Anonymous User - Multiple Authentication

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.4.0

Describe the issue:
I would like to have OpenSearch configured such that a user can either log in (via LDAP) and do whatever they need to based on their roles, or have an anonymous user with RO access.

I know that the 2 things can be done separately (we use LDAP today) and I’ve seen (but never understood how to configure) the anonymous user with https://playground.opensearch.org

The reason for the anonymous use is iframe embedding of some dashboards…
With Elastic the configuration was straightforward, but with OpenSearch I am struggling to understand how that would be done…

I hope that’s actually possible with the help of the multiple-authentication options feature just added

https://opensearch.org/docs/latest/security-plugin/configuration/multi-auth/

If anyone could help me, I would be extremely grateful. Below is a screenshot from Elasticsearch

Relevant Logs or Screenshots:

image

Hi there,

Multiple Authentication Option feature for OpenSearch Dashboards can also enable anonymous login along with Basic authentication and OIDC. Configuration Steps:

  1. Follow the instructions to enable multiple authentication for basic and OIDC
  2. Enable Anonymous login:
  • opensearch_dashboards.yml

    opensearch_security.auth.anonymous_auth_enabled: true

  • config.yml


Thanks for the feedback… OIDC? If you mean openid, then what am I supposed to connect it to? We have no connection to OpenID providers

We are using LDAP

Hi @anubisg1,

Authentication type: openid defined by OpenSearch Dashboards is based on OpenID Connect (OIDC) protocol. If I did not misunderstand, you configure LDAP as your authentication backend for basic authentication. If that is true, you do not need to enable multiple authentication. You can follow the steps below:

  1. Follow the instructions to enable basic auth with LDAP as authentication backend
  2. Enable Anonymous login:
  • opensearch_dashboards.yml

    opensearch_security.auth.anonymous_auth_enabled: true
    
  • config.yml

    http:
         anonymous_auth_enabled: true
    

Thanks

@aoguan

Thank you for your reply. I think that in config.yml you meant to say:

http:
  anonymous_auth_enabled: true

This is my configuration

opensearch_dashboards.yml

opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch.ssl.verificationMode: none
opensearchDashboards.branding.applicationTitle: XXXXX
opensearchDashboards.branding.faviconUrl: 'XXXX'
opensearchDashboards.branding.logo.defaultUrl: 'XXX'
opensearchDashboards.branding.mark.darkModeUrl: 'XXX'
opensearchDashboards.branding.mark.defaultUrl: 'XXXX'
opensearch_security.auth.anonymous_auth_enabled: true
opensearch_security.multitenancy.enable_filter: false
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: false
opensearch_security.multitenancy.tenants.preferred: ["Global"]
opensearch_security.ui.basicauth.login.brandimage: 'XXX'
opensearch_security.ui.basicauth.login.title: xxxx
server.maxPayloadBytes: 8388608
server.name: opensearch-cluster-dashboards

config.yml

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: true
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: "4"
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
xxxxx
    authz:
      ldap:
xxxxx

The problem I see is that if I land on the dashboard page I get automatically logged in as “opendistro_security_anonymous” and there is no button “log in as anonymous”.
To log in with username and password I must first log out from anonymous, then enter my credentials.

image

Hi @anubisg1,

That is the expected behavior for anonymous login for now. If you have any feedback on the existing authentication experience, please feel free to leave your feedback on:

  1. Feedback Forum
  2. OpenSearch Dashboards Repo

Looking forward to your feedback!

In your screenshot you have “login as anonymous”. How did you achieve that?

This is exactly what I am after

Hi @anubisg1, I was wondering if you were able to reach this phase of logging in as anonymous. I am not able to do that even though I followed the documentation and applied exactly the changes in config.yml and opensearch_dashboards.yml. Your help is much appreciated

Yes, it’s basically a mess. Assuming your configuration is ok, you have to click on the blue login button by leaving username and password blank.

For me it’s a terrible design choice as “login as anonymous” should be there as a button always, regardless of how many authentications are enabled

@anubisg1 @MelissaL Just a small clarification in terms of the “Log in as anonymous”

I did some testing and this button appeared and worked for me in two scenarios.

First, when config.yml has anonymous auth enabled and opensearch_dashboards has multiple_auth_enabled with basicauth and openid.

config.yml:

http:
     anonymous_auth_enabled: true

opensearch_dashboards.yml:

opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.anonymous_auth_enabled: true
opensearch_security.auth.multiple_auth_enabled: true

Second, when config.yml has anonymous auth enabled and opensearch_dashboards has multiple_auth_enabled with basicauth and saml.

config.yml:

http:
     anonymous_auth_enabled: true

opensearch_dashboards.yml:

opensearch_security.auth.type: ["basicauth","saml"]
opensearch_security.auth.anonymous_auth_enabled: true
opensearch_security.auth.multiple_auth_enabled: true

If you have the auth type set to only basicauth, then “Log in as anonymous” won’t appear and you will be automatically logged in as an anonymous user.

opensearch_security.auth.type: ["basicauth"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.anonymous_auth_enabled: true

Thank you so much @pablo I am able to see Log in as anonymous.
But whenever I try to log in as anonymous, it gives me unauthorized. Did you add any additional configuration? How were you able to log in as anonymous?

@MelissaL Take a look at this post.


I’ve followed exactly the same configurations:

  1. Set “anonymous_auth_enabled” to true in config.yml
  2. Add this line in opensearch_dashboards.yml:
    opensearch_security.auth.anonymous_auth_enabled: true
  3. Add this in roles.yml:

    opendistro_security_anonymous:
      cluster_permissions:
        - "unlimited"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "unlimited"
      tenant_permissions:
        - tenant_patterns:
            - "global_tenant"
          allowed_actions:
            - "kibana_all_write"

  4. Add this in roles_mapping.yml:

    opendistro_security_anonymous:
      backend_roles:
        - "opendistro_security_anonymous_backendrole"

Am I missing something here? Because I am still not able to login via anonymous.
I tried to login with an empty username and an empty password but it gives me 401 unauthorized

@MelissaL Could you share your config.yml and opensearch_dashboards.yml files?

This is the opensearch-dashboard configuration:

This is config.yml:

@MelissaL Could you share the output of the following command?

curl --insecure "https://<OpenSearch_FQDN_or_IP>:9200/_plugins/_security/authinfo?pretty"

I am getting unauthorized

@MelissaL What about this one?

curl --insecure -u admin:<password> "https://<OpenSearch_FQDN_or_IP>:9200/_plugins/_security/api/securityconfig?pretty"

@MelissaL What is your OpenSearch version?

Also, how do you apply the configuration to the cluster? Are you running OpenSearch as a service, docker or pod?

@MelissaL I was able to reproduce the “Unauthorized” error only when config.dynamic.http.anonymous_auth_domain was set to false.

The last API should tell you if it is enabled inside the cluster. If you have OpenSearch running as a service, then restarting the service won’t update the configuration. Also, it won’t update the config if you use Docker and you just restart it.
Once the security index is created, the only way to update it is the securityadmin.sh script.

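The checks discussed across this thread, collected as an added example (not code from any poster or from the OpenSearch project): given the JSON returned by the securityconfig call, the text of opensearch_dashboards.yml and the anonymous role, it reports which login behaviour to expect and which grants on the role go beyond read-only. The response shape (nested like config.yml, using the `anonymous_auth_enabled` key from the config.yml posted earlier), the `basicauth` default, the outcome labels and the write-grant heuristic are assumptions; the sample inputs are constructed.

```python
import json

def parse_dashboards_yml(text):
    """Parse the flat 'dotted.key: value' lines of opensearch_dashboards.yml."""
    settings = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition(":")
        if sep and not key.startswith("#"):
            try:
                settings[key.strip()] = json.loads(raw.strip())  # true, 123, ["a","b"]
            except ValueError:
                settings[key.strip()] = raw.strip().strip("'\"")  # plain string
    return settings

def write_grants(role):
    """Heuristic (assumption): actions on the anonymous role beyond read-only."""
    found = [("cluster_permissions", a) for a in role.get("cluster_permissions", [])]
    found += [(s, a) for s in ("index_permissions", "tenant_permissions")
              for e in role.get(s, []) for a in e.get("allowed_actions", [])]
    return [(where, a) for where, a in found if a == "unlimited" or "write" in a]

def diagnose(securityconfig_json, dashboards_yml, anon_role):
    """Predict the login behaviour reported in the thread from both configs."""
    http = json.loads(securityconfig_json)["config"]["dynamic"].get("http", {})  # shape assumed
    dash = parse_dashboards_yml(dashboards_yml)
    types = dash.get("opensearch_security.auth.type", ["basicauth"])  # assumed default
    types = [types] if isinstance(types, str) else types
    if not http.get("anonymous_auth_enabled", False):
        login = "unauthorized"  # flag not active in the security index
    elif dash.get("opensearch_security.auth.anonymous_auth_enabled") is not True:
        login = "dashboards-disabled"  # Dashboards side not switched on
    elif dash.get("opensearch_security.auth.multiple_auth_enabled") is True and len(types) > 1:
        login = "button"  # "Log in as anonymous" appears on the login page
    else:
        login = "auto"  # visitor is signed in as anonymous automatically
    return {"login": login, "write_grants": write_grants(anon_role)}

# Constructed sample inputs, modelled on the settings posted in the thread.
SAMPLE_SECURITYCONFIG = '{"config": {"dynamic": {"http": {"anonymous_auth_enabled": true}}}}'
SAMPLE_DASHBOARDS = """
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.anonymous_auth_enabled: true
opensearch_security.auth.multiple_auth_enabled: true
"""
SAMPLE_ROLE = {"cluster_permissions": ["unlimited"],
               "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["unlimited"]}],
               "tenant_permissions": [{"allowed_actions": ["kibana_all_write"]}]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_SECURITYCONFIG, SAMPLE_DASHBOARDS, SAMPLE_ROLE))
```

A non-empty `write_grants` list on a role mapped to the anonymous backend role means every unauthenticated visitor, including anyone who can load the embedded iframe, holds those permissions.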