Open asifbashar opened 1 month ago
[Triage] Hi @asifbashar, thank you for filing this issue. I am not familiar with this configuration myself, so I am not sure whether this is the expected behavior where the certificate setting bypasses the basic auth requirements. Someone will need to look into the intended use of this setting and then address any issues found.
When the client authentication certificate is set as required in opensearch.yaml, and opensearch_dashboards.yml has `"alwaysPresentCertficate": true`, browser login to the dashboard does not validate the password and allows login with any user/password. This allows any user to view the dashboard.
config.yaml example below:

```yaml
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        authentication_backend:
          type: intern
        description: Authenticate via HTTP Basic against internal users database
        http_authenticator:
          challenge: true
          type: basic
        http_enabled: true
        order: 4
        transport_enabled: true
      clientcert_auth_domain:
        authentication_backend:
          type: noop
        description: Authenticate via SSL client certificates
        http_authenticator:
          challenge: false
          config:
            username_attribute: ''
          type: clientcert
        http_enabled: true
        order: 2
        transport_enabled: false
```
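The combination the reporter describes can be linted for before it reaches a cluster. The script below is an added example, not code from the security plugin or from the reporter; it rebuilds the posted `config.yaml` as a plain dict (constructed here, so it runs without a YAML library) and flags the case where an HTTP-enabled `clientcert` domain sits at a lower `order` than the `basic` domain while Dashboards is configured to present its own certificate on every request. It assumes that the plugin tries HTTP-enabled authc domains in ascending `order` and that a `clientcert` domain backed by `noop` accepts whatever certificate the TLS layer presents; the function names (`find_cert_shortcut`, `harden`) and the hardening choice (disabling the `clientcert` domain for HTTP) are this example's own, not a fix the issue has confirmed.

```python
import copy

# Constructed dict equivalent of the config.yaml posted in the issue;
# the `dynamic.authc` subtree only.
REPORTED_AUTHC = {
    "basic_internal_auth_domain": {
        "authentication_backend": {"type": "intern"},
        "http_authenticator": {"challenge": True, "type": "basic"},
        "http_enabled": True,
        "order": 4,
        "transport_enabled": True,
    },
    "clientcert_auth_domain": {
        "authentication_backend": {"type": "noop"},
        "http_authenticator": {
            "challenge": False,
            "type": "clientcert",
            "config": {"username_attribute": ""},
        },
        "http_enabled": True,
        "order": 2,
        "transport_enabled": False,
    },
}


def http_domains_in_order(authc):
    """Return (name, domain) pairs for HTTP-enabled domains sorted by `order`.

    Assumption: this is the sequence in which the plugin tries them.
    """
    enabled = [(n, d) for n, d in authc.items() if d.get("http_enabled", False)]
    return sorted(enabled, key=lambda nd: nd[1].get("order", 0))


def find_cert_shortcut(authc, dashboards_always_presents_cert):
    """Name the clientcert domain that would accept every Dashboards request
    before any basic domain checks a password, or None if there is none.

    With alwaysPresentCertificate, Dashboards attaches its service certificate
    to every proxied request, so the first domain consulted decides the
    outcome for all users.  (Hypothetical check; ordering is an assumption.)
    """
    if not dashboards_always_presents_cert:
        return None
    for name, dom in http_domains_in_order(authc):
        atype = dom.get("http_authenticator", {}).get("type")
        if atype == "clientcert":
            return name  # cert is accepted; basic domain is never reached
        if atype == "basic":
            return None  # password is checked before any cert domain
    return None


def harden(authc):
    """Return a copy with clientcert domains disabled for HTTP traffic.

    One possible remediation (this example's choice, not the issue's): keep
    the domain for transport-layer use but stop it from short-circuiting
    browser logins that arrive through Dashboards.
    """
    fixed = copy.deepcopy(authc)
    for dom in fixed.values():
        if dom.get("http_authenticator", {}).get("type") == "clientcert":
            dom["http_enabled"] = False
    return fixed


if __name__ == "__main__":
    order = [n for n, _ in http_domains_in_order(REPORTED_AUTHC)]
    print("HTTP domains tried in order:", order)
    print("shortcut domain:", find_cert_shortcut(REPORTED_AUTHC, True))
    print("after harden:", find_cert_shortcut(harden(REPORTED_AUTHC), True))
```

Run against the posted config, the lint reports `clientcert_auth_domain` as the domain that answers first; with `alwaysPresentCertificate` off, or with the clientcert domain taken out of the HTTP path, it reports nothing. Reordering the domains so `basic` comes first is the other obvious option, but whether a `challenge: true` basic domain then lets requests without an `Authorization` header fall through to the cert domain is exactly the intended-behavior question the triage comment raises, so the example does not assume it.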