connect directly to Elasticsearch using certificates, or OpenSearch Dashboards can authenticate via certificate with OpenSearch.

I would recommend raising a feature request.

Hope this helps.

Ok, thank you for your help :wink:

I opened a feature request: https://github.com/opensearch-project/security/issues/1470

Have a nice day!