Add Proxy Auth to Multi Auth Options #2076

Merged

Conversation

stephen-crawford
Contributor

Description

[Describe what this change achieves]
This change adds support for Proxy Auth as a Multi Auth option. It also adds tests for Proxy Auth, which generally lacked testing.

With this change, you can enable proxy auth alongside one or more other auth types. For example, you can enable proxy and basic auth in your opensearch_dashboards.yml.

When proxy auth is enabled alongside other auth types, requests which do not include the expected proxy auth headers will redirect to the default OpenSearch Login page. There, the existing auth mechanisms can be accessed.

Category

[Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation]
Enhancement

Why these changes are required?

In order to support multi auth where one of the options is proxy auth.

What is the old behavior before changes and new behavior after changes?

Previously, when a user tried to enable Proxy auth alongside another auth type as part of a multi auth configuration, they would be notified that proxy auth was not a valid auth type. This was caused by the multi auth code lacking handling for Proxy auth. Similarly, even if you could enable proxy auth as part of multi auth, the login page for OpenSearch would not properly render when sending a request which did not include the valid auth headers.

Issues Resolved

[List any issues this PR will resolve (Is this a backport? If so, please add backport PR # and/or commits #)]
#1724

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]
This change was manually tested and also includes jest integration and unit tests.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@derek-ho
Collaborator

Can you run yarn lint:es --fix and fix the failing tests?

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

codecov bot commented Jul 31, 2024

Codecov Report

Attention: Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 71.39%. Comparing base (dc79df3) to head (ee3ca2f).
Report is 1 commits behind head on main.

Files Patch % Lines
public/apps/login/login-page.tsx 50.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2076      +/-   ##
==========================================
- Coverage   71.43%   71.39%   -0.05%     
==========================================
  Files          97       97              
  Lines        2647     2650       +3     
  Branches      408      410       +2     
==========================================
+ Hits         1891     1892       +1     
- Misses        641      642       +1     
- Partials      115      116       +1     


stephen-crawford and others added 20 commits July 31, 2024 15:56
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@cwperks
Member

cwperks commented Aug 13, 2024

@stephen-crawford Would it be possible to share a docker setup (or manual setup) with instructions on how to test the change?

@stephen-crawford
Contributor Author

Hi @cwperks, sure, no problem. It is not easy to get an actual proxy working with OpenSearch and dashboards with docker. However, here are the details for running manually:

  1. Install Nginx and make a note of where the configuration file is located (if you use homebrew, the config will be located inside the homebrew path system)
  2. Update the Nginx config file (/nginx.conf) with
events {
  worker_connections  1024;
}

http {
  resolver 127.0.0.1 ipv6=off;

  upstream opensearch {
    server 0.0.0.0:5603;
    keepalive 15;
  }

  server {
    listen       8090; # http://localhost:8090/wxk/
    server_name  nginx.example.com;

    location / {
      proxy_pass http://opensearch;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header x-proxy-user admin;
      proxy_set_header x-proxy-roles admin;
      proxy_ssl_verify off; # Disable SSL verification if using self-signed certs
    }
  }
}

  3. Install OpenSearch backend and run the usual manual setup steps for running OpenSearch with the Security plugin installed
  4. Update the security configuration to minimally have
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*' # regex pattern
        remoteIpHeader: "x-forwarded-for"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
  5. Update opensearch_dashboards.yml following the Proxy auth steps on the documentation website. You should end up with a config that includes:

opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
opensearch_security.auth.type: ["proxy", "basic"]
opensearch_security.proxycache.user_header: "x-proxy-user"
opensearch_security.proxycache.roles_header: "x-proxy-roles"

  6. Turn everything on in order OpenSearch -> Nginx -> Dashboards (the last two should be interchangeable)

  7. You should now be able to access the OpenSearch dashboards home page with http://localhost:8090//app/home#

But if you instead try to access the normal dashboards address i.e. 5601 you will be redirected to the login page.
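
An added check, not part of this PR or the project's code, for the setup in the comment above: with the proxy authenticator enabled, identity comes from the `x-proxy-user` and `x-proxy-roles` headers, so `xff.internalProxies` decides whose headers are believed, and the Dashboards allowlist decides whether they are forwarded. `audit_proxy_auth`, `pin_internal_proxies`, the dict layout and the probe addresses are assumptions made for the example.

```python
import copy
import re

# Constructed probe addresses that are not the proxy (documentation/private ranges).
PROBE_ADDRS = ["203.0.113.7", "198.51.100.23", "10.9.8.7"]
# Relevant parts of the two configs from the comment above, as Python dicts.
SECURITY_CFG = {"config": {"dynamic": {
    "http": {"xff": {"enabled": True, "internalProxies": ".*"}},
    "authc": {
        "basic_internal_auth_domain": {"http_enabled": True, "http_authenticator": {"type": "basic"}},
        "proxy_auth_domain": {
            "http_enabled": True, "http_authenticator": {"type": "proxy", "config": {
                "user_header": "x-proxy-user", "roles_header": "x-proxy-roles"}}},
    }}}}
DASHBOARDS_CFG = {"opensearch.requestHeadersAllowlist": [
    "securitytenant", "Authorization", "x-forwarded-for", "x-proxy-user", "x-proxy-roles"]}

def audit_proxy_auth(security_cfg, dashboards_cfg, proxy_ip):
    """Return findings for a proxy-auth setup (hypothetical helper, not project code)."""
    findings = []
    dynamic = security_cfg["config"]["dynamic"]
    xff = dynamic.get("http", {}).get("xff", {})
    proxy_domains = {n: d for n, d in dynamic.get("authc", {}).items()
                     if d.get("http_enabled")
                     and d.get("http_authenticator", {}).get("type") == "proxy"}
    if not proxy_domains:
        return findings
    if not xff.get("enabled"):
        findings.append("xff disabled: no trusted-proxy check for proxy auth")
    # Assumption: the pattern stays within regex syntax shared by Java and Python.
    pattern = xff.get("internalProxies", "")
    if not re.fullmatch(pattern, proxy_ip):
        findings.append(f"internalProxies does not match proxy {proxy_ip}")
    strangers = [a for a in PROBE_ADDRS if re.fullmatch(pattern, a)]
    if strangers:
        findings.append(f"internalProxies {pattern!r} also trusts {strangers}")
    allow = {h.lower() for h in dashboards_cfg.get("opensearch.requestHeadersAllowlist", [])}
    for name, dom in proxy_domains.items():
        for key in ("user_header", "roles_header"):
            header = dom["http_authenticator"].get("config", {}).get(key, "").lower()
            if header and header not in allow:
                findings.append(f"{name}: {header} not in requestHeadersAllowlist")
    return findings

def pin_internal_proxies(security_cfg, proxy_ip):
    """Copy of the config with internalProxies restricted to the proxy address."""
    cfg = copy.deepcopy(security_cfg)
    cfg["config"]["dynamic"]["http"]["xff"]["internalProxies"] = re.escape(proxy_ip)
    return cfg
```

Run against the test configuration with Nginx on `127.0.0.1`, the audit reports only the `.*` pattern; the pinned copy returns no findings.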

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford stephen-crawford merged commit c45b931 into opensearch-project:main Aug 20, 2024
16 of 19 checks passed
@cwperks cwperks added backport 2.x backport to 2.x branch v2.17.0 labels Aug 20, 2024
opensearch-trigger-bot bot pushed a commit that referenced this pull request Aug 20, 2024
* Add Proxy Auth to Multi Auth Options

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

---------

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
(cherry picked from commit c45b931)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
cwperks pushed a commit that referenced this pull request Aug 23, 2024
* Add Proxy Auth to Multi Auth Options



---------


(cherry picked from commit c45b931)

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>