How can I authenticate my OpenSearch users with a client certificate

Hi,

Can I configure OpenSearch Dashboards to use client cert auth? I don't know if I have understood the documentation, because no certificate is requested by OpenSearch Dashboards and no user works.

Configurations:

OpenSearch Dashboards config.yml

server.host: "0.0.0.0"
server.port: 5601
server.name: "os-node-02"
opensearch.hosts: ["https://os-node-03:9200", "https://os-node-01:9200", "https://os-node-02:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "XXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/node.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/node-key.pem
opensearch.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
opensearch.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true

OpenSearch node config.yml

network.bind_host: 0.0.0.0
network.publish_host: 192.168.0.4
cluster.name: os-cluster
node.name: os-node-01
discovery.seed_hosts: ["192.168.0.5", "192.168.0.7", "192.168.0.4"]
cluster.initial_master_nodes: ["os-node-01", "os-node-02", "os-node-03"]
bootstrap.memory_lock: true # along with the memlock settings below, disables swapping
action.auto_create_index: true
compatibility.override_main_response_version: true

### Security
plugins.security.allow_default_init_securityindex: true
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.clientauth_mode: REQUIRE
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,O=Org,L=Paris,ST=Ile de France,C=FR'
plugins.security.nodes_dn:
  - 'CN=os-node-01,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-02,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-03,O=Org,L=Paris,ST=Ile de France,C=FR'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
###

OpenSearch security plugin config.yml

---

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
    authz:

Moved to security category.

@acamilleri
What errors are you seeing?
There are a couple of things to note here:
I see you disabled basic_auth in config.yml, yet listed a username and password in the Dashboards config, which wouldn't be necessary if you are using client_auth.

Have you mapped the client cn to appropriate security role via roles_mapping.yml file?

Also, since basic_auth is disabled, how will users sign in once OpenSearch Dashboards is up and running?
I would recommend enabling basic_auth so that users can log in and be assigned the relevant permissions.

Once you share the errors you are seeing, it will be clearer where to go next.
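To make the two points in this thread concrete (the clientcert domain with `username_attribute: cn` and the missing roles_mapping.yml), here is a small Python model of what the security plugin does with a presented certificate: it first compares the full subject DN against `plugins.security.authcz.admin_dn`, otherwise takes the configured attribute (cn) as the username and resolves roles from a roles mapping. This is an added example, not the plugin's own code or the thread's configuration; `ADMIN_DNS` is taken from the posted config, while `ROLES_MAPPING` and the DNs in the usage section are constructed sample values. It also includes a check for the Dashboards settings the reply points out (basic credentials configured next to a client certificate).

```python
"""Simplified model of the OpenSearch security plugin's clientcert authenticator.

Added example (not plugin code): shows why a certificate whose CN is not in
roles_mapping.yml authenticates (authentication_backend: noop needs no password)
but ends up with no roles and therefore no permissions.
"""
import re

# From the posted node config.yml: full-DN match grants admin rights.
ADMIN_DNS = ["CN=ADMIN,O=Org,L=Paris,ST=Ile de France,C=FR"]

# Constructed stand-in for roles_mapping.yml (role -> users it is mapped to).
ROLES_MAPPING = {
    "all_access": {"users": ["ADMIN"]},
    "kibana_server": {"users": ["kibanaserver", "os-node-02"]},
    "readall": {"users": ["alice,ops"]},
}

# Split a DN on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return [(attribute, value), ...] with lower-cased attributes and unescaped values."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def username_from_dn(dn, username_attribute="cn"):
    """Pick the attribute named by username_attribute (cn in the posted config)."""
    for attr, value in parse_dn(dn):
        if attr == username_attribute.lower():
            return value
    return None


def is_admin_dn(dn):
    """Admin DNs are matched on the whole normalised DN, not on the CN alone."""
    wanted = parse_dn(dn)
    return any(parse_dn(admin) == wanted for admin in ADMIN_DNS)


def roles_for(username, roles_mapping=ROLES_MAPPING):
    """Roles whose 'users' list contains the username (backend roles are not used with noop)."""
    return sorted(role for role, m in roles_mapping.items() if username in m.get("users", []))


def resolve(dn, username_attribute="cn", roles_mapping=ROLES_MAPPING):
    """Outcome for a presented client certificate subject DN."""
    if is_admin_dn(dn):
        return {"kind": "admin", "username": None, "roles": ["all_access"]}
    username = username_from_dn(dn, username_attribute)
    if username is None:
        return {"kind": "rejected", "username": None, "roles": []}
    roles = roles_for(username, roles_mapping)
    # noop backend: the user is authenticated, but without a mapping it has no permissions.
    kind = "user" if roles else "unmapped"
    return {"kind": kind, "username": username, "roles": roles}


def dashboards_config_warnings(cfg):
    """Flag the Dashboards settings the reply calls out; cfg is a flat key -> value dict."""
    warnings = []
    if cfg.get("opensearch.username") and cfg.get("opensearch.ssl.certificate"):
        warnings.append("opensearch.username/password are set alongside a client certificate; "
                        "with only the clientcert domain enabled they are never used")
    if cfg.get("opensearch.ssl.certificate") and not cfg.get("opensearch.ssl.key"):
        warnings.append("opensearch.ssl.certificate is set without opensearch.ssl.key")
    return warnings


if __name__ == "__main__":
    # Constructed sample subjects following the pattern in the question.
    for subject in ("CN=ADMIN,O=Org,L=Paris,ST=Ile de France,C=FR",
                    "CN=os-node-02,O=Org,L=Paris,ST=Ile de France,C=FR",
                    "CN=bob,O=Org,L=Paris,ST=Ile de France,C=FR",
                    "CN=alice\\,ops,O=Org,L=Paris,ST=Ile de France,C=FR"):
        print(subject, "->", resolve(subject))
    print(dashboards_config_warnings({
        "opensearch.username": "kibanaserver",
        "opensearch.ssl.certificate": "/usr/share/opensearch-dashboards/config/client-cert.pem",
        "opensearch.ssl.key": "/usr/share/opensearch-dashboards/config/client-cert-key.pem",
    }))
```

The practical reading: with `clientauth_mode: REQUIRE` and only the clientcert domain enabled, the OpenSearch backend identifies Dashboards by the CN of client-cert.pem, not by `opensearch.username`, and a CN that appears in no roles_mapping.yml entry gets an authenticated session with an empty role set. Checking the CN with `openssl x509 -in client-cert.pem -noout -subject` and comparing it against roles_mapping.yml is the first thing to verify.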