Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Add proxy authentication support to multi-auth framework #1724

Closed
samk-acw opened this issue Jan 4, 2024 · 7 comments
Closed

[Enhancement] Add proxy authentication support to multi-auth framework #1724

samk-acw opened this issue Jan 4, 2024 · 7 comments
Assignees
@stephen-crawford
Labels
enhancement New feature or request triaged

Comments

@samk-acw
Copy link

samk-acw commented Jan 4, 2024

description

I've setup proxy authentication and it works fine, however I want to also allow basicauth as well to allow non-SSO users, but it doesn't seem to be supported.
Multiple auth types is possible according to https://opensearch.org/docs/latest/security/configuration/multi-auth/ but this doesn't mention proxy auth.
Attempting to configure both proxy and basicauth results in opensearch-dashboards not being able to start, showing "Error: Unsupported authentication type: proxy"

To Reproduce
Steps to reproduce the behavior:

  1. set proxy and basicauth types and multiple_auth_enabled in opensearch-dashboards.yml:
opensearch_security.auth.type: ["proxy","basicauth"]
opensearch_security.auth.multiple_auth_enabled: true
  1. start opensearch-dashboards
  2. startup fails and logs the following:

Error: Unsupported authentication type: proxy
at MultipleAuthentication.init (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/multiple/multi_auth.ts:97:17)
at createAuthentication (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:46:3)
at getAuthenticationHandler (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:91:37)
at SecurityPlugin.setup (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/plugin.ts:119:39)
at PluginsSystem.setupPlugins (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_system.js:101:24)
at PluginsService.setup (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_service.js:117:19)
at Server.setup (/usr/share/opensearch-dashboards/src/core/server/server.js:275:26)
at Root.setup (/usr/share/opensearch-dashboards/src/core/server/root/index.js:70:14)
at bootstrap (/usr/share/opensearch-dashboards/src/core/server/bootstrap.js:133:5)
at Command. (/usr/share/opensearch-dashboards/src/cli/serve/serve.js:193:5)

Expected behavior
dashboards should allow proxy auth in combination with other auth types - eg use proxy auth if the relevant headers are present and request is coming from an allowed proxy, otherwise go to the regular login page.

OpenSearch Version
2.11.1

Dashboards Version
2.11.1

Plugins

defaults

Host/Environment (please complete the following information):
Debian 12
@samk-acw samk-acw added bug Something isn't working untriaged labels Jan 4, 2024
@kavilla
Copy link
Member

kavilla commented Jan 4, 2024

Hello @samk-acw, thank you for opening.

@opensearch-project/admin, can you please move this to https://github.com/opensearch-project/security-dashboards-plugin

@gaiksaya gaiksaya transferred this issue from opensearch-project/OpenSearch-Dashboards Jan 4, 2024
@stephen-crawford
Copy link
Contributor

stephen-crawford commented Jan 8, 2024
edited
Loading

[Triage] Hi @samk-acw, thank you for filing this issue. Currently, multiple authentication forms are only supported for external identity provider sign on options (SAML, OIDC, etc.) and basic auth or bearer auth. That being said, support for proxy authentication alongside basic auth would be a change we would be interested in seeing should you be willing to propose a design or open a PR.

I will mark this as an enhancement and change the title so that it is clear what the issue is requesting. Thank you :)

(Sorry the documentation was not clear on this, we will get that addressed in the meantime)

@stephen-crawford stephen-crawford added enhancement New feature or request triaged and removed untriaged bug Something isn't working labels Jan 8, 2024
@stephen-crawford stephen-crawford changed the title [BUG] Can't enable proxy and basic auth at the same time [Enhancement] Add proxy authentication support to multi-auth framework Jan 8, 2024
@cwperks
Copy link
Member

cwperks commented Jan 8, 2024

The currently support auth types for multiauth can be found here: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/multiple/multi_auth.ts#L51-L101

@Manuelraa

This comment was marked as off-topic.

Sign in to view
@stephen-crawford stephen-crawford self-assigned this Jul 17, 2024
@stephen-crawford
Copy link
Contributor

stephen-crawford commented Jul 24, 2024
edited
Loading

@samk-acw and @Manuelraa could you please provide copies of your OpenSearch dashboards and Nginx/other proxy configuration?

I see where the code enforces the behavior you are mentioning but would like to reproduce your issue before making changes. Thanks

Edit: Also if you are running with docker please provide a copy of your docker compose; in my testing docker can cause complications with the proxy setup.

@Manuelraa
Copy link
Contributor

@samk-acw and @Manuelraa could you please provide copies of your OpenSearch dashboards and Nginx/other proxy configuration?

I see where the code enforces the behavior you are mentioning but would like to reproduce your issue before making changes. Thanks

Edit: Also if you are running with docker please provide a copy of your docker compose; in my testing docker can cause complications with the proxy setup.

Sorry I must have commented on the wrong issue.
My comment was related to another issue for which I then made a PR #2024
Sorry for the inconvenience.

@stephen-crawford stephen-crawford mentioned this issue Jul 30, 2024
Merged
3 tasks
@stephen-crawford
Copy link
Contributor

This is resolved with #2076

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stephen-crawford stephen-crawford

Labels
enhancement New feature or request triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Manuelraa @kavilla @cwperks @samk-acw @stephen-crawford