OpenSearch Dashboard Login Failure Handling

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch & Dashboard 3.0.0

Describe the issue:

When we log in to the opensearch dashboard with username & password and the login fails (e.g. wrong username or password), we don’t get a "Login failed" error but are logged in as the dashboard client user (client certificate), which is used to authenticate opensearch dashboard against opensearch.

I’m currently a little bit lost as to what I’ve configured wrong to enforce such behavior.

Configuration:

config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    kibana:
      server_username: client-dashboard
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 1
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

roles_mapping.yml

all_access:
  reserved: false
  backend_roles:
  - "admin"
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
  - "logstash"

kibana_server:
  reserved: true
  users:
  - "client-dashboard" # Dashboard CN
  - "kibanaserver"

opensearch_dashboards.yml

server:
  host: '0.0.0.0'
# Secure traffic between browser and dashboard
  ssl:
    enabled: true
    certificate: /usr/share/opensearch-dashboards/config/certs/node.pem
    key: /usr/share/opensearch-dashboards/config/certs/node-key.pem

# Secure traffic between dashboard and data nodes
opensearch:
  ssl:
    alwaysPresentCertificate: true
    certificate: /usr/share/opensearch-dashboards/config/certs/client.pem
    key: /usr/share/opensearch-dashboards/config/certs/client-key.pem
    certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" ]
    verificationMode: full
  requestHeadersAllowlist: [ authorization, securitytenant ]

opensearch_security:
  multitenancy:
    enabled: true
    tenants:
      preferred: [ "Private", "Global" ]
  readonly_mode:
    roles: [ "kibana_read_only" ]
  cookie:
    secure: true

Relevant Logs or Screenshots:

Hi @Andy. Did you use the same configuration in the older versions? If so, did you notice the same behaviour?

@Andy You have configured alwaysPresentCertificate: true. This ensures that the client certificate is sent with every request, which is needed for mTLS; however, due to this, the authentication will recognise the user from the certificate upon a failed login.

If you set this to false, you should see the expected behaviour.

I would recommend raising a feature request here to change this behaviour. Please note that this would not be classified as a bug, as this was already reported and closed as expected behaviour here.

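To make the reply's explanation concrete, here is an added example (written for this page, not code from the thread or from the OpenSearch project) that models how the security plugin walks the authc domains of the poster's config.yml by their "order" value. The domain names and order values are taken from the post and the certificate CN "client-dashboard" from roles_mapping.yml; the internal user database, the "first success wins, failures fall through" rule and the `dashboard_login` helper are assumptions made to keep the model short and runnable offline. It shows that when the Dashboards server presents its client certificate on the login request, a wrong password never reaches a 401 because the certificate domain authenticates "client-dashboard" instead, while without the certificate the basic domain is the only one that applies and the login fails as expected.

```python
# Added example, not code from the thread or from the OpenSearch project: a simplified model of
# how the security plugin walks the authc domains of config.yml by "order", used to show why a
# Dashboards server that always presents its client certificate cannot surface a failed
# username/password login. Domain names and order values come from the post's config.yml; the
# user database and the evaluation rules below are constructed for illustration.
from typing import List, Optional, Tuple

# The http_enabled authc domains from the post's config.yml (jwt_auth_domain is http_enabled: false).
AUTHC_DOMAINS = [
    {"name": "clientcert_auth_domain", "order": 0, "type": "clientcert"},
    {"name": "basic_internal_auth_domain", "order": 2, "type": "basic"},
]

# Constructed stand-in for internal_users.yml (plaintext here only to keep the model short).
INTERNAL_USERS = {"kibanaserver": "kibanaserver-secret", "alice": "alice-secret"}

# CN of the dashboard's client certificate; the post maps it to kibana_server in roles_mapping.yml.
DASHBOARD_CERT_CN = "client-dashboard"


def authenticate(client_cert_cn: Optional[str],
                 basic: Optional[Tuple[str, str]],
                 domains: List[dict] = AUTHC_DOMAINS) -> Tuple[Optional[str], List[str]]:
    """Walk the domains by ascending order. A domain that finds no credentials is skipped,
    a domain whose backend rejects them is logged and the next one is tried, and the first
    domain that succeeds determines the authenticated user (assumed evaluation rule)."""
    trace = []
    for dom in sorted(domains, key=lambda d: d["order"]):
        if dom["type"] == "clientcert":
            if client_cert_cn is None:
                trace.append(f"{dom['name']}: no client certificate, skipped")
                continue
            # noop backend: the certificate CN is accepted as the username (username_attribute: cn)
            trace.append(f"{dom['name']}: accepted CN {client_cert_cn}")
            return client_cert_cn, trace
        elif dom["type"] == "basic":
            if basic is None:
                trace.append(f"{dom['name']}: no Authorization header, skipped")
                continue
            user, password = basic
            if INTERNAL_USERS.get(user) == password:
                trace.append(f"{dom['name']}: accepted {user}")
                return user, trace
            trace.append(f"{dom['name']}: rejected {user}, trying next domain")
    trace.append("no domain authenticated the request -> 401")
    return None, trace


def dashboard_login(username: str, password: str,
                    always_present_certificate: bool,
                    domains: List[dict] = AUTHC_DOMAINS) -> Tuple[Optional[str], List[str]]:
    """Model the Dashboards login handler forwarding the form credentials to OpenSearch.
    With opensearch.ssl.alwaysPresentCertificate: true the TLS client certificate rides
    along on that request; with false it does not."""
    cert_cn = DASHBOARD_CERT_CN if always_present_certificate else None
    return authenticate(cert_cn, (username, password), domains)


if __name__ == "__main__":
    for flag in (True, False):
        user, trace = dashboard_login("alice", "wrong-password", always_present_certificate=flag)
        print(f"alwaysPresentCertificate={flag}: authenticated user = {user}")
        for line in trace:
            print("   ", line)
```

Run the block as-is to see both traces side by side. Under the model's fall-through rule, a request that carries the certificate ends up as the certificate user whenever the password check fails, whichever of the two domains comes first, which is why the reply's remedy is to stop presenting the certificate on that request (alwaysPresentCertificate: false) rather than to reorder the domains; `domains` is a parameter so the reader can try the swapped order and confirm this within the model.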