Open derek-ho opened 1 month ago
Users should not be automatically logged in as anonymous.
Having said that, this feature can be enabled via a feature flag and can be cluster-specific. The original PR fixed an important bug, where after logging out as a SAML user it would automatically log you in as anonymous. This is not a good user experience.
Reasoning for the observed behavior:
When multi-auth is enabled, the user will still be automatically logged in as anonymous when anonymous auth is enabled, given that the setting opensearch_security.auth.type:
- is present with only 1 type (["basicauth"]), or
- is not present at all. [1][2]
When more than one option is passed for multi-auth, the Multi-Auth handler kicks in, and the block similar to [2] (automatically log in as anonymous when the URL is /) is not present in its handleUnauthedRequest. Hence, we see the login screen instead of auto-login as anonymous. This change was required; otherwise this would automatically log in as anonymous upon logout.
[1] - https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/auth_handler_factory.ts#L64
[2] - https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/basic/basic_auth.ts#L119-L125
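The config-to-behavior rule laid out in the comment above, as an added TypeScript model that is not the plugin's own code and is not part of this thread. The two setting names (opensearch_security.auth.type and opensearch_security.auth.anonymous_auth_enabled) are the real ones; the config object shape, the function names and the Decision type are assumptions made for the example, and a single non-basic auth type is deliberately left unmodeled because the thread does not describe how it interacts with anonymous auth.

```typescript
// Added model (not code from security-dashboards-plugin): how the handler
// selected for the configured auth types decides what an unauthenticated
// request for "/" gets. Config shape and names below are assumptions.

type AuthType = "basicauth" | "saml" | "openid" | "jwt" | "kerberos" | "proxy";

interface AuthConfig {
  // opensearch_security.auth.type: absent, a single string, or a list
  type?: AuthType | AuthType[];
  // opensearch_security.auth.anonymous_auth_enabled
  anonymousAuthEnabled: boolean;
}

type Decision =
  | { action: "auto-login-anonymous" }
  | { action: "login-page"; options: string[] }; // options shown on the sign-in screen

// An absent setting behaves like ["basicauth"]; a bare string is a one-element list.
function normalizeAuthTypes(cfg: AuthConfig): AuthType[] {
  if (cfg.type === undefined) return ["basicauth"];
  return Array.isArray(cfg.type) ? cfg.type : [cfg.type];
}

// Factory rule: more than one type selects the multi-auth handler,
// a single type selects that type's own handler.
function selectHandler(cfg: AuthConfig): "basic" | "multi" | AuthType {
  const types = normalizeAuthTypes(cfg);
  if (types.length > 1) return "multi";
  return types[0] === "basicauth" ? "basic" : types[0];
}

function handleUnauthedRequest(cfg: AuthConfig, path: string): Decision {
  const types = normalizeAuthTypes(cfg);
  const handler = selectHandler(cfg);

  if (handler === "basic") {
    // The basic handler's block: anonymous auth on plus a request for "/"
    // means a silent login as anonymous, with no sign-in screen at all.
    if (cfg.anonymousAuthEnabled && path === "/") {
      return { action: "auto-login-anonymous" };
    }
    return { action: "login-page", options: ["basicauth"] };
  }

  if (handler === "multi") {
    // The multi-auth handler has no such block: it always shows the sign-in
    // options, adding "Log in as Anonymous" as one more option when the flag is on.
    const options: string[] = [...types];
    if (cfg.anonymousAuthEnabled) options.push("anonymous");
    return { action: "login-page", options };
  }

  // A single non-basic type (e.g. SAML alone) goes through that type's own
  // handler; its interaction with anonymous auth is not described in the thread.
  throw new Error(`single "${handler}" handler is not modeled in this example`);
}

// After logout the browser lands on "/", so the same rule decides whether the
// user is silently logged back in as anonymous (single basicauth + anonymous)
// or sees the sign-in page (multi-auth). This is the post-logout case the
// thread is about.
function landingAfterLogout(cfg: AuthConfig): Decision {
  return handleUnauthedRequest(cfg, "/");
}
```

Running landingAfterLogout against both configurations is the quickest way to see why the logout button is a no-op with anonymous-only basic auth but shows the sign-in options once a second auth type (SAML, for instance) is configured.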
where after logging out as SAML user it would automatically log you in as anonymous. This is not a good user experience.
Which is the anonymous feature flag's purpose, right? This is the default behavior behind this feature flag: opensearch_security.auth.anonymous_auth_enabled: true
if I understand correctly. Can you give more info about "This is not a good user experience"?
If users don't want to enable anonymous login, they should refrain from enabling this feature flag.
@Flyingliuhub There are 2 different scenarios to consider when thinking about what the behavior should be:
In the case of 1) anonymous will be logged in automatically. The log out button does show in the dashboard, but it's functionless if anonymous auth is the only sign-in option.
In the case of 2) what should the behavior be?
@DarshitChanpura recently fixed a bug where SAML auth + Anonymous auth were incompatible: https://github.com/opensearch-project/security-dashboards-plugin/issues/1731
The fix for that issue introduced the change in behavior you are seeing.
The behavior now is that if multiple sign in options are configured then it doesn't automatically login and instead displays the sign in options including a button for "Log in as Anonymous".
There was a separate bug that @DarshitChanpura addressed when fixing the SAML + Anon incompatibility, which was that if a user logged in as a regular user (regular meaning not anonymous, so a basic auth user, SAML user, etc.) and logged out, they were being automatically logged in as anonymous instead of being presented with the sign-on options.
@kamingleung Any thoughts on this issue?
[Triage] @Flyingliuhub @kamingleung do you have any more comments?
adding @seraphjiang @BionIT here for more comments
Is your feature request related to a problem?
With a recent PR, some behavior was changed such that when anonymous auth is enabled, the anonymous user is no longer automatically logged in. Instead, when visiting OpenSearch Dashboards, users are presented with a login screen. To support the public playground use case, there is an ask to provide a way to go back to the old behavior of automatically logging in as anonymous.
What solution would you like?
Add a new setting that allows anonymous users to be automatically logged into OpenSearch Dashboards.
What alternatives have you considered?
None
Do you have any additional context?
None