Hi all,
I’m evaluating OpenSearch and trying to get proxy authentication working.
My Setup:
- OpenSearch version: 1.2.0
- Deployment method: kubernetes
- 1 dedicated Coordinator node
- 1 dedicated Master node
- 1 dedicated Data node
I have the following config.yml for the security plugin:
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*' # regex pattern
        remoteIpHeader: 'x-forwarded-for'
    authc:
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: proxy-uid
            roles_header: proxy-roles
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
    authz:
      <unmodified>
The following commands fail:
$ curl -k https://opensearch -H 'proxy-uid: myUser' -H 'proxy-roles: admin'
Unauthorized
$ curl -k https://opensearch -H 'proxy-uid: myUser' -H 'proxy-roles: all_access'
Unauthorized
But this command succeeds:
$ curl -k https://opensearch -u admin:admin
{
  "name" : "opensearch-coordinator-0",
  "cluster_name" : "my-cluster",
  "cluster_uuid" : "...",
  "version" : {
    "distribution" : "opensearch",
    "number" : "1.2.0",
    "build_type" : "tar",
    "build_hash" : "c459282fd67ddb17dcc545ec9bcdc805880bcbec",
    "build_date" : "2021-11-22T16:57:18.360386Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
When I check via the Dashboard I see:
If I check the audit log I see entries for my failed request with audit_category set to FAILED_LOGIN. The audit log lists the proxy-user and proxy-roles headers as well. Neither the coordinator, master, nor data nodes log anything to their logs.
Using the dashboard I added a backend role for myUser to role all_access, but that didn't seem to help either.
Any help as to what might be wrong or how I can debug this would be appreciated.
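Added example, not part of the original post and not the security plugin's own code: a small Python model of the decision the plugin's XFF resolver and proxy authenticator make for the posted config. It assumes (my reading of the plugin's behaviour, labelled as such) that the proxy authenticator is only consulted once XFF has been resolved, which requires the configured remoteIpHeader to be present on the request and the connecting address to match internalProxies; the curl commands above send no x-forwarded-for header, so the model shows them falling through to the Basic domain with no credentials.

```python
import re

# Constructed mirror of the relevant keys from the posted config.yml (not parsed from the file).
CONFIG = {
    "xff": {"enabled": True, "internalProxies": ".*", "remoteIpHeader": "x-forwarded-for"},
    "proxy": {"user_header": "proxy-uid", "roles_header": "proxy-roles"},
}


def xff_resolved(config, remote_addr, headers):
    """Assumption: XFF counts as resolved only when it is enabled, the connecting
    address matches the internalProxies regex, and the remoteIpHeader is present.
    `headers` must already have lower-cased keys."""
    xff = config["xff"]
    if not xff["enabled"]:
        return False
    if re.fullmatch(xff["internalProxies"], remote_addr) is None:
        return False
    return xff["remoteIpHeader"].lower() in headers


def proxy_credentials(config, remote_addr, headers):
    """Return (user, [roles]) the proxy authenticator would extract, or None when
    it declines and the next authc domain in `order` (HTTP Basic here) is tried."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not xff_resolved(config, remote_addr, headers):
        return None
    user = headers.get(config["proxy"]["user_header"].lower())
    if not user:
        return None
    roles = headers.get(config["proxy"]["roles_header"].lower(), "")
    return user, [r.strip() for r in roles.split(",") if r.strip()]


def explain(config, remote_addr, headers):
    """One-line verdict for a request, mirroring the two curl calls in the post."""
    creds = proxy_credentials(config, remote_addr, headers)
    if creds is None:
        return "proxy authc skipped (XFF not resolved or no user header); Basic domain next"
    return f"proxy authc: user={creds[0]} roles={creds[1]}"


if __name__ == "__main__":
    # Constructed requests: the post's curl (no x-forwarded-for) and one sent via a proxy.
    plain = {"proxy-uid": "myUser", "proxy-roles": "all_access"}
    via_proxy = {"x-forwarded-for": "192.0.2.10", **plain}
    print(explain(CONFIG, "10.0.0.5", plain))
    print(explain(CONFIG, "10.0.0.5", via_proxy))
```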