security-dashboards-plugin
[Enhancement] Add proxy authentication support to multi-auth framework
description
I've set up proxy authentication and it works fine; however, I want to also allow basicauth as well to allow non-SSO users, but it doesn't seem to be supported. Multiple auth types are possible according to https://opensearch.org/docs/latest/security/configuration/multi-auth/ but this doesn't mention proxy auth. Attempting to configure both proxy and basicauth results in opensearch-dashboards not being able to start, showing "Error: Unsupported authentication type: proxy".
To Reproduce
Steps to reproduce the behavior:
- set proxy and basicauth types and multiple_auth_enabled in opensearch-dashboards.yml:
opensearch_security.auth.type: ["proxy","basicauth"]
opensearch_security.auth.multiple_auth_enabled: true
- start opensearch-dashboards
- startup fails and logs the following:
Error: Unsupported authentication type: proxy
    at MultipleAuthentication.init (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/multiple/multi_auth.ts:97:17)
    at createAuthentication (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:46:3)
    at getAuthenticationHandler (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:91:37)
    at SecurityPlugin.setup (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/plugin.ts:119:39)
    at PluginsSystem.setupPlugins (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_system.js:101:24)
    at PluginsService.setup (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_service.js:117:19)
    at Server.setup (/usr/share/opensearch-dashboards/src/core/server/server.js:275:26)
    at Root.setup (/usr/share/opensearch-dashboards/src/core/server/root/index.js:70:14)
    at bootstrap (/usr/share/opensearch-dashboards/src/core/server/bootstrap.js:133:5)
    at Command. (/usr/share/opensearch-dashboards/src/cli/serve/serve.js:193:5)
Expected behavior
Dashboards should allow proxy auth in combination with other auth types - e.g. use proxy auth if the relevant headers are present and the request is coming from an allowed proxy, otherwise go to the regular login page.
OpenSearch Version 2.11.1
Dashboards Version 2.11.1
Plugins
defaults
Host/Environment (please complete the following information): Debian 12
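The fallback requested under "Expected behavior" above, sketched as an added TypeScript example; it is not code from security-dashboards-plugin. All type and function names are hypothetical, and the header names and addresses are constructed sample values.

```typescript
// Added illustration; not code from security-dashboards-plugin.
type AuthChoice = 'proxy' | 'basicauth';

interface PeerRequest {
  remoteAddress: string; // address of the direct TCP peer, not a forwarded header
  headers: { [name: string]: string | undefined }; // lower-cased header names
}

interface ProxySettings {
  trustedProxies: string[]; // hypothetical allow-list of proxy addresses
  userHeader: string;
  rolesHeader: string;
}

interface AuthDecision {
  type: AuthChoice;
  user?: string;
  roles: string[];
  reason: string;
}

function selectAuthType(req: PeerRequest, cfg: ProxySettings): AuthDecision {
  const user = (req.headers[cfg.userHeader] || '').trim();
  const trusted = cfg.trustedProxies.indexOf(req.remoteAddress) !== -1;
  if (user === '') {
    return { type: 'basicauth', roles: [], reason: 'no identity header' };
  }
  if (!trusted) {
    // Any client can send this header; honour it only from an allowed proxy.
    return { type: 'basicauth', roles: [], reason: 'identity header from untrusted peer ignored' };
  }
  const roles = (req.headers[cfg.rolesHeader] || '')
    .split(',')
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
  return { type: 'proxy', user, roles, reason: 'identity asserted by trusted proxy' };
}

// Constructed sample settings and requests (not taken from the issue).
const sampleCfg: ProxySettings = {
  trustedProxies: ['10.0.0.5'],
  userHeader: 'x-proxy-user',
  rolesHeader: 'x-proxy-roles',
};
const viaProxy: PeerRequest = {
  remoteAddress: '10.0.0.5',
  headers: { 'x-proxy-user': 'alice', 'x-proxy-roles': 'admin, readall' },
};
const directWithHeader: PeerRequest = { remoteAddress: '203.0.113.9', headers: { 'x-proxy-user': 'admin' } };
const plain: PeerRequest = { remoteAddress: '203.0.113.9', headers: {} };
const sampleDecisions = [viaProxy, directWithHeader, plain].map((r) => selectAuthType(r, sampleCfg).type);
```

The second sample is the case to test for in any such setup: an identity header arriving from an address outside the allow-list must lead to the login page, never to a session.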
Hello @samk-acw, thank you for opening.
@opensearch-project/admin, can you please move this to https://github.com/opensearch-project/security-dashboards-plugin
[Triage] Hi @samk-acw, thank you for filing this issue. Currently, multiple authentication forms are only supported for external identity provider sign on options (SAML, OIDC, etc.) and basic auth or bearer auth. That being said, support for proxy authentication alongside basic auth would be a change we would be interested in seeing should you be willing to propose a design or open a PR.
I will mark this as an enhancement and change the title so that it is clear what the issue is requesting. Thank you :)
(Sorry the documentation was not clear on this, we will get that addressed in the meantime)
The currently supported auth types for multiauth can be found here: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/multiple/multi_auth.ts#L51-L101
This really is a big problem. This is completely blocking certain deployments in companies where HTTP proxies are required.
@samk-acw and @Manuelraa could you please provide copies of your OpenSearch dashboards and Nginx/other proxy configuration?
I see where the code enforces the behavior you are mentioning but would like to reproduce your issue before making changes. Thanks
Edit: Also if you are running with docker please provide a copy of your docker compose; in my testing docker can cause complications with the proxy setup.
Sorry, I must have commented on the wrong issue. My comment was related to another issue for which I then made a PR #2024. Sorry for the inconvenience.
This is resolved with #2076