Add Proxy Auth to Multi Auth Options
Description
[Describe what this change achieves] This change adds support for Proxy Auth as a Multi Auth option. It also adds tests for Proxy Auth which generally lacked testing.
With this change, you can enable proxy auth alongside one or more other auth types. For example, you can enable proxy and basic auth in your opensearch_dashboards.yml.
When proxy auth is enabled alongside other auth types, requests which do not include the expected proxy auth headers will redirect to the default OpenSearch Login page. There, the existing auth mechanisms can be accessed.
Category
[Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation] Enhancement
Why these changes are required?
In order to support multi auth where one of the options is proxy auth.
What is the old behavior before changes and new behavior after changes?
Previously, when a user tried to enable Proxy auth alongside another auth type as part of a multi auth configuration, they would be notified that proxy auth was not a valid auth type. This was caused by the multi auth code lacking handling for Proxy auth. Similarly even if you could enable proxy auth as part of multi auth, the login page for OpenSearch would not properly render when sending a request which did not include the valid auth headers.
Issues Resolved
[List any issues this PR will resolve (Is this a backport? If so, please add backport PR # and/or commits #)] https://github.com/opensearch-project/security-dashboards-plugin/issues/1724
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing] This change was manually tested and also includes jest integration and unit tests.
Check List
- [x] New functionality includes testing
- [x] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.
Can you run yarn lint:es --fix and fix the failing tests?
Codecov Report
Attention: Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.
Project coverage is 71.39%. Comparing base (dc79df3) to head (ee3ca2f). Report is 1 commits behind head on main.
| Files | Patch % | Lines |
|---|---|---|
| public/apps/login/login-page.tsx | 50.00% | 1 Missing and 1 partial :warning: |
Additional details and impacted files
@@ Coverage Diff @@
## main #2076 +/- ##
==========================================
- Coverage 71.43% 71.39% -0.05%
==========================================
Files 97 97
Lines 2647 2650 +3
Branches 408 410 +2
==========================================
+ Hits 1891 1892 +1
- Misses 641 642 +1
- Partials 115 116 +1
@stephen-crawford Would it be possible to share a docker setup (or manual setup) with instructions on how to test the change?
Hi @cwperks, sure no problem. It is not easy to get an actual proxy working with OpenSearch and dashboards with docker. However here are the details for running manually:
- Install Nginx and make a note of where the configuration file is located (if you use homebrew, the config will be located inside the homebrew path system)
- Update the Nginx config file (/nginx.conf) with

```nginx
events {
    worker_connections 1024;
}
http {
    resolver 127.0.0.1 ipv6=off;
    upstream opensearch {
        server 0.0.0.0:5603;
        keepalive 15;
    }
    server {
        listen 8090; # http://localhost:8090/wxk/
        server_name nginx.example.com;
        location / {
            proxy_pass http://opensearch;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header x-proxy-user admin;
            proxy_set_header x-proxy-roles admin;
            proxy_ssl_verify off; # Disable SSL verification if using self-signed certs
        }
    }
}
```
- Install OpenSearch backend and run the usual manual setup steps for running OpenSearch with the Security plugin installed
- Update the security configuration to minimally have

```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*' # regex pattern
        remoteIpHeader: "x-forwarded-for"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
```
- Update opensearch_dashboards.yml following the Proxy auth steps on the documentation website. You should end up with a config that includes:

```yaml
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
opensearch_security.auth.type: ["proxy", "basic"]
opensearch_security.proxycache.user_header: "x-proxy-user"
opensearch_security.proxycache.roles_header: "x-proxy-roles"
```
- Turn everything on in order OpenSearch -> Nginx -> Dashboards (the last two should be interchangeable)
- You should now be able to access the OpenSearch dashboards home page with http://localhost:8090/
/app/home#
But if you instead try to access the normal dashboards address i.e. 5601 you will be redirected to the login page.
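
A consistency check over the three configs from the setup steps above, as an added example that is not part of the PR or the plugin: `auditProxySetup` and `ProxySetup` are hypothetical names, and the sample values are copied from the posted configs. It checks that the proxy header names agree and are allowlisted, and flags an `internalProxies` pattern broad enough to accept the proxy headers from any source.

```typescript
// Added example, not plugin code. The checker is hypothetical; the sample
// values are copied from the three configs posted in this thread.
interface ProxySetup {
  authTypes: string[]; // opensearch_security.auth.type
  allowlist: string[]; // opensearch.requestHeadersAllowlist
  dashboards: { user: string; roles: string }; // opensearch_security.proxycache.*
  backend: { user: string; roles: string }; // proxy_auth_domain authenticator config
  xff: { enabled: boolean; internalProxies: string; remoteIpHeader: string };
}

function auditProxySetup(s: ProxySetup): string[] {
  const findings: string[] = [];
  if (s.authTypes.indexOf('proxy') === -1) return findings; // proxy auth not in use
  const allowed = s.allowlist.map((h) => h.toLowerCase());
  const keys: Array<'user' | 'roles'> = ['user', 'roles'];
  for (const key of keys) {
    const header = s.dashboards[key].toLowerCase();
    if (header !== s.backend[key].toLowerCase()) {
      findings.push(key + '_header differs between Dashboards and the security config');
    }
    if (allowed.indexOf(header) === -1) {
      findings.push(header + ' is missing from requestHeadersAllowlist');
    }
  }
  if (!s.xff.enabled) findings.push('xff.enabled is false');
  if (allowed.indexOf(s.xff.remoteIpHeader.toLowerCase()) === -1) {
    findings.push(s.xff.remoteIpHeader + ' is missing from requestHeadersAllowlist');
  }
  // 203.0.113.7 is a documentation address that is no proxy of ours: a pattern
  // matching it accepts the proxy headers from any source.
  if (new RegExp('^(?:' + s.xff.internalProxies + ')$').test('203.0.113.7')) {
    findings.push('internalProxies matches arbitrary addresses');
  }
  return findings;
}

const pageSetup: ProxySetup = {
  authTypes: ['proxy', 'basic'],
  allowlist: ['securitytenant', 'Authorization', 'x-forwarded-for', 'x-proxy-user', 'x-proxy-roles'],
  dashboards: { user: 'x-proxy-user', roles: 'x-proxy-roles' },
  backend: { user: 'x-proxy-user', roles: 'x-proxy-roles' },
  xff: { enabled: true, internalProxies: '.*', remoteIpHeader: 'x-forwarded-for' },
};
// Assumption: on the single-host test setup every hop connects from loopback.
const loopbackOnly: ProxySetup = {
  ...pageSetup,
  xff: { ...pageSetup.xff, internalProxies: '127\\.0\\.0\\.1' },
};
```

`auditProxySetup(pageSetup)` reports only the catch-all `internalProxies` pattern; `loopbackOnly` returns no findings.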