security-dashboards-plugin icon indicating copy to clipboard operation
security-dashboards-plugin copied to clipboard
verified publisher icon opensearch-project

[BUG] Session expiration and keepalive settings ignored

Open hagaram opened this issue 1 year ago • 3 comments

What is the bug? These options seems to be ignored

opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true

I have no issue with frequent logouts, but with that that cookie is set as “session cookie” regardless of what I configure. This also happens when local account is used (tried with admin) - only difference is that with local login there is one cookie set: security_authentication With oidc login there is security_authentication AND security_authentication_oidc1.

In both cases the cookie is deleted after browser is closed. If I modify expiration date of cookie, everything work after closing and reopening the browser, but security_authentication is set back to session cookie, so I have to change it back with expiration, if I want to to live trought another browser closing.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Log in to opensearch dashboards and inspect the cookies
  2. close browser
  3. open browser
  4. relogin is needed and cookies are gone

What is the expected behavior? Continue work with OSD without the need to relogin again

What is your host/environment?

  • OS: Linux
  • Version 2.15 (also happened on 2.14)

Do you have any additional context?

  • OSD is on 3 servers with nginx in fornt of it which does the balancing. This unfortunately happens also when I go to specific dashboard directly, with local account, bypassing nginx.
  • I use keycloak OIDC + default basic auth login

hagaram avatar Jul 03 '24 12:07 hagaram

[Triage] Hi @hagaram thanks for filing this issue. @derek-ho has taken a look at similar issue in the past so will check into this use case and see if that is something we are able to support.

stephen-crawford avatar Jul 08 '24 15:07 stephen-crawford

@scrawfor99 @derek-ho Thank you very much for taking a look at this.

If it helps anything, here is OSD config.

server.port: 5601
server.host: "0.0.0.0"
opensearch.hosts: ["https://xxxx.XXXXXXXX:9200","https://xxx.XXXXXXXX:9200","https://xxx.XXXXXXXX:9200"]
opensearch.username: "XXXXXXXXXX"
opensearch.password: "XXXXXXXXXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]

opensearch_security.multitenancy.enabled: false
# opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.readonly_mode.roles: ["kibana_read_only"]


opensearch.ssl.verificationMode: "full"
opensearch.ssl.certificate: "/usr/share/opensearch-dashboards/config/esnode.pem"
opensearch.ssl.key: "/usr/share/opensearch-dashboards/config/esnode-key.pem"
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem" ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/rest-esnode.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/rest-esnode-key.pem
server.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/rest-root-ca.pem" ]

opensearch_security.cookie.secure: true

# OpenID settings -> IDP used is Keycloak
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true

opensearch_security.openid.base_redirect_url: "https://xXXXXXX.XXXXXXXX"
opensearch_security.openid.client_id: "XXXXXXX.XXXXXXXX"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "XXXXXXXXX"
opensearch_security.openid.connect_url: "https://XXXXX.XXXXXX.XXXXX/realms/XXXXXX/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true



opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
#I've tried to change the bellow two setting to true/false - no effect regarding this issue
#opensearch_security.session.keepalive: false
#opensearch_security.openid.refresh_tokens: true
opensearch_security.ui.openid.login.buttonname: "Sign in with XXXXXX ID"

And here is security plugins config

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: true
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://XXXXXX.XXXXX.XXXXX/realms/XXXXXX/.well-known/openid-configuration
            kibana_url: https://XXXXX.XXXXX.XXXXX
        authentication_backend:
          type: noop
    authz: {}
    ```

hagaram avatar Jul 08 '24 20:07 hagaram

@derek-ho Hello Derek, any update on this? Or is some other conig option available for oidc which I didnt find?

hagaram avatar Nov 20 '24 03:11 hagaram

It looks like the cookie.ttl parameter is entirely unused in the plugin code, I only found it mentioned in the config schema, but then it is not passed anywhere

m-burst avatar May 22 '25 12:05 m-burst

problem still exists in 3.1.0 , using SAML, same behavior

BrotherLavarius avatar Oct 15 '25 19:10 BrotherLavarius