Comments (5)
@Flyingliuhub There are 2 different scenarios to consider when thinking about what the behavior should be:
1. Anonymous login is the only method to login to Dashboards
2. Dashboards is configured with multiple sign in options
In the case of 1) anonymous will be logged in automatically. The log out button does show in the dashboard, but it's functionless if anonymous auth is the only sign in option.
In the case of 2) what should the behavior be?
@DarshitChanpura recently fixed a bug where SAML auth + Anonymous auth were incompatible: #1731
The fix for that issue introduced the change in behavior you are seeing.
The behavior now is that if multiple sign in options are configured then it doesn't automatically login and instead displays the sign in options including a button for "Log in as Anonymous".
There was a separate bug that @DarshitChanpura addressed when fixing the SAML + Anon incompatibility, which was that if a user logged in as a regular user (regular meaning not anonymous, so basic auth user, SAML user, etc.) and logged out, on log out they were being automatically logged in as anonymous instead of being presented with the sign-on options.
@kamingleung Any thoughts on this issue?
from security-dashboards-plugin.
Users should not be automatically logged in as anonymous.
Having said that, this feature can be enabled via feature-flag and can be cluster specific. The original PR fixed an important bug, where after logging out as SAML user it would automatically log you in as anonymous. This is not a good user experience.
Reasoning for the observed behavior:
When multi-auth is enabled, the user will still be automatically logged in as anonymous when anonymous auth is enabled, given that the setting opensearch_security.auth.type is present with only 1 type ["basicauth"], or the setting is not present at all. [1][2]
When more than one option is passed for multi-auth, the Multi-Auth handler kicks in and the block similar to [2] is not present in handleUnauthedRequest to automatically login as anonymous when the url is /. Hence, we see the login screen instead of auto-login as anonymous. This change was required, otherwise this would automatically login as anonymous upon log-out.
[1] - https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/auth_handler_factory.ts#L64
[2] - https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/basic/basic_auth.ts#L119-L125
from security-dashboards-plugin.
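To make the decision described in the comment above concrete, here is an added example that models it as a small TypeScript helper. This is illustration code, not the plugin's own code: the config shape (`AuthConfig`), the function names, and the `redirect-to-login` fallback for paths other than `/` or for a single non-basic auth type are assumptions; the auto-login condition (anonymous auth enabled, and `opensearch_security.auth.type` absent or exactly `["basicauth"]`) and the multi-auth "show the sign-in options instead" rule are the behaviour the comment describes.

```typescript
// Added example (not the plugin's own code): a model of when an
// unauthenticated request is auto-logged-in as anonymous versus shown
// the sign-in options. The config shape and function names are assumed.

interface AuthConfig {
  // opensearch_security.auth.type: absent, a single type, or a list of types
  authType?: string | string[];
  // opensearch_security.auth.anonymous_auth_enabled
  anonymousAuthEnabled: boolean;
}

type UnauthedOutcome =
  | { kind: 'auto-login-anonymous' }
  | { kind: 'show-login-options'; options: string[] }
  | { kind: 'redirect-to-login'; authType: string };

// Normalise auth.type to a list; an absent setting yields an empty list.
function configuredAuthTypes(cfg: AuthConfig): string[] {
  if (cfg.authType === undefined) return [];
  return Array.isArray(cfg.authType) ? cfg.authType : [cfg.authType];
}

// The multi-auth handler takes over only when more than one type is configured.
function isMultiAuth(cfg: AuthConfig): boolean {
  return configuredAuthTypes(cfg).length > 1;
}

// Auto-login is reserved for "setting absent" or "exactly ['basicauth']".
function isBasicAuthOnly(cfg: AuthConfig): boolean {
  const types = configuredAuthTypes(cfg);
  return types.length === 0 || (types.length === 1 && types[0] === 'basicauth');
}

function decideUnauthedRequest(cfg: AuthConfig, path: string): UnauthedOutcome {
  const types = configuredAuthTypes(cfg);
  if (isMultiAuth(cfg)) {
    // Multi-auth: never auto-login. List every configured option, and add
    // an explicit "anonymous" choice when the feature flag is on.
    const options = cfg.anonymousAuthEnabled ? [...types, 'anonymous'] : [...types];
    return { kind: 'show-login-options', options };
  }
  if (cfg.anonymousAuthEnabled && isBasicAuthOnly(cfg) && path === '/') {
    // Basic-auth-only (or no auth.type) with anonymous enabled: silent login.
    return { kind: 'auto-login-anonymous' };
  }
  // Assumption for this model: any other single-type case, or a deep link,
  // is sent to that type's login page. The comment does not describe this case.
  return { kind: 'redirect-to-login', authType: types[0] ?? 'basicauth' };
}

// After logout the browser lands on "/" unauthenticated, so the logout
// experience is exactly the unauthenticated-root decision. This is why the
// logout button is "functionless" in the basic-only case but shows the
// sign-in options in the multi-auth case.
function outcomeAfterLogout(cfg: AuthConfig): UnauthedOutcome {
  return decideUnauthedRequest(cfg, '/');
}

// Constructed sample configurations for a quick stand-alone run.
const sampleBasicOnly: AuthConfig = { authType: ['basicauth'], anonymousAuthEnabled: true };
const sampleMulti: AuthConfig = { authType: ['basicauth', 'saml'], anonymousAuthEnabled: true };
console.log('basic-only after logout:', outcomeAfterLogout(sampleBasicOnly));
console.log('multi-auth after logout:', outcomeAfterLogout(sampleMulti));
```

Read the two `console.log` lines side by side: with `["basicauth"]` plus anonymous auth the user is re-logged-in as anonymous on the next request, while with `["basicauth", "saml"]` the same flag produces a sign-in page that merely offers anonymous as one option, which is the change in behaviour the issue is about.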
> where after logging out as SAML user it would automatically log you in as anonymous. This is not a good user experience.

which is the anonymous feature flag's purpose, right? This is the default behavior behind the feature flag opensearch_security.auth.anonymous_auth_enabled: true, if I understand correctly. Can you give more info about "This is not a good user experience"?
If users don't want to enable anonymous login, they should refrain from enabling this feature flag.
from security-dashboards-plugin.
[Triage] @Flyingliuhub @kamingleung do you have any more comments?
from security-dashboards-plugin.
adding @seraphjiang @BionIT here for more comments
from security-dashboards-plugin.