
[BUG] It's possible to login to Opensearch Dashboards without any Opensearch roles #1389

Closed
Martin-Kemp opened this issue Mar 28, 2023 · 3 comments
Labels
bug Something isn't working triaged

Comments

@Martin-Kemp

What is the bug?
With LDAP authentication and authorization it's possible to login to Opensearch Dashboards even if the user doesn't have any roles. If authentication succeeds but authorization returns no AD groups, and therefore the user has no Opensearch roles, the user is still logged in. The user is not able to see any data or interact with the cluster in any way so I don't think it's a security risk, it's just strange behavior because it can lead to confusion from users that think they have access when in fact they don't.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Set up Opensearch and Opensearch Dashboards with LDAP authentication and authorization.
  2. Log in with a user that exists but is not in any AD groups that are mapped to Opensearch roles.

What is the expected behavior?
Login should fail since the user has no rights.

Do you have any additional context?
How this was handled in Kibana: elastic/kibana#75538

@stephen-crawford
Contributor

[Triage] Hi @Martin-Kemp, thank you for taking the time to file this issue. Currently, there is not a permission for accessing OpenSearch Dashboards/Kibana. There are no plans to add an additional permission configuration for this option, but we would be curious to hear what alternative you would be interested in. It may be helpful to consult @shanilpa or @opensearch-project/dashboards-anywhere-contributor. Thank you.

@Martin-Kemp
Author

Thank you for your feedback. I understand that this is not a bug, but rather a feature of the current RBAC implementation.

As an alternative, I propose showing an "access denied" page or a similar notification to users whose authorization returns no roles. This would immediately inform them that although their login credentials are correct, they do not currently have access to any data or dashboards.

To provide a bit more context: In our organization, we have many non-technical users who request access to OpenSearch Dashboards via a company portal. When they attempt to log in and succeed, they naturally assume that their access request was successful. If, for some reason, their request didn't go through correctly (e.g., they requested access to the wrong application), they are confused because they can log in but see no data or dashboards.

I believe this alternative solution would not only resolve the confusion for our users, but it could potentially improve the user experience for other organizations that use OpenSearch Dashboards in a similar context.

However, I understand if this behavior is by design and there is no current interest in changing it. In that case, feel free to close this issue.

Thank you again for your time and consideration.

@peternied
Member

@Martin-Kemp The proposed workspaces feature might be better suited to handle this messaging, as it's focused around the OpenSearch Dashboards website experience.
