
Comments (5)

cwperks avatar cwperks commented on July 4, 2024 1

@Flyingliuhub There are 2 different scenarios to consider when thinking about what the behavior should be:

  1. Anonymous login is the only method to login to Dashboards
  2. Dashboards is configured with multiple sign in options

In the case of 1) anonymous will be logged in automatically. The log out button does show in the dashboard, but it's functionless if anonymous auth is the only sign in option.

In the case of 2) what should the behavior be?

@DarshitChanpura recently fixed a bug where SAML auth + Anonymous auth were incompatible: #1731

The fix for that issue introduced the change in behavior you are seeing.

The behavior now is that if multiple sign in options are configured then it doesn't automatically login and instead displays the sign in options including a button for "Log in as Anonymous".

There was a separate bug that @DarshitChanpura addressed when fixing the SAML + Anon incompatibility, which was that if a user logged in as a regular user (regular meaning not anonymous, so basic auth user, SAML user, etc.) and logged out, on log out they were being automatically logged in as anonymous instead of being presented with the sign on options.

@kamingleung Any thoughts on this issue?

from security-dashboards-plugin.

DarshitChanpura avatar DarshitChanpura commented on July 4, 2024

Users should not be automatically logged in as anonymous.

Having said that, this feature can be enabled via feature-flag and can be cluster specific. The original PR fixed an important bug, where after logging out as SAML user it would automatically log you in as anonymous. This is not a good user experience.

Reasoning for the observed behavior:
When multi-auth is enabled, the user will still be automatically logged in as anonymous when anonymous auth is enabled, given that the setting opensearch_security.auth.type: is present with only 1 type ["basicauth"] or the setting is not present at all. [1][2]

When more than one option is passed for multi-auth, the Multi-Auth handler kicks in and the block similar to [2] is not present in handleUnauthedRequest to automatically log in as anonymous when the url is /. Hence, we see the login screen instead of auto-login as anonymous. This change was required; otherwise this would automatically log in as anonymous upon log-out.

[1] - https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/auth_handler_factory.ts#L64
[2] - https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/basic/basic_auth.ts#L119-L125

from security-dashboards-plugin.
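The handler selection the two comments above describe, as an added illustration that is not the plugin's own code: a single configured type (or an absent setting) keeps the basic-auth behaviour of auto-logging in as anonymous on "/", while more than one type hands the request to a multi-auth handler that only lists the sign-in options. Type names, the class shapes and the login redirect route are assumptions made for this example.

```typescript
// Added example, not the plugin's code: models the auto-login decision from the
// thread. AuthType values, class names and the '/app/login' route are assumed.
type AuthType = 'basicauth' | 'saml' | 'openid';

interface SecurityConfig {
  auth: {
    type?: AuthType | AuthType[]; // opensearch_security.auth.type (shape assumed)
    anonymous_auth_enabled: boolean;
  };
}

type AuthDecision =
  | { action: 'auto-login'; user: 'anonymous' }
  | { action: 'redirect'; to: string }
  | { action: 'login-page'; options: string[] };

interface AuthHandler { handleUnauthedRequest(path: string): AuthDecision; }

function normalizeTypes(t: SecurityConfig['auth']['type']): AuthType[] {
  if (t === undefined) return ['basicauth']; // setting absent: basic auth only
  return Array.isArray(t) ? t : [t];
}

// One sign-in option: an unauthenticated request for "/" becomes anonymous.
class BasicAuthHandler implements AuthHandler {
  private readonly anonymousEnabled: boolean;
  constructor(anonymousEnabled: boolean) { this.anonymousEnabled = anonymousEnabled; }
  handleUnauthedRequest(path: string): AuthDecision {
    if (this.anonymousEnabled && path === '/') return { action: 'auto-login', user: 'anonymous' };
    return { action: 'redirect', to: `/app/login?nextUrl=${encodeURIComponent(path)}` };
  }
}

// Several sign-in options: never auto-login; show the options, plus anonymous if enabled.
class MultiAuthHandler implements AuthHandler {
  private readonly types: AuthType[];
  private readonly anonymousEnabled: boolean;
  constructor(types: AuthType[], anonymousEnabled: boolean) {
    this.types = types; this.anonymousEnabled = anonymousEnabled;
  }
  handleUnauthedRequest(_path: string): AuthDecision {
    const options = this.types.map((t) => `Log in with ${t}`);
    if (this.anonymousEnabled) options.push('Log in as Anonymous');
    return { action: 'login-page', options };
  }
}

// Factory: more than one configured type selects the multi-auth handler.
function decide(config: SecurityConfig, path: string): AuthDecision {
  const types = normalizeTypes(config.auth.type);
  const anon = config.auth.anonymous_auth_enabled;
  const handler: AuthHandler = types.length > 1 ? new MultiAuthHandler(types, anon) : new BasicAuthHandler(anon);
  return handler.handleUnauthedRequest(path);
}
```

With `type: ["basicauth", "saml"]` and the anonymous flag set, `decide(config, '/')` yields the login page with a "Log in as Anonymous" entry rather than an automatic anonymous session, which is the behaviour change the thread discusses.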

Flyingliuhub avatar Flyingliuhub commented on July 4, 2024

"where after logging out as SAML user it would automatically log you in as anonymous. This is not a good user experience." Which is the anonymous feature flag's purpose, right? This is the default behavior behind this feature flag opensearch_security.auth.anonymous_auth_enabled: true if I understand correctly. Can you give more info about "This is not a good user experience"?
If users don't want to enable anonymous login, they should refrain from enabling this feature flag.

from security-dashboards-plugin.

derek-ho avatar derek-ho commented on July 4, 2024

[Triage] @Flyingliuhub @kamingleung do you have any more comments?

from security-dashboards-plugin.

Flyingliuhub avatar Flyingliuhub commented on July 4, 2024

adding @seraphjiang @BionIT here for more comments

from security-dashboards-plugin.
