
Error connecting to OpenSearch server with selective anonymous access permitted

Open jgough opened this issue 2 years ago • 5 comments

I don't know if OpenSearch is officially supported by Cerebro but it seems to be 100% compatible. I am having an issue though when anonymous access is enabled. I suspect the same error below would also be present on Elasticsearch given the similarity.

To reproduce:

  1. Set up an OpenSearch cluster with anonymous access permitted where the anonymous user does not have full permissions
  2. Try to connect via Cerebro:

Result: Cerebro tries to connect anonymously without authentication and returns the error Unexpected response status: [403]. This is because the server can be accessed but the anonymous user is not allowed to monitor the health of the cluster; that requires a user with the correct permissions.

OpenSearch itself returns a 403 response to the request with the message no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]

In this situation I would expect cerebro to present me with a login to allow me to enter credentials for access, since the anonymous access didn't have sufficient permissions.

This seems to be because the code is not expecting a 403 response and will only treat a 401 as the situation to ask for credentials: https://github.com/lmenezes/cerebro/blob/main/public/js/app.js#L606

I've experimented with the source code, and if I add case 403: here it seems to fix this issue and presents me with the typical login screen.

jgough avatar Apr 28 '22 15:04 jgough
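As an added example (not Cerebro's own code and not part of this issue), the snippet below models the decision described above: the original front end opens the login form only on a 401, while the variant here also treats a 403 issued to OpenSearch's anonymous user as "ask for credentials". A 403 returned to an already authenticated user is reported as a permission problem instead, so the UI does not loop back to the login form when the real fix is a role mapping. The user name `opendistro_security_anonymous` is taken from the error quoted in the issue; the shape of the sample error bodies (`error.reason`, `status`) and the function names `classifyFailure`, `isAnonymousDenied` and `promptsLoginOriginal` are assumptions made for this example.

```javascript
// Added example, not Cerebro's code: how a client could react to a failed
// cluster request when anonymous access is enabled but under-privileged.

// Name OpenSearch's security plugin uses for the anonymous user, as quoted
// in the issue. Treated as a fixed string here (assumption).
const ANONYMOUS_USER = 'opendistro_security_anonymous';

// Constructed sample bodies. The layout (error.reason plus status) follows
// the usual security_exception response and is an assumption of this example.
const ANON_403_BODY = {
  error: {
    type: 'security_exception',
    reason: 'no permissions for [cluster:monitor/health] and User [name=' +
      ANONYMOUS_USER +
      ', backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]'
  },
  status: 403
};
const USER_403_BODY = {
  error: {
    type: 'security_exception',
    reason: 'no permissions for [indices:monitor/stats] and User [name=readonly, backend_roles=[], requestedTenant=null]'
  },
  status: 403
};

// Behaviour as described in the issue: only a 401 opens the login form.
function promptsLoginOriginal(status) {
  return status === 401;
}

// Pull the human-readable reason out of a raw or parsed error body.
function errorReason(body) {
  if (typeof body === 'string') return body;
  if (body && body.error && typeof body.error.reason === 'string') return body.error.reason;
  return '';
}

// True when the denial names the anonymous user, i.e. the request reached the
// cluster without credentials and the anonymous role was not enough.
function isAnonymousDenied(body) {
  return errorReason(body).includes('User [name=' + ANONYMOUS_USER);
}

// Decide how the UI should react to a failed request.
//   { status, body, hasCredentials } -> { action, message }
// action is 'prompt-login', 'forbidden' or 'error'.
function classifyFailure({ status, body, hasCredentials }) {
  if (status === 401) {
    return { action: 'prompt-login', message: 'Authentication required' };
  }
  if (status === 403) {
    // Anonymous access is on but the anonymous user lacks a permission the
    // client needs (e.g. cluster:monitor/health): ask for a real login.
    if (!hasCredentials || isAnonymousDenied(body)) {
      return { action: 'prompt-login', message: 'Anonymous user lacks permission: ' + errorReason(body) };
    }
    // A named user was rejected: re-prompting would just loop, so surface
    // the missing permission for the operator to fix in the role mapping.
    return { action: 'forbidden', message: errorReason(body) || 'Forbidden' };
  }
  return { action: 'error', message: 'Unexpected response status: [' + status + ']' };
}
```

The `hasCredentials` flag is whatever the client already knows about the current session; the body check is a fallback for the case where the request went out without credentials but the error text is the only evidence of it.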

Looks like the 403 response is probably a bug in OpenSearch and it should be returning a 401. I have filed an issue here https://github.com/opensearch-project/security/issues/1825

jgough avatar May 05 '22 06:05 jgough

@jgough This might not apply to you. But I'm running OpenSearch with an Nginx proxy in front of it. Nginx is configured with basic auth. This works flawlessly.

jonkerw85 avatar May 06 '22 07:05 jonkerw85

@wjonkerhulst I believe this is specifically related to the anonymous auth (setting anonymous_auth_enabled: true) so may not actually be a bug in Cerebro. Without anonymous auth enabled it works 100%.

jgough avatar May 06 '22 07:05 jgough

I don't know about anonymous auth, but I found this error when I connected cerebro up to my OpenSearch cluster. I can view the nodes, but the overview page simply won't load:

{
  "error": "Failure for [_stats/docs,store?ignore_unavailable=true]"
}

Note I'm currently running OpenSearch 1.3.2 and connected to the cluster using my admin user and password with basic auth.

bkimbrough88 avatar Jul 12 '22 19:07 bkimbrough88

@bkimbrough88 That issue seems unrelated to this issue, which is specifically around the HTTP response code 403 when anonymous_auth_enabled is set to true. I have no issues with OpenSearch 1.3.2 and Cerebro when this is not set and can open the Overview page with no problem.

As an aside, try making a curl request to your database and check that the user you are using to log in has permission to access it, e.g. curl -u "username:password" http://myserver/_stats/docs,store?ignore_unavailable=true. If you get an error with a security exception then you may need to check the permissions of the user you are using.

jgough avatar Jul 13 '22 07:07 jgough