
[BUG] Default admin:admin can't auth in opensearch-dashboards

Open bob4inski opened this issue 1 year ago • 12 comments

I need to log in to access my OpenSearch dashboard, but it says "Invalid username or password, please try again".

So I installed opensearch and opensearch-dashboards 2.11.0-1 on my redos.

Here are the configs of:

  • opensearch
cluster.name: boba
node.name: node
path.data: /elasticsearch/data
path.logs: /elasticsearch/logs
network.host: localhost
http.port: 20020
discovery.seed_hosts: ["localhost"]
discovery.type: single-node
  • opensearch-dashboards
server.port: 20021
server.host: "0.0.0.0."
server.name: "biba"
opensearch.hosts: ["http://localhost:20020"]
opensearchDashboards.defaultAppId: "home"
server.ssl.enabled: false
logging.dest: /var/log/opensearch-dashboards/log.log
logging.verbose: false
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

Services are running, and opensearch has data

curl -X GET "localhost:20020/_cat/indices?v"
health status index                     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .plugins-ml-config        5OrC4k7ERMyrYlGoWWtqnA   1   0          1            0      3.9kb          3.9kb
green  open   .opensearch-observability cAd23xBkT6i1nPyNQG0Y1Q   1   0          0            0       208b           208b
yellow open   postgresql-logs           q4MwZ82GTPqk_P3MY778ew   1   1     147486            0     43.1mb         43.1mb
green  open   .kibana_1                 9EvWqMvAQj6KqraikfGrRQ   1   0          0            0       208b           208b

But when I try to auth in web dashboards I can't auth with default admin:admin,

and when I try to log in there is a message in the logs:

{"type":"log","@timestamp":"2024-02-22T10:50:06Z","tags":["error","plugins","securityDashboards"],"pid":2924570,"message":"Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]"}
{"type":"response","@timestamp":"2024-02-22T10:50:06Z","tags":[],"pid":2924570,"method":"post","statusCode":401,"req":{"url":"/auth/login","method":"post","headers":{"host":"10.26.104.120:20021","connection":"keep-alive","content-length":"39","osd-xsrf":"osd-fetch","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36","osd-version":"2.11.0","content-type":"application/json","accept":"*/*","origin":"http://10.26.104.120:20021","referer":"http://10.26.104.120:20021/app/login?","accept-encoding":"gzip, deflate","accept-language":"ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"10.26.140.28","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36","referer":"http://10.26.104.120:20021/app/login?"},"res":{"statusCode":401,"responseTime":10,"contentLength":9},"message":"POST /auth/login 401 10ms - 9.0B"}

I tried to fix this, but the only solution was to delete the whole security plugin that doesn't work.

bob4inski avatar Feb 22 '24 10:02 bob4inski
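
Added example (not part of the original thread or of the project's code): a triage over the Dashboards JSON log that separates the two failures hiding behind the same "Invalid username or password" page. A `no handler found` answer for `/_plugins/_security/authinfo` means the OpenSearch node has no such route, so the security plugin is not active on it; the function names, the verdict strings and the third sample line are assumptions made for this illustration.

```python
import json
from collections import Counter

# REST route registered by the OpenSearch security plugin; path copied from the issue's log line.
AUTHINFO_ROUTE = "/_plugins/_security/authinfo"

def classify(line):
    """Classify one OpenSearch Dashboards JSON log line; None if it is not an auth event."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict):
        return None
    msg = str(rec.get("message", ""))
    tags = rec.get("tags") or []
    if rec.get("type") == "log" and "securityDashboards" in tags:
        # "no handler": the route is missing on the node, so no password can ever succeed.
        if "no handler found for uri" in msg and AUTHINFO_ROUTE in msg:
            return "backend-security-missing"
        if msg.startswith("Failed authentication"):
            return "credentials-rejected"
    req = rec.get("req") or {}
    if rec.get("type") == "response" and rec.get("statusCode") == 401 \
            and isinstance(req, dict) and req.get("url") == "/auth/login":
        return "login-401"
    return None

def diagnose(lines):
    """Summarise a log excerpt: which failure explains the 401s on /auth/login."""
    counts = Counter(c for c in map(classify, lines) if c)
    if counts["backend-security-missing"]:
        verdict = "plugin mismatch: securityDashboards is loaded but the node lacks the security plugin route"
    elif counts["credentials-rejected"]:
        verdict = "credentials rejected by the security plugin"
    elif counts["login-401"]:
        verdict = "401 on /auth/login with no securityDashboards log line"
    else:
        verdict = "no authentication failures"
    return verdict, dict(counts)

# Lines 1-2 are shortened from the log in the issue; line 3 is constructed for contrast.
SAMPLE = [
    '{"type":"log","@timestamp":"2024-02-22T10:50:06Z","tags":["error","plugins","securityDashboards"],"pid":2924570,"message":"Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]"}',
    '{"type":"response","@timestamp":"2024-02-22T10:50:06Z","tags":[],"statusCode":401,"req":{"url":"/auth/login","method":"post"},"message":"POST /auth/login 401 10ms - 9.0B"}',
    '{"type":"log","tags":["error","plugins","securityDashboards"],"message":"Failed authentication: Error: Authentication Exception"}',
]

if __name__ == "__main__":
    print(diagnose(SAMPLE[:2]))
```
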

Hello @bob4inski,

OpenSearch Security plugin now requires a stronger password by default. https://github.com/opensearch-project/OpenSearch-Dashboards/blob/352d3046515bdcb5178ebcf3cdb0020093c1634b/DEVELOPER_GUIDE.md?plain=1#L291.

If this solves your problem let us know.

@opensearch-project/admin please re-route this issue to OpenSearch Security.

kavilla avatar Feb 22 '24 20:02 kavilla

@kavilla that can't help me because I installed dashboards and search via yum. I tried changing the password via the hash.sh file, but that didn't work either. I think the main problem is in the error:

{"message":"Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]"}

bob4inski avatar Feb 26 '24 06:02 bob4inski

It's the same problem, but there is no obvious answer.

bob4inski avatar Feb 26 '24 06:02 bob4inski

[Triage] This seems either related to the admin credential changes in 2.12 or a bug with the APIs. We will be looking into this more.

derek-ho avatar Feb 26 '24 16:02 derek-ho

Exactly the same in version 2.11.1

AniaKru95 avatar Mar 20 '24 09:03 AniaKru95

@derek-ho any solution?

bob4inski avatar Mar 22 '24 11:03 bob4inski

@DarshitChanpura Could you look into this?

peternied avatar Mar 22 '24 12:03 peternied

I'm having the same error, but with OIDC. Maybe related. Writeup: https://forum.opensearch.org/t/infinite-loop-with-authentik-openid-connect/18601

shotor avatar Mar 27 '24 22:03 shotor

I encountered the same error and tried the methods suggested by the official documentation, but they didn't work. Do you have any effective solutions currently?

Mark-JJ avatar Apr 25 '24 06:04 Mark-JJ

@Mark-JJ which OpenSearch version are you using?

DarshitChanpura avatar Apr 25 '24 15:04 DarshitChanpura

> @Mark-JJ which OpenSearch version are you using?

Thank you for your response. Eventually, I found a solution. I added the security plugin in the YAML file without enabling it, instead of directly deleting it as suggested by the official documentation.

Mark-JJ avatar Apr 26 '24 10:04 Mark-JJ

@Mark-JJ Feel free to open an issue with https://github.com/opensearch-project/documentation-website/ describing what you faced and what you did to solve the issue, and what documentation should be updated?

DarshitChanpura avatar Apr 26 '24 15:04 DarshitChanpura

Please visit the step-by-step guide with explanations for enabling-disabling-security.

Or follow these instructions (with caution: always use the OpenSearch security plugin in a production env):

  • in your cli/terminal/bash - change dir to openSearch bin folder \opensearch-2.14.0\bin>
  • Execute the command to uninstall openSearch security plugin
opensearch-plugin remove opensearch-security 
  • this will execute the batch file for openSearch-plugin to remove openSearch security plugin
  • Do the same with openSearch-dashboards package in your cli/terminal/bash - go to openSearch-dashboards bin folder \opensearch-dashboards-2.14.0\bin>
  • Execute the command to uninstall openSearch-dashboards security plugin
opensearch-dashboards-plugin remove securityDashboards 

Now change the .yml files for both opensearch_dashboards.yml and opensearch.yml:

  • comment out / remove all security-related configurations in the .yml files. After that your yml files should look something like this:

  • opensearch_dashboards.yml

server.port: 5601 # the port at which openSearch-dashboards will run
server.host: "localhost"
opensearch.hosts: [http://localhost:9200]  # port at which your openSearch nodes are running 
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
  • opensearch.yml
node.max_local_storage_nodes: 3 
...  # additional configurations 
  • Notice opensearch.hosts: [http://localhost:9200]. It's https by default, but since we have disabled the security configs in our opensearch.yml file it will run on http, so make sure to use the correct link
  • After this just head to the port configured for openSearch-dashboards, in my case http://localhost:5601/, and enjoy 👍🏻

Jai2305 avatar Jun 25 '24 11:06 Jai2305

Marking this issue as closed since it seems to be resolved based on last few comments. Please leave a message if this issue needs more attention.

DarshitChanpura avatar Jun 25 '24 15:06 DarshitChanpura