[BUG] FATAL ValidationError: child "plugins" fails because ["security" is not allowed] #686

Closed
sooslaca opened this issue Jul 30, 2021 · 5 comments

@sooslaca

Describe the bug

Cannot configure OIDC auth for opensearch_dashboard as written at https://opensearch.org/docs/security-plugin/configuration/openid-connect/

Each line that starts with plugins.security throws an error:

{"type":"log","@timestamp":"2021-07-30T13:51:42Z","tags":["fatal","root"],"pid":1,"message":"{ ValidationError: child \"plugins\" fails because [\"security\" is not allowed]\n    at Object.exports.process (/usr/share/opensearch-dashboards/node_modules/joi/lib/errors.js:196:19)\n    at internals.Object._validateWithOptions (/usr/share/opensearch-dashboards/node_modules/joi/lib/types/any/index.js:675:31)\n    at module.exports.internals.Any.root.validate (/usr/share/opensearch-dashboards/node_modules/joi/lib/index.js:146:23)\n    at Config._commit (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:146:34)\n    at Config.set (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:117:10)\n    at Config.extendSchema (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:89:10)\n    at _lodash.default.each.child (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:79:14)\n    at arrayEach (/usr/share/opensearch-dashboards/node_modules/lodash/lodash.js:530:11)\n    at Function.forEach (/usr/share/opensearch-dashboards/node_modules/lodash/lodash.js:9410:14)\n    at Config.extendSchema (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:78:30)\n    at new Config (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:69:10)\n    at Function.withDefaultSchema (/usr/share/opensearch-dashboards/src/legacy/server/config/config.js:63:12)\n    at LegacyService.setupLegacyConfig (/usr/share/opensearch-dashboards/src/core/server/legacy/legacy_service.js:84:43) name: 'ValidationError' }"}

 FATAL  ValidationError: child "plugins" fails because ["security" is not allowed]

To Reproduce
Install opensearch, install opensearch-dashboards.
Enable openid_auth_domain in opensearch, reload config with securityadmin.sh.
Configure opensearch-dashboards to use it, e.g.:

plugins.security.auth.type: "openid"

Expected behavior
OIDC auth to work

OpenSearch Version
docker opensearchproject/opensearch:1.0.0

Dashboards Version
docker opensearchproject/opensearch-dashboards:1.0.0

Plugins

[opensearch-dashboards@5be9c9ca0417 ~]$ bin/opensearch-dashboards-plugin list
alertingDashboards@1.0.0.0
anomalyDetectionDashboards@1.0.0.0
ganttChartDashboards@1.0.0.0
indexManagementDashboards@1.0.0.0-rc1
notebooksDashboards@1.0.0.0
queryWorkbenchDashboards@1.0.0.0
reportsDashboards@1.0.0.0
securityDashboards@1.0.0.0
traceAnalyticsDashboards@1.0.0.0

Screenshots
NA

Host/Environment (please complete the following information):

  • OS: 18.04.5 LTS (Bionic Beaver)
  • Docker: Server Version: 19.03.14
@kavilla
Member

kavilla commented Aug 3, 2021

Hello @sooslaca ,

Sorry about the delay but thanks for bringing this up! This is more so a problem with the documentation. Unfortunately there are gaps in the documentation and apparently errors. The configuration should be:
opensearch_security.auth.type: "openid" [Code reference]

All the settings in there should be modified with the config path of "opensearch_security"

I will close this issue and I have created an issue in the documentation repo here: opensearch-project/documentation-website#125

Please re-open if changing it to opensearch_security.auth.type: "openid" doesn't make more progress

Thanks again!

kavilla closed this as completed Aug 3, 2021

@kafonek

kafonek commented Aug 4, 2021

@sooslaca @kavilla if you have a working set of configuration files for this, I'd appreciate seeing them. We struggled with this exact problem today and even switching it to opensearch_security instead of plugins.security still leaves us with 401's from the Dashboard UI.

We've been running a slightly modified version of https://github.com/opensearch-project/opensearch-build/blob/main/release/docker/dockercomposefiles/docker-compose.yml with just a single node, and an external (corporate) Keycloak. Relevant config files --

# /usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
# mounted in the opensearch node container

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false

    authc:
      basic:
        description: "Basic user/pw"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

      keycloak:
        description: "Log in with Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://my.keycloak/auth/realms/my-realm/.well-known/openid-configuration
            verify_hostnames: false
        authentication_backend:
          type: noop

# /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
# mounted into opensearch-dashboards container

server.host: "0"
opensearch.hosts: ["https://opensearch:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false


opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://my.keycloak/auth/realms/my-realm/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch"
opensearch_security.openid.client_secret: "abc123..."
opensearch_security.openid.scope: "openid"
opensearch_security.openid.base_redirect_url: "http://opensearch-host-machine:5601"

When we visit the dashboard UI, it just says {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"} with no attempted redirect to Keycloak. Navigating to https://opensearch-host-machine:9200 returns Authentication finally failed (no challenge/prompt as expected) although I can get the normal json response if I use Python to do a GET with basic auth admin/admin.

Thanks for your time and help.
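
A pre-start check for opensearch_dashboards.yml, added here as an example and not part of the thread or the project's code: it flags keys under the plugins.security prefix that Dashboards 1.0.0 rejected in the original report (mapping them to the opensearch_security prefix from the maintainer's reply) and the TLS and cookie relaxations visible in the file posted above. It does not diagnose the 401; the parser only handles flat `key: value` lines, and the function names and sample file are constructed for illustration.

```python
import re

# Prefix rejected in the thread, and the prefix the maintainer's reply gives.
OLD_PREFIX = "plugins.security."
NEW_PREFIX = "opensearch_security."
# Settings from the posted file that relax transport or cookie protection.
WEAK_VALUES = {
    "opensearch.ssl.verificationMode": ("none", "node certificate is not verified"),
    "opensearch_security.cookie.secure": ("false", "cookie lacks the Secure flag"),
}
LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*:\s*(.*)$")
SAMPLE = """\
# opensearch_dashboards.yml (constructed sample built from lines in the thread)
opensearch.ssl.verificationMode: none
plugins.security.auth.type: "openid"
opensearch_security.cookie.secure: false
opensearch_security.openid.base_redirect_url: "http://opensearch-host-machine:5601"
"""


def parse_flat_yaml(text):
    """Return {key: (value, line_number)} for flat 'dotted.key: value' lines."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = LINE_RE.match(line)
        if match and not line.startswith("#"):
            settings[match.group(1)] = (match.group(2).strip().strip("\"'"), lineno)
    return settings


def lint_dashboards_config(text):
    """Return sorted (line, kind, detail) findings; kind is 'rename' or 'weak'."""
    findings = []
    for key, (value, lineno) in parse_flat_yaml(text).items():
        if key.startswith(OLD_PREFIX):
            renamed = NEW_PREFIX + key[len(OLD_PREFIX):]
            findings.append((lineno, "rename", f"{key} -> {renamed}"))
        weak = WEAK_VALUES.get(key)
        if weak and value.lower() == weak[0]:
            findings.append((lineno, "weak", f"{key}: {value} ({weak[1]})"))
        if key.endswith(".base_redirect_url") and value.startswith("http://"):
            findings.append((lineno, "weak", f"{key}: OIDC callback over plain HTTP"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, detail in lint_dashboards_config(SAMPLE):
        print(f"line {lineno}: [{kind}] {detail}")
```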

@kavilla
Member

kavilla commented Aug 4, 2021

@kafonek, sorry about your struggles!

I see there are a few open issues in the security plugin related to OpenID: https://github.com/opensearch-project/security-dashboards-plugin/issues?q=is%3Aissue+is%3Aopen+openid. I see a closed issue that is similar to what you are seeing, which was solved with: opensearch-project/security-dashboards-plugin#672 (comment).

As the original issue was related to the security plugin and your follow-up issue is seeing errors due to it as well, would you be able to open an issue in the security plugin repo [here]? I would still open a new issue if there is any confusion related to getting the configuration of the plugin correct, even if you scanned the closed issues and resolved it that way.

Let me know if you would like me to create it for you to help reduce your struggles.

@kafonek

kafonek commented Aug 4, 2021

yep opensearch-project/security-dashboards-plugin#806 opened, thanks so much @kavilla

@elhamahmadloo

Hi @kafonek

Did you find any solution? I have the same problem with the same config.
