[Security Plugin] The root_ca property for Open ID configurations isn't documented

[zehonghuang]

https://github.com/opensearch-project/security-dashboards-plugin/blob/5e4004fbb7195f5a5f9f7ded14ea7ea49dadecaa/server/auth/types/openid/openid_auth.ts#L115

I have expended efforts to solve just because this.config.openid.root_ca display no in documentnation.
Using https keycloak-openid maybe occur OpenId authentication failed: Error: Client request error: unable to get issuer certificate.

So, Please Update doc !

[peternied]

thanks for filing this issue, I'm moving this to the documentation repo where it can be updated, if you'd like to update the documentation around Open ID see openid-connect.md, we would be happy to review a pull request.

[cwillum]

@opensearch-project/security Could someone weigh in and provide a description for this property? Then we'll get it into documentation. Thanks.

[peternied]

Based on the name and usage, its a path to a root certification authority file, in a pem format. AFAIK it should follow the same usage patterns we have in security around other root CA certificates. See additional background from https://opensearch.org/docs/latest/dashboards/install/tls/ that looks like it should align with this usage.

[cwillum]

If this property is used for certificate validation using OpenID, it's not clear to me how root_ca would differ from pemtrustedcas_filepath (described as "Absolute path to the PEM file containing the root CAs of your IdP."). Should root_ca specify a different path?

[zehonghuang]

If this property is used for certificate validation using OpenID, it's not clear to me how root_ca would differ from pemtrustedcas_filepath (described as "Absolute path to the PEM file containing the root CAs of your IdP."). Should root_ca specify a different path?

Actually, they are the same file, but used in different places. Kibana verify OpenID TLS with root_ca.

[cwillum]

@zehonghuang Thanks for the reply and additional information. I just wanted to confirm that you're using root_ca to specify the path to the root CA with Kibana. Do you agree that pemtrustedcas_filepath should accomplish the same for Dashboards?

[zehonghuang]

I think names should at least be consistent, and documented. :p

[cwillum]

@opensearch-project/security I've looked into this a little more. The pemtrustedcas_filepath property is pretty well established syntax for specifying the "Absolute path to the PEM file containing the root CAs of your IdP" in OpenID for TLS settings (as well as SAML). I'm beginning to wonder if root_ca might be a configuration property specifying the same but related to client certificates. If so, I'm still not sure when/how it is used. And I may be barking up the wrong tree anyhow. Could the reference in the openid_auth.ts file, #L115 shed more light on this?

[peternied]

@cwillum I've started a discussion to try to get help looking into this issue, follow up at https://github.com/orgs/opensearch-project/teams/security/discussions/3

[hdhalter]

Hi @peternied - did you find any resolution to this issue? I can't access the above link, so not sure if there was any discussion about this. Thanks!

[peternied]

I can't find it either, looks like that was deleated. Can we document the setting for root_ca like we've documented the other dashboards settings. Looks like we can existing description for pemtrustedcas_filepath as a good starting point.

[hdhalter]

Sounds good! Can you please update the file with the description? And would it go here: https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/security-settings/?

[peternied]

@derek-ho Would you mind taking a look at making this change?