opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

Client certificate setting bypasses password requirements #4378

Open asifbashar opened 1 month ago

asifbashar commented 1 month ago

When the client authentication certificate is set as required in opensearch.yaml, and opensearch_dashboards.yml has "alwaysPresentCertficate" : true, browser login to the dashboard does not validate the password and allows login with any user/password. This allows any user to view the dashboard.

config.yaml example below:

```yaml
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        authentication_backend:
          type: intern
        description: Authenticate via HTTP Basic against internal users database
        http_authenticator:
          challenge: true
          type: basic
        http_enabled: true
        order: 4
        transport_enabled: true
      clientcert_auth_domain:
        authentication_backend:
          type: noop
        description: Authenticate via SSL client certificates
        http_authenticator:
          challenge: false
          config:
            username_attribute: ''
          type: clientcert
        http_enabled: true
        order: 2
        transport_enabled: false
```
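Added illustration, not code from the issue or from the OpenSearch project: a small Python model of how the security plugin walks its authc domains in ascending `order` (first success wins), run against the posted config. The settings dict, the internal users table and the certificate DN are constructed stand-ins.

```python
# Constructed mirror of the authc section posted above (only the fields used here).
AUTHC = {
    "basic_internal_auth_domain": {
        "order": 4, "http_enabled": True,
        "http_authenticator": {"type": "basic", "challenge": True},
        "authentication_backend": {"type": "intern"},
    },
    "clientcert_auth_domain": {
        "order": 2, "http_enabled": True,
        "http_authenticator": {"type": "clientcert", "challenge": False},
        "authentication_backend": {"type": "noop"},
    },
}

# Constructed stand-in for the internal users database.
INTERNAL_USERS = {"admin": "correct-horse"}


def extract_user(authenticator_type, request):
    """What the HTTP authenticator derives from the request: a cert DN or a Basic username."""
    if authenticator_type == "clientcert":
        return request.get("client_cert_dn")
    if authenticator_type == "basic" and request.get("basic"):
        return request["basic"][0]
    return None


def backend_accepts(backend_type, user, request):
    """`noop` trusts whatever the authenticator produced; `intern` checks the password."""
    if backend_type == "noop":
        return True
    if backend_type == "intern":
        return INTERNAL_USERS.get(user) == request.get("basic", (None, None))[1]
    return False


def authenticate(request, authc=AUTHC):
    """Walk HTTP-enabled domains by ascending `order`; return (domain, user) of the first success."""
    for name, dom in sorted(authc.items(), key=lambda kv: kv[1]["order"]):
        if not dom["http_enabled"]:
            continue
        user = extract_user(dom["http_authenticator"]["type"], request)
        if user and backend_accepts(dom["authentication_backend"]["type"], user, request):
            return name, user
    return None


# Dashboards always presents its own certificate, so the clientcert domain (order 2, noop
# backend) accepts the request as the certificate DN and the wrong password is never checked.
WITH_CERT = {"client_cert_dn": "CN=dashboards,O=example", "basic": ("admin", "wrong")}
# The same credentials without a client certificate fall through to the password check.
NO_CERT = {"basic": ("admin", "wrong")}
```

With a `noop` backend the certificate alone decides, so whatever Basic credentials accompany it are irrelevant once a certificate reaches the cluster; the second request shows the password is only consulted when no certificate is presented.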

scrawfor99 commented 1 month ago

[Triage] Hi @asifbashar, thank you for filing this issue. I am not familiar with this configuration myself, so I am not sure whether this is the expected behavior where the certificate setting bypasses the basic auth requirements. Someone will need to look into the intended use of this setting and then address any issues found.