Elasticsearch ApiKey authentication not working #3848

Closed
fraekfyr76 opened this issue Jul 27, 2023 · 3 comments
@fraekfyr76

Description

According to https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/src/database/engine.js#L142, you can use an apikey to auth with your search engine (Elasticsearch), for example with an environment variable like ELASTICSEARCH__API_KEY=<base64 string>.

This does not work because the default search engine client (Opensearch) does not support apikey authentication.

Environment

  1. OS (where OpenCTI server runs): Docker
  2. OpenCTI version: OpenCTI 5.9.6

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Run Elasticsearch and create an apikey
  2. Run OpenCTI with the environment variable ELASTICSEARCH__API_KEY=<your apikey>
  3. See [OPENCTI] Platform start fail error message

Expected Output

Not getting the [OPENCTI] Platform start fail error message

Actual Output

{"category":"APP","error":{"context":{"category":"technical","error":"security_exception: [security_exception] Reason: missing authentication credentials for REST request [/]","http_status":500,"reason":"[SEARCH] Search engine seems down"},"message":"A configuration error has occurred","name":"ConfigurationError","stack":"ConfigurationError: A configuration error has occurred\n    at error (/opt/opencti/build/src/config/errors.js:8:10)\n    at ConfigurationError (/opt/opencti/build/src/config/errors.js:61:53)\n    at /opt/opencti/build/src/database/engine.js:185:15\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at searchEngineInit (/opt/opencti/build/src/database/engine.js:175:3)\n    at checkSystemDependencies (/opt/opencti/build/src/initialization.js:138:3)\n    at platformStart (/opt/opencti/build/src/boot.js:179:5)"},"level":"error","message":"[OPENCTI] Platform start fail","timestamp":"2023-07-27T12:11:18.106Z","version":"5.9.6"}

Additional information

Opensearch client not supporting apikeys:
https://github.com/opensearch-project/opensearch-js/blob/main/lib/Connection.js#L329

fraekfyr76 added the bug label (use for describing something not working as expected) on Jul 27, 2023
SamuelHassine added this to the Release 5.10.0 milestone on Jul 27, 2023
richard-julien self-assigned this on Aug 9, 2023
@richard-julien
Member

Hi @fraekfyr76, thanks for the report.
As it's impossible to check/detect the client in this case, we will add a new configuration option to have auto-detection of the client or directly define the correct one.

SamuelHassine added the solved label (use to identify issue that has been solved; must be linked to the solving PR) on Aug 20, 2023
@ckyoog

ckyoog commented Aug 29, 2023

So this issue and the resolution bring out two pieces of information.

  • If your search engine is OpenSearch, you can't use API_KEY to do the auth.
  • If you want to use API_KEY to auth, you have to set engine_selector to elk only. Both auto and opensearch will cause an error.

Maybe it is worth writing a NOTE in the doc?

@SamuelHassine
Member

Thanks @ckyoog, you're fully right. Just did the modification here: https://docs.opencti.io/latest/deployment/configuration/#elasticsearch.

Kind regards,
Samuel
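
The rule the thread arrives at (API key auth only works with engine_selector set to elk) can be checked before the platform starts. The following is an added example, not OpenCTI code: checkEngineAuth and decodeApiKey are hypothetical names, and it assumes the selector is supplied as ELASTICSEARCH__ENGINE_SELECTOR (same naming pattern as ELASTICSEARCH__API_KEY above) with an unset value behaving like auto.

```javascript
// Added example (not OpenCTI code): preflight check for the API key and
// engine_selector combination discussed in this issue.
// ASSUMPTION: engine_selector is read from ELASTICSEARCH__ENGINE_SELECTOR and
// an unset selector behaves like "auto".

// Elasticsearch sends API keys as "Authorization: ApiKey <base64(id:api_key)>",
// so a usable key must be base64 that decodes to "<id>:<api_key>".
function decodeApiKey(encoded) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(encoded)) return null;
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep <= 0 || sep === decoded.length - 1) return null;
  return { id: decoded.slice(0, sep) }; // never return or log the secret part
}

// Returns a list of human-readable problems; an empty list means "ok".
function checkEngineAuth(env) {
  const problems = [];
  const apiKey = (env.ELASTICSEARCH__API_KEY || '').trim();
  const selector = (env.ELASTICSEARCH__ENGINE_SELECTOR || 'auto').trim().toLowerCase();
  if (!apiKey) return problems; // API key auth not in use, nothing to check

  if (selector !== 'elk') {
    problems.push(`engine_selector is "${selector}": API key auth requires "elk"`);
  }
  if (decodeApiKey(apiKey) === null) {
    problems.push('API key is not base64 of "<id>:<api_key>"');
  }
  return problems;
}

// Constructed sample values, not real credentials.
const sampleKey = Buffer.from('constructed-id:constructed-secret').toString('base64');
const cases = [
  { ELASTICSEARCH__API_KEY: sampleKey },
  { ELASTICSEARCH__API_KEY: sampleKey, ELASTICSEARCH__ENGINE_SELECTOR: 'opensearch' },
  { ELASTICSEARCH__API_KEY: sampleKey, ELASTICSEARCH__ENGINE_SELECTOR: 'elk' },
  { ELASTICSEARCH__API_KEY: '<your apikey>', ELASTICSEARCH__ENGINE_SELECTOR: 'elk' },
];
for (const env of cases) {
  const problems = checkEngineAuth(env);
  console.log(env.ELASTICSEARCH__ENGINE_SELECTOR || '(unset)', problems.length ? problems : 'ok');
}
```

Run against the container's environment (for example checkEngineAuth(process.env)), a non-empty result flags the misconfiguration that otherwise surfaces only as the "missing authentication credentials" startup failure shown in the report.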
