How to disable basic authentication while keeping ssl enabled

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

I have installed Opensearch server version 2.19 using the official helm chart (more detail on helm chart available at Helm - OpenSearch Documentation)

Describe the issue:
I want to disable the basic authentication while keeping the SSL enabled. But i don’t find any option to do the same. I can disable basic auth using plugins.security.disabled = true option, but SSL is also getting disabled.

Note that I want to disable the basic auth to improve the REST API performance which uses opensearch to fetch the desired data. OpenSearch will be running in Kubernetes inside the VPC, so there won’t be any security issues. Also, note that we can provision AWS-managed Open search without basic authentication but SSL is enabled. So I think the same should be possible for self-hosted OpenSearch servers as well.

Configuration:
Below is my config on values.yaml file

config:
opensearch.yml: |
cluster.name: opensearch-cluster
network.host: 0.0.0.0

plugins:
  security:
    disabled: true
    ssl:
      transport:
        pemcert_filepath: /usr/share/opensearch/config/certs/node.pem
        pemkey_filepath: /usr/share/opensearch/config/certs/node-key.pem
        pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: /usr/share/opensearch/config/certs/node.pem
        pemkey_filepath: /usr/share/opensearch/config/certs/node-key.pem
        pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
    allow_unsafe_democertificates: false
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - "CN=*.opensearch.svc.cluster.local,OU=Unit,O=Org,L=Location,C=US"

Relevant Logs or Screenshots:

2

Hi @sarankrishna, You can disable basicauth in config.yml file.

“securityConfig” can be used in values.yaml file, see following example:

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
  config:
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it.
    # * It is an error to define both data and securityConfigSecret.
    securityConfigSecret: ""
    data:
      action_groups.yml: |-
        _meta:
          type: "actiongroups"
          config_version: 2
      config.yml: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            do_not_fail_on_forbidden: true
            http:
              anonymous_auth_enabled: false
              xff:
                enabled: false
                internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
            authc:
              basic_internal_auth_domain:
                description: "Authenticate via HTTP Basic against internal users database"
                http_enabled: false
                transport_enabled: false
                order: 0
                http_authenticator:
                  type: "basic"
                  challenge: true
                authentication_backend:
                  type: "intern"