Client certificate setting bypasses password requirements

[asifbashar]

When client authentication certificate is set as required in opensearch.yaml , and opensearch_dashboards.yml has "alwaysPresentCertficate" : true, browser login to dashboard does not validate password and allows login with any user/password. This allows for any user to view dashboard.

config.yaml example below

config:
dynamic:
authc:
basic_internal_auth_domain:
authentication_backend:
type: intern
description: Authenticate via HTTP Basic against internal users database
http_authenticator:
challenge: true
type: basic
http_enabled: true
order: 4
transport_enabled: true
clientcert_auth_domain:
authentication_backend:
type: noop
description: Authenticate via SSL client certificates
http_authenticator:
challenge: false
config:
username_attribute: ''
type: clientcert
http_enabled: true
order: 2
transport_enabled: false

[stephen-crawford]

[Triage] Hi @asifbashar thank you for filing this issue. I am not familiar with this configuration myself, so am not sure whether this is the expected behavior where the certificate setting bypasses the basic auth requirements. Someone will need to look into the intended use fo this setting and then address any issues found.

[asifbashar]

please assign to me user asifbashar

[shikharj05]

@asifbashar From what I know, I think it's expected if you have multiple authentication types enabled and alwaysPresentCertficate is set to true.

https://docs.opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/

opensearch.ssl.alwaysPresentCertificate 	Sends the client certificate to the OpenSearch cluster if set to true, which is necessary when mTLS is enabled in OpenSearch. Default is false.
opensearch.ssl.certificate 	If opensearch.ssl.alwaysPresentCertificate is set to true, specifies the full path to a valid client certificate for the OpenSearch cluster. You can [generate your own certificate](https://opensearch.org/docs/latest/security/configuration/generate-certificates/) or get one from a CA.
opensearch.ssl.key 	If opensearch.ssl.alwaysPresentCertificate is set to true, specifies the full path to the key for the client certificate. You can [generate your own certificate](https://opensearch.org/docs/latest/security/configuration/generate-certificates/) or get one from a CA.

Also, PKI authentication for dashboards is not supported- #1470

[asifbashar]

Until #1470 is supported , alwaysPresentCertficate set to true is required value because , When alwaysPresentCertficate set to false, dashboard login completely fails. But having it set to true, creates a security hole to dashboard where any user can login. This fix here is a workaround to at least allow basic authentication to really validate password , when Rest API access is strictly set to client cert authentication required mode. In this current state, dashboard cannot be used securely and many use cases would require that they have to completely disable dashboard usage .