Update 2024-04-30-A-comprehensive-guide-to-setup-and-connect-self-man…

…aged-dashboards-with-Amazon-OpenSearch-domain.md Signed-off-by: Madhan <[email protected]>
erikbledsoe · May 17, 2024 · 209d11c · 209d11c
1 parent af4bdae
commit 209d11c
Showing 1 changed file with 29 additions and 9 deletions.
diff --git a/...e-to-setup-and-connect-self-managed-dashboards-with-Amazon-OpenSearch-domain.md b/...e-to-setup-and-connect-self-managed-dashboards-with-Amazon-OpenSearch-domain.md
@@ -29,7 +29,8 @@ This solution currently supports three different methods of authentication:
 
 ## Prerequisite
 An AWS-managed OpenSearch domain without any authentication method enabled, accompanied by the following domain access policy, is required:
-```json
+
+```
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -44,25 +45,31 @@ An AWS-managed OpenSearch domain without any authentication method enabled, acco
   ]
 }
 ```
+
 **CAUTION**: To establish a connection with the managed OpenSearch Service domain, it is necessary to uninstall the Security plugin from self-managed Dashboards. Otherwise, the Dashboards Security plugin will anticipate a secured domain and will fail to make a connection.
 
 ## Removing the Security plugin and spinning up a self-managed Dashboards instance
 1. Remove all Security plugin configurations from `opensearch_dashboards.yml` or place the following example file in the same folder as the Dockerfile:
-```yml
+
+```
 server.name: opensearch-dashboards
 server.host: "0.0.0.0"
 opensearch.hosts: http://localhost:9200
 ```
+
 2. Create a new Dockerfile, such as the following:
+
 ```
 FROM opensearchproject/opensearch-dashboards:2.5.0
 RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards
 COPY --chown=opensearch-dashboards:opensearch-dashboards opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/
 ```
+
 3. Run the command **`docker build --tag=opensearch-dashboards-no-security .`** to build a new Docker image with the Security plugin removed.
 4. Validate whether the new image has been created by running the **`docker images`** command.
 5. In the following sample **`docker-compose.yml`** file, change the Dashboards image name from **`opensearchproject/opensearch-dashboards:2.5.0`** to **`opensearch-dashboards-no-security`** and remove the username and password fields:
-```yml
+
+```
 version: '3'
 services:
   opensearch-dashboards:
@@ -81,8 +88,10 @@ services:
 networks:
   opensearch-net:
 ```
+
 6. The new **`docker-compose-no-security.yml`** file has now been created and should appear similar to the following file. Now run the **`docker-compose up`** command to run the containers with the new image. Then you can access the self-managed Dashboards instances by connecting to the Amazon Elastic Compute Cloud (Amazon EC2) endpoint with port **`5601`**. By doing so, you can conveniently view and interact with all the saved objects.
-```yml
+
+```
 version: '3'
 services:
   opensearch-dashboards:
@@ -99,6 +108,7 @@ services:
 networks:
   opensearch-net:
 ```
+
 # Setting up self-managed Dashboards instances in Amazon ECS and in an EC2-hosted Docker container: HTTP basic authentication
 
 ## Prerequisite
@@ -109,7 +119,8 @@ The AWS-managed OpenSearch domain must incorporate fine-grained access control (
 2. When creating a task, under **`container definition`** in **`port mapping`**, make sure the container ports **`5601`** and **`9200`** are added.
 3. Under **`environment variables`**, add the mandatory keys and values specified in [this document](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/dashboards.html#dashboards-local) to seamlessly connect with the managed service domain.
 **NOTE**: The following sample **`task.json`** file from the Amazon ECS task definition shows the environment variables that have to be set while creating tasks:
-```json
+
+```
 {
 ...
             "portMappings": [
@@ -146,14 +157,16 @@ The AWS-managed OpenSearch domain must incorporate fine-grained access control (
 ...
 }
 ```
+
 4. Create a service using the previously created task within the same virtual private cloud (VPC) and subnet where the OpenSearch Service domain is operating.
 5. Access the self-managed Dashboards instances by connecting to the public endpoint of the running task in Amazon ECS on AWS Fargate. By doing so, you can conveniently view and interact with all the saved objects in accordance with the FGAC settings.
 
 ## Spinning up a self-managed Dashboards instance in an EC2-hosted container
 1. Deploy an EC2 instance in the same VPC and subnet as the managed OpenSearch Service domain.
 2. Set up Docker/Kubernetes and their dependencies on the instance.
 3. Use the following **`docker-compose.yml`** file to launch a self-managed Dashboards container. After the container is running, you can easily access and interact with all the saved objects.
-```yml
+
+```
 version: '3'
 services:
   opensearch-dashboards:
@@ -172,6 +185,7 @@ services:
 networks:
   opensearch-net:
 ```
+
 4. To enable TLS, add the attributes specified [here](https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/) as environment variables.
 
 **TIP**: One notable advantage of setting up a self-managed Dashboards instance is that when it is deployed on **`Amazon Elastic Container Service (Amazon ECS) on AWS Fargate`**, it generates a public IP address. This allows the self-managed Dashboards instance to be accessed over the internet without the need to set up a reverse proxy. As a result, the OpenSearch domains will be within the VPC, and the self-managed Dashboards instances will be publicly available, enabling seamless connectivity and eliminating the complexity of configuring additional infrastructure components. This simplifies the setup process and provides convenient access to the Dashboards instances from anywhere on the internet without compromising security or requiring additional network configurations.
@@ -186,7 +200,8 @@ An AWS-managed OpenSearch domain with SAML authentication enabled is required. F
 1. Create an EC2 instance within the same VPC where the managed OpenSearch Service domain is operating to configure the self-managed Dashboards instance and capture its endpoint.
 2. Create a new application in your `IDP` with the self-managed Dashboards endpoint, which generates new identity provider (IdP) metadata.
 3. Copy the IdP metadata of the newly created application and paste it into the IdP metadata text box found in the **`Configure identity provider (IdP)`** section on the **Security Configuration** tab of the managed service domain in the AWS Management Console. The following is the sample IdP metadata XML:
-```xml
+
+```
 <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor entityID="http://www.okta.com/exk5o8mj6eLo2an697" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAYhxRsHXMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
 A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
 MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDXRyaWFsLTg4MDM5MzMxHDAaBgkqhkiG9w0B
@@ -204,11 +219,13 @@ Bgn+nueNrZY5+cOLLW8DSayGG0lZanTgtiCqA7JuKgzwxXmpsld1d7JgQ+EshCNLvF8c3iR47/+R
 OzAwZlwvGWNaT3kaLtjdLmFjlDV5PUMiQdBf6DKihH8fdQjty/vbswxqfMGj0aSppxzXn0XG1kwH
 IK5Y04uMGfRjcE+cPA/vPCKPxh/sgB0n6GaJCIDI</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://trial-8803933.okta.com/app/trial-8803933_2325vpc_1/exk5o8zomj6eLo2an697/sso/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://trial-8803933.okta.com/app/trial-8803933_2325vpc_1/exk5o8zomj6eLo2an697/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>
 ```
+
 4. Replace the self-managed Dashboards URL in the security configuration file with the self-managed Dashboards endpoint. The purpose of this change is to guarantee that after the user is authenticated by IdP, they are redirected to the self-managed Dashboards instance instead of the managed Dashboards instance.
 **IMPORTANT**: Users do not have access to modify the security configuration file, so you will need to raise a support case with AWS Support to request a change to the self-managed Dashboards URL endpoint. After AWS Support completes your request, you can check the new endpoint by running the API call **```_opendistro/_security/api/securityconfig```** and validate the **`kibana_url`** changes in the security configuration file.
 5. Install Docker and its dependencies on the EC2 instance.
 6. Use the following **`docker-compose.yml`** file and run the self-managed Dashboards instance:
-```yml
+
+```
 version: '3'
 services:
   opensearch-dashboards:
@@ -227,8 +244,10 @@ services:
 networks:
   opensearch-net:
 ```
+
 7. After the container is up and running, access it by using the command **`docker exec -it <CONTAINER ID> bash`** and then modify the **`opensearch_dashboards.yml`** file by adding the SAML-specific attributes. Once the modifications are made, restart the container using **`docker restart <CONTAINER ID>`**. See the following sample **`opensearch_dashboards.yml`** file as a reference. See [OpenSearch Dashboards configuration](https://opensearch.org/docs/latest/security/authentication-backends/saml/#opensearch-dashboards-configuration) for more information.
-```yml
+
+```
 opensearch.hosts: [https://localhost:9200]
 opensearch.ssl.verificationMode: none
 opensearch.username: kibanaserver
@@ -243,6 +262,7 @@ server.host: '0.0.0.0'
 opensearch_security.auth.type: "saml"
 server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
 ```
+
 8. After restarting the container, you can access the self-managed Dashboards instance by connecting to the EC2 endpoint with port `5601`. By doing so, you can view and interact with all the saved objects in accordance with the FGAC settings and SAML authentication.
 
 **CAUTION**: If the endpoint is transitioned to self-managed Dashboards and the user intends to revert to the managed service Dashboards endpoint, they must repeat the same procedure, which involves changing the kibana_url in the security configuration file back to the managed service Dashboards endpoint. Until this change is made, the managed service Dashboards endpoint will remain inaccessible.