enabled SSO - no Wazuh Dashboard permissions


Bob Cunius

Mar 24, 2023, 9:44:58 PM
to Wazuh mailing list
Hi,

I'm running Version 4.3.10 of the all in one AWS AMI installation.

I enabled Single Sign-On (with GSuite). I can successfully authenticate but am having a problem with the role mappings.

I did map the new backend role "Wazuh_access" to "all_access" in /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml:

all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "Wazuh_access"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

When I login to the Wazuh dashboard I see the following permission when clicking my avatar -> "View Roles and Identities": 

Roles (2)
Roles you are currently mapped to by your administrator.
own_index
all_access
Backend roles (2)
Backend roles you are currently mapped to by your administrator.

Wazuh_access

Strangely it says I am mapped to two backend roles but only shows "Wazuh_access" after a blank line. I'm not sure what other Backend role I would be mapped to. Perhaps this is a clue.

From the navigation menu on the left I seem to have full access with OpenSearch dashboards and Opensearch Plugins. e.g. I can see events from my agents under Opensearch Dashboards > Discover.

However, I have no access under Home or the Wazuh section. For instance I cannot see previously registered agents and am not able to register new agents. Clicking "Add agent" shows the following errors:

This section could not be configured because you do not have permission to read groups.
This section could not be displayed because you do not have permission to get access to the registration service.

If I disable SSO I can still login as my existing internal user and see all of my agents.

I thought maybe it was a caching issue between different components, but I've tried purging the cache under OpenSearch Plugins > Security and have rebooted the entire server to no avail.

Any idea where I went wrong?

Thanks,
Bob

Devender Rao

Mar 27, 2023, 3:28:42 AM
to Wazuh mailing list
Hi,

Thanks for using Wazuh!
Have you followed the steps which are in the following documentation?

https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/google.html

Also, as I am able to see, there should be 2 roles: one should be admin and the other Wazuh_access.

Can you recheck all the steps and try again by following the documentation?
1. Google configuration
2. Wazuh indexer configuration
   configuration file (/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml)
3. Wazuh dashboard configuration
   configuration file (/etc/wazuh-dashboard/opensearch_dashboards.yml)

I hope it helps. Please let us know the updates regarding the configuration and troubleshooting.
Regards,
Devender 

Bob Cunius

Mar 27, 2023, 4:46:11 PM
to Wazuh mailing list
Hi,

Thank you for getting back to me. I wasn't clear in my initial posting, but yes I followed the instructions on that page to set up SSO.

I can happily report that I just fixed my issue. Possibly my experience can help others.

I created a new Wazuh all-in-one server to test my setup from scratch. I did the initial setup but didn't add any custom internal users. Then I enabled GSuite SSO on this instance and it worked.

So I started to compare my existing server to the newly set up working server. On the problematic server, I had created custom internal users in the past by following the instructions here: https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html?highlight=run_as, which had me set run_as to true in wazuh.yml. So I set run_as back to false, restarted wazuh-dashboard, and logged in using SSO, and now the entire dashboard is working.

Maybe the SSO instructions should note that run_as must be set to false in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml?

All the best,
Bob
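A small preflight check for the two settings this thread turns on, written as an added example (it is not a Wazuh tool and not Bob's own script): it confirms that the SSO backend role is listed under all_access.backend_roles in roles_mapping.yml, and flags run_as: true in wazuh.yml, the setting Bob found was breaking the Wazuh app for SSO logins. The sample files it writes are constructed here and the wazuh.yml layout (hosts/default/run_as) is assumed for illustration.

```shell
#!/bin/sh
# Preflight check for Wazuh SSO role mapping (added example, not Wazuh's own tooling):
#  1. the SSO backend role must be listed under all_access.backend_roles in roles_mapping.yml
#  2. run_as must not be true in wazuh.yml (the thread's fix is run_as: false)
# Usage: check_sso_preflight <roles_mapping.yml> <wazuh.yml> <backend_role>
check_sso_preflight() {
  roles_mapping="$1"; wazuh_yml="$2"; sso_role="$3"; status=0
  # Walk roles_mapping.yml: inside the top-level all_access block, scan the
  # backend_roles list for the SSO role (quotes stripped, 2-space indent as in the thread).
  if awk -v role="$sso_role" '
      /^[^ #]/ { in_block = ($0 ~ /^all_access:/); in_list = 0 }
      in_block && /^  backend_roles:/ { in_list = 1; next }
      in_block && in_list && /^  - / { item = $2; gsub(/"/, "", item); if (item == role) found = 1; next }
      in_block && in_list { in_list = 0 }
      END { exit found ? 0 : 1 }' "$roles_mapping"; then
    echo "ok: backend role $sso_role is mapped to all_access"
  else
    echo "MISSING: $sso_role is not under all_access.backend_roles in $roles_mapping"; status=1
  fi
  # run_as: true is the setting Bob had to turn off before SSO users could use the Wazuh app.
  if grep -Eq '^[[:space:]]*run_as:[[:space:]]*true' "$wazuh_yml"; then
    echo "WARNING: run_as is true in $wazuh_yml; the thread's fix is run_as: false"; status=1
  else
    echo "ok: run_as is not enabled in $wazuh_yml"
  fi
  return $status
}

# Constructed sample files (not from a real server) so the check runs offline.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/roles_mapping.good.yml" <<'EOF'
all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "Wazuh_access"
  hosts: []
EOF
printf 'hosts:\n  - default:\n      url: https://localhost\n      run_as: false\n' > "$DEMO_DIR/wazuh.good.yml"
# Bad variant: SSO role never mapped, and run_as still true as in Bob's original setup.
sed '/Wazuh_access/d' "$DEMO_DIR/roles_mapping.good.yml" > "$DEMO_DIR/roles_mapping.bad.yml"
printf 'hosts:\n  - default:\n      url: https://localhost\n      run_as: true\n' > "$DEMO_DIR/wazuh.bad.yml"

check_sso_preflight "$DEMO_DIR/roles_mapping.good.yml" "$DEMO_DIR/wazuh.good.yml" Wazuh_access
check_sso_preflight "$DEMO_DIR/roles_mapping.bad.yml" "$DEMO_DIR/wazuh.bad.yml" Wazuh_access || echo "bad config detected"
```

Point it at the real /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml and /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml on a server before enabling SSO; a non-zero exit means at least one of the two conditions from the thread is present.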

Jim Nitterauer

Mar 28, 2023, 10:29:51 AM
to Wazuh mailing list
I had exactly the same experience. I will test this and report back. It’s a cumbersome process switching back and forth thanks to the convoluted security in OpenSearch.

Jim Nitterauer 

Daniel Chung

May 11, 2023, 11:19:25 AM
to Wazuh mailing list
Hi All,

I'm having the same issue after SSO was enabled. One main difference is that I have also enabled multiple authentication options, so I have an option to select whether I log in using a local internal user or SSO on the logon screen. I needed this function as a business requirement.
With an internal user logged in, it works perfectly, but with an SSO user logged in, there is no permission to see any agents, even though the role mapping is configured as admin with full access to all indices.

I would appreciate it if someone could confirm whether disabling run_as is the fix to go with.

Daniel