AWS OpenSearch 2.3 authentication issue with Graylog 5.0.2 #15767
Comments
Intermediate result: I checked against the included OpenSearch 2.5 in our DataNode and a user whose password uses the mentioned special chars and had no problems.
May I check that the Graylog version you used was 5.0.2? Is there any way you can recommend for me to debug this on my side?
This was using the current dev version I have on my machine. But the code involved should not have had any changes since 5.0 (at least after a first glance). But I'll check with a 5.0 version next. The first test was just to make sure that I enabled the security plugin correctly. Can you give me some more info about your setup? Is OpenSearch your own installation, or the AWS service? Also, it might be helpful if you could share the startup logs up to the point where the error occurs - this could help track it down, too.
The OpenSearch 2.3 I used was an AWS service. I have enabled fine-grained access control (FGAC) and created a master user; in the FGAC policy I allowed all methods. HTTPS for the OpenSearch was enabled.
@lkwjohn thx for the info.
Also, for clarification, because I might have misunderstood your second sentence from the top: were you using 5.0.2 without auth before enabling it (and refer to this as "worked before"), or did you upgrade from an older Graylog version (which worked) to 5.0.2?
I was using Graylog 5.0.2 with AWS OpenSearch 2.3 without auth. After that, I did not upgrade Graylog when I enabled the AWS OpenSearch from non-auth to auth. As for the chars to avoid in the password, are there other chars I should avoid using?
My colleagues use the following in their exclusion policy:
It seems spaces are excluded characters too. It'd be really nice to be able to use more than alphanumerics in our OpenSearch user passwords, for all the common security reasons 👍 Double-quoting or single-quoting the
@williamtrelawny It's not that easy (actually, it is) - because in that area of a URL/URI, per the HTTP specification, only a few special characters are allowed.
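The comment above about which characters the userinfo part of a URL may carry can be made concrete. The following is an added example, written for this page in Python; it is not Graylog code and was not posted by anyone in the thread. It lists the characters RFC 3986 allows unencoded in userinfo, percent-encodes a password before placing it in an elasticsearch_hosts-style URL, parses it back, and shows the failure mode when a password containing "@", "/" or a space is pasted raw: a URL parser then cuts the host name at the wrong place. The host name, user name and passwords are constructed placeholders.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# RFC 3986, section 3.2.1:
#   userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
# Anything outside these sets (space, "@", "/", "?", "#", '"', ...) must be
# percent-encoded before it is placed in the user:password part of a URL.
UNRESERVED = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "abcdefghijklmnopqrstuvwxyz"
              "0123456789-._~")
SUB_DELIMS = "!$&'()*+,;="
# ":" is legal in userinfo but is the user/password separator, so a ":" inside
# the password is treated as needing encoding as well.
USERINFO_SAFE = UNRESERVED + SUB_DELIMS


def chars_needing_encoding(secret: str) -> set:
    """Return the characters of `secret` that cannot appear raw in userinfo."""
    return {c for c in secret if c not in USERINFO_SAFE}


def build_hosts_url(user: str, password: str, host: str,
                    port: int = 443, scheme: str = "https") -> str:
    """Build an elasticsearch_hosts-style URL with percent-encoded credentials.

    quote(..., safe="") encodes everything except unreserved characters, which
    is stricter than RFC 3986 requires but always yields a valid userinfo.
    """
    netloc = f"{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"
    return urlunsplit((scheme, netloc, "", "", ""))


def parse_hosts_url(url: str) -> tuple:
    """Parse a URL the way a URL-aware client does and decode the credentials."""
    parts = urlsplit(url)
    return (unquote(parts.username or ""),
            unquote(parts.password or ""),
            parts.hostname,
            parts.port)


if __name__ == "__main__":
    # Constructed placeholders, not real credentials or a real endpoint.
    host = "vpc-example.ap-southeast-1.es.amazonaws.com"
    password = "p@ss word/1:x"

    print("needs encoding:", sorted(chars_needing_encoding(password)))
    good = build_hosts_url("graylog", password, host)
    print("encoded URL:   ", good)
    print("parsed back:   ", parse_hosts_url(good))

    # Failure mode: the same password pasted raw. The parser ends the
    # authority at the first "/" and takes the host from after the last "@",
    # so the host name and port no longer point at the cluster.
    raw = f"https://graylog:{password}@{host}:443"
    print("raw URL parsed:", parse_hosts_url(raw))
```

Run as a script it prints the encoded URL, the decoded credentials and host recovered from it, and the mangled host that a raw password produces. The practical takeaway for a config value like elasticsearch_hosts is to check the password with chars_needing_encoding and percent-encode it rather than restricting passwords to alphanumerics; whether a given product decodes the userinfo before use is a separate question that only that product's code answers.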
I'm closing this - the issue has not come up for others in the meantime and I was not able to reproduce it.
Having an authentication issue with AWS OpenSearch with Graylog 5.0.2 within ECS Fargate.
Previous setup without authentication works fine.
Expected Behavior
elasticsearch_hosts = https://username:[email protected]:443
Current Behavior
elasticsearch_hosts = https://username:[email protected]:443
where the password contains upper case, lower case, numeric and special chars of either _ - or !
org.graylog2.storage.versionprobe.VersionProbe - Unable to retrieve version from Elasticsearch node vpc-parentsgateway-zxdhaqbggz44a52lzk26amm2wu.ap-southeast-1.es.amazonaws.com:-1: unknown error - an exception occurred while deserializing error response: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Unauthorized': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: (okhttp3.ResponseBody$BomAwareReader); line: 1, column: 13]
Steps to Reproduce (for bugs)
elasticsearch_hosts = https://username:[email protected]:443
to graylog.conf
Context
I did a few tests.
Curl Test within where Graylog is running
curl https://username:[email protected]:443
Within where Graylog is running, I was able to connect to OpenSearch with the response
{
  "name" : "xxxxx",
  "cluster_name" : "xxx:x",
  "cluster_uuid" : "xxx",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.3.0",
    "build_type" : "tar",
    "build_hash" : "unknown",
    "build_date" : "2023-04-20T07:23:19.274646Z",
    "build_snapshot" : false,
    "lucene_version" : "9.3.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Test on VersionProbe.java snippet
I have tested the VersionProbe.java portion, and it works fine; I suspect the issue could lie where it takes the elasticsearch_hosts URL from the config (config parser) to VersionProbe.java. Below is the snippet of what I tested of VersionProbe.java.
The response was
Optional[VersionResponse{number=2.3.0, distribution=opensearch}]