Fixed the yaml keyword instead of yml and added bullets in the blog. #2882

Merged (4 commits), May 20, 2024
Expand Up @@ -49,27 +49,27 @@ An AWS-managed OpenSearch domain without any authentication method enabled, acco
**CAUTION**: To establish a connection with the managed OpenSearch Service domain, it is necessary to uninstall the Security plugin from self-managed Dashboards. Otherwise, the Dashboards Security plugin will anticipate a secured domain and will fail to make a connection.

## Removing the Security plugin and spinning up a self-managed Dashboards instance
1. Remove all Security plugin configurations from `opensearch_dashboards.yml` or place the following example file in the same folder as the Dockerfile:
* Remove all Security plugin configurations from `opensearch_dashboards.yml` or place the following example file in the same folder as the Dockerfile:

```
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: http://localhost:9200
```

2. Create a new Dockerfile, such as the following:
* Create a new Dockerfile, such as the following:

```
FROM opensearchproject/opensearch-dashboards:2.5.0
RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards
COPY --chown=opensearch-dashboards:opensearch-dashboards opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/
```

3. Run the command **`docker build --tag=opensearch-dashboards-no-security .`** to build a new Docker image with the Security plugin removed.
4. Validate whether the new image has been created by running the **`docker images`** command.
5. In the following sample **`docker-compose.yml`** file, change the Dashboards image name from **`opensearchproject/opensearch-dashboards:2.5.0`** to **`opensearch-dashboards-no-security`** and remove the username and password fields:
* Run the command **`docker build --tag=opensearch-dashboards-no-security .`** to build a new Docker image with the Security plugin removed.
* Validate whether the new image has been created by running the **`docker images`** command.
* In the following sample **`docker-compose.yml`** file, change the Dashboards image name from **`opensearchproject/opensearch-dashboards:2.5.0`** to **`opensearch-dashboards-no-security`** and remove the username and password fields:

```
```yaml
version: '3'
services:
opensearch-dashboards:
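Review bot: turning the numbered steps into bullets drops the ordering this section depends on (the `opensearch_dashboards.yml` must exist before the Dockerfile's `COPY`, and the image must be built and verified before `docker-compose.yml` references `opensearch-dashboards-no-security`); if bullets are preferred, the step order should be made explicit in the text. The fence tagging is also inconsistent within the hunk: the compose block gains ```yaml, but the `opensearch_dashboards.yml` block (opening with ``` before `server.name: opensearch-dashboards`) and the Dockerfile block stay untagged; tagging them ```yaml and ```dockerfile matches the PR's stated purpose. One sentence next to `server.host: "0.0.0.0"` would help readers: with the Security plugin removed, this Dashboards instance accepts anyone who can reach port 5601, so binding to all interfaces is only reasonable inside a private subnet or behind a restrictive security group.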
Expand All @@ -89,9 +89,9 @@ networks:
opensearch-net:
```

6. The new **`docker-compose-no-security.yml`** file has now been created and should appear similar to the following file. Now run the **`docker-compose up`** command to run the containers with the new image. Then you can access the self-managed Dashboards instances by connecting to the Amazon Elastic Compute Cloud (Amazon EC2) endpoint with port **`5601`**. By doing so, you can conveniently view and interact with all the saved objects.
* The new **`docker-compose-no-security.yml`** file has now been created and should appear similar to the following file. Now run the **`docker-compose up`** command to run the containers with the new image. Then you can access the self-managed Dashboards instances by connecting to the Amazon Elastic Compute Cloud (Amazon EC2) endpoint with port **`5601`**. By doing so, you can conveniently view and interact with all the saved objects.

```
```yaml
version: '3'
services:
opensearch-dashboards:
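Review bot: the bullet tells the reader to run `docker-compose up`, but the file it describes is named `docker-compose-no-security.yml`, which Compose does not read by default; the command should be `docker-compose -f docker-compose-no-security.yml up` (or the file should be saved as `docker-compose.yml`). The phrase "has now been created" also refers back to the edit in the preceding step, which was step 5 before the renumbering was removed; now that the ordering is implicit, say explicitly that the edited sample from the bullet above is saved under that name.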
Expand All @@ -115,9 +115,9 @@ networks:
The AWS-managed OpenSearch domain must incorporate fine-grained access control (FGAC) with HTTP basic authentication, ensuring that a primary user is created in the internal user database. For more information, see [this tutorial](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac-http-auth.html).

## Spinning up a self-managed Dashboards instance in Amazon ECS
1. Create a task within Amazon Elastic Container Service (Amazon ECS) on AWS Fargate using the Dashboards Docker image.
2. When creating a task, under **`container definition`** in **`port mapping`**, make sure the container ports **`5601`** and **`9200`** are added.
3. Under **`environment variables`**, add the mandatory keys and values specified in [this document](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/dashboards.html#dashboards-local) to seamlessly connect with the managed service domain.
* Create a task within Amazon Elastic Container Service (Amazon ECS) on AWS Fargate using the Dashboards Docker image.
* When creating a task, under **`container definition`** in **`port mapping`**, make sure the container ports **`5601`** and **`9200`** are added.
* Under **`environment variables`**, add the mandatory keys and values specified in [this document](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/dashboards.html#dashboards-local) to seamlessly connect with the managed service domain.
**NOTE**: The following sample **`task.json`** file from the Amazon ECS task definition shows the environment variables that have to be set while creating tasks:

```
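Review bot: the **NOTE** line follows the last bullet with no blank line, so Markdown renders it as a continuation of that bullet rather than a standalone note; insert a blank line before it. The `task.json` fence that opens at the end of this hunk is still a bare ```, while the compose blocks in this PR now carry ```yaml; tag it ```json for consistency.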
Expand Down Expand Up @@ -158,15 +158,15 @@ The AWS-managed OpenSearch domain must incorporate fine-grained access control (
}
```

4. Create a service using the previously created task within the same virtual private cloud (VPC) and subnet where the OpenSearch Service domain is operating.
5. Access the self-managed Dashboards instances by connecting to the public endpoint of the running task in Amazon ECS on AWS Fargate. By doing so, you can conveniently view and interact with all the saved objects in accordance with the FGAC settings.
* Create a service using the previously created task within the same virtual private cloud (VPC) and subnet where the OpenSearch Service domain is operating.
* Access the self-managed Dashboards instances by connecting to the public endpoint of the running task in Amazon ECS on AWS Fargate. By doing so, you can conveniently view and interact with all the saved objects in accordance with the FGAC settings.

## Spinning up a self-managed Dashboards instance in an EC2-hosted container
1. Deploy an EC2 instance in the same VPC and subnet as the managed OpenSearch Service domain.
2. Set up Docker/Kubernetes and their dependencies on the instance.
3. Use the following **`docker-compose.yml`** file to launch a self-managed Dashboards container. After the container is running, you can easily access and interact with all the saved objects.
* Deploy an EC2 instance in the same VPC and subnet as the managed OpenSearch Service domain.
* Set up Docker/Kubernetes and their dependencies on the instance.
* Use the following **`docker-compose.yml`** file to launch a self-managed Dashboards container. After the container is running, you can easily access and interact with all the saved objects.

```
```yaml
version: '3'
services:
opensearch-dashboards:
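Review bot: the second bullet directs users to the task's public endpoint, and the only gate at that point is the FGAC basic-auth primary user from the prerequisite above; the text should say that the task's security group should restrict port 5601 to the intended source ranges, and that any credentials among the environment variables placed in `task.json` should be supplied as secret references rather than plaintext values, since the task definition is readable by anyone with ECS describe permissions.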
Expand All @@ -186,20 +186,19 @@ networks:
opensearch-net:
```

4. To enable TLS, add the attributes specified [here](https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/) as environment variables.
* To enable TLS, add the attributes specified [here](https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/) as environment variables.

**TIP**: One notable advantage of setting up a self-managed Dashboards instance is that when it is deployed on **`Amazon Elastic Container Service (Amazon ECS) on AWS Fargate`**, it generates a public IP address. This allows the self-managed Dashboards instance to be accessed over the internet without the need to set up a reverse proxy. As a result, the OpenSearch domains will be within the VPC, and the self-managed Dashboards instances will be publicly available, enabling seamless connectivity and eliminating the complexity of configuring additional infrastructure components. This simplifies the setup process and provides convenient access to the Dashboards instances from anywhere on the internet without compromising security or requiring additional network configurations.

# Setting up a self-managed Dashboards instance in an EC2-hosted container: SAML authentication

## Prerequisite
An AWS-managed OpenSearch domain with SAML authentication enabled is required. For more information, see [SAML authentication for OpenSearch Dashboards](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html).
)
An AWS-managed OpenSearch domain with SAML authentication enabled is required. For more information, see [SAML authentication for OpenSearch Dashboards](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html)

## Spinning up a self-managed Dashboards instance in an EC2-hosted container
1. Create an EC2 instance within the same VPC where the managed OpenSearch Service domain is operating to configure the self-managed Dashboards instance and capture its endpoint.
2. Create a new application in your `IDP` with the self-managed Dashboards endpoint, which generates new identity provider (IdP) metadata.
3. Copy the IdP metadata of the newly created application and paste it into the IdP metadata text box found in the **`Configure identity provider (IdP)`** section on the **Security Configuration** tab of the managed service domain in the AWS Management Console. The following is the sample IdP metadata XML:
* Create an EC2 instance within the same VPC where the managed OpenSearch Service domain is operating to configure the self-managed Dashboards instance and capture its endpoint.
* Create a new application in your `IDP` with the self-managed Dashboards endpoint, which generates new identity provider (IdP) metadata.
* Copy the IdP metadata of the newly created application and paste it into the IdP metadata text box found in the **`Configure identity provider (IdP)`** section on the **Security Configuration** tab of the managed service domain in the AWS Management Console. The following is the sample IdP metadata XML:

```
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor entityID="http://www.okta.com/exk5o8mj6eLo2an697" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAYhxRsHXMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
Expand All @@ -220,12 +219,13 @@ OzAwZlwvGWNaT3kaLtjdLmFjlDV5PUMiQdBf6DKihH8fdQjty/vbswxqfMGj0aSppxzXn0XG1kwH
IK5Y04uMGfRjcE+cPA/vPCKPxh/sgB0n6GaJCIDI</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://trial-8803933.okta.com/app/trial-8803933_2325vpc_1/exk5o8zomj6eLo2an697/sso/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://trial-8803933.okta.com/app/trial-8803933_2325vpc_1/exk5o8zomj6eLo2an697/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>
```

4. Replace the self-managed Dashboards URL in the security configuration file with the self-managed Dashboards endpoint. The purpose of this change is to guarantee that after the user is authenticated by IdP, they are redirected to the self-managed Dashboards instance instead of the managed Dashboards instance.
* Replace the self-managed Dashboards URL in the security configuration file with the self-managed Dashboards endpoint. The purpose of this change is to guarantee that after the user is authenticated by IdP, they are redirected to the self-managed Dashboards instance instead of the managed Dashboards instance.

**IMPORTANT**: Users do not have access to modify the security configuration file, so you will need to raise a support case with AWS Support to request a change to the self-managed Dashboards URL endpoint. After AWS Support completes your request, you can check the new endpoint by running the API call **```_opendistro/_security/api/securityconfig```** and validate the **`kibana_url`** changes in the security configuration file.
5. Install Docker and its dependencies on the EC2 instance.
6. Use the following **`docker-compose.yml`** file and run the self-managed Dashboards instance:
* Install Docker and its dependencies on the EC2 instance.
* Use the following **`docker-compose.yml`** file and run the self-managed Dashboards instance:

```
```yaml
version: '3'
services:
opensearch-dashboards:
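Review bot: the first bullet, "Replace the self-managed Dashboards URL in the security configuration file with the self-managed Dashboards endpoint", replaces a value with itself; per the **IMPORTANT** note the value being changed is `kibana_url`, which currently points at the managed Dashboards endpoint, so it should read "Replace the managed Dashboards URL (`kibana_url`) in the security configuration file with the self-managed Dashboards endpoint". The **IMPORTANT** line also directly follows that bullet with no blank line, and the inline API path is wrapped in triple backticks inside bold (`**```_opendistro/_security/api/securityconfig```**`) where the rest of the post uses single backticks.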
Expand All @@ -245,7 +245,7 @@ networks:
opensearch-net:
```

7. After the container is up and running, access it by using the command **`docker exec -it <CONTAINER ID> bash`** and then modify the **`opensearch_dashboards.yml`** file by adding the SAML-specific attributes. Once the modifications are made, restart the container using **`docker restart <CONTAINER ID>`**. See the following sample **`opensearch_dashboards.yml`** file as a reference. See [OpenSearch Dashboards configuration](https://opensearch.org/docs/latest/security/authentication-backends/saml/#opensearch-dashboards-configuration) for more information.
* After the container is up and running, access it by using the command **`docker exec -it <CONTAINER ID> bash`** and then modify the **`opensearch_dashboards.yml`** file by adding the SAML-specific attributes. Once the modifications are made, restart the container using **`docker restart <CONTAINER ID>`**. See the following sample **`opensearch_dashboards.yml`** file as a reference. See [OpenSearch Dashboards configuration](https://opensearch.org/docs/latest/security/authentication-backends/saml/#opensearch-dashboards-configuration) for more information.

```
opensearch.hosts: [https://localhost:9200]
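Review bot: editing `opensearch_dashboards.yml` via `docker exec` inside the running container does not survive Compose recreating the container (a compose-file change or image update), so the SAML settings silently disappear and the instance falls back to the non-SAML config; suggest mounting the file as a volume in the compose file or baking it in with `COPY`, as the Dockerfile earlier in this post already does. The fence opening the sample `opensearch_dashboards.yml` at the end of this hunk is still an untagged ```; tag it ```yaml.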
Expand All @@ -263,7 +263,7 @@ opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
```

8. After restarting the container, you can access the self-managed Dashboards instance by connecting to the EC2 endpoint with port `5601`. By doing so, you can view and interact with all the saved objects in accordance with the FGAC settings and SAML authentication.
* After restarting the container, you can access the self-managed Dashboards instance by connecting to the EC2 endpoint with port `5601`. By doing so, you can view and interact with all the saved objects in accordance with the FGAC settings and SAML authentication.

**CAUTION**: If the endpoint is transitioned to self-managed Dashboards and the user intends to revert to the managed service Dashboards endpoint, they must repeat the same procedure, which involves changing the kibana_url in the security configuration file back to the managed service Dashboards endpoint. Until this change is made, the managed service Dashboards endpoint will remain inaccessible.

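Review bot: in the **CAUTION** paragraph `kibana_url` appears as plain text while the **IMPORTANT** note above formats it as code; use backticks. The caveat itself (the managed Dashboards endpoint stays unreachable until `kibana_url` is switched back through another support case) is significant enough that it should be stated once at the start of the SAML section as well, since a reader following the bullets only learns it after finishing.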