Initial commit for multiple authentication

[aoguan1990]

Signed-off-by: Aozixuan Priscilla Guan aoguan@amazon.com

Description

The purpose of this project is to leverage functionalities to allow OpenSearch Dashboards (OSD) users to Login/ Logout from the integrated Login/Logout UI with different authentication methodologies. OSD administer can enable single or multiple authentication type(s) on demand by setting up OpenSearch Dashboards configuration YML. For OpenSearch Dashboards with Security Plugin enabled, at least one authentication type is required.

Category

[New Feature]

Why these changes are required?

As for now, OpenSearch Dashboards supports many types of authentications including Basic, OIDC, SAML, LDAP, Proxy and Client-Certificate based authentication. However, only one authentication type can be configured in OpenSearch Dashboard while there is a high demand shows the opposite way. After capturing and analyzing customer requests from both GitHub and OpenSearch Community, the great value of enabling multiple authentication types simultaneously in OpenSearch Dashboards is self-evident.

Related Customer Request

GitHub Issues:
#1112
#2099
#74

OpenSeach Community Issues:
#354
#3164
#10553
#10233
#7015

What is the old behavior before changes and new behavior after changes?

Currently, OpenSearch Dashboards only allows users to login with single authentication type. Users can either use built-in login with username and password, or use single sign-on with external SAML/OIDC IDP. The following pain-points are observed:

• OpenSearch Dashboards does not support users to login with built-in login and single sign-on approaches simultaneously
• OpenSearch Dashboards does not provide built-in Login UI for single sign-on approach

In order to address the pain-points, this project proposes to utilize integrated and customizable Login/Logout UI to allow users to login/logout OpenSearch Dashboards with multiple authentication types, including Basic, SAML, OIDC and Anonymous.

Issues Resolved

• Resolves [Feature-Proposal] Enable Multiple Authentication for OpenSearch Dashboard OpenSearch-Dashboards#2100

Testing

[unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 62.82051% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.82%. Comparing base (6236fe2) to head (4165aba).
⚠️ Report is 285 commits behind head on main.

Files with missing lines	Patch %	Lines
public/apps/login/login-page.tsx	80.39%	6 Missing and 4 partials ⚠️
public/apps/account/utils.tsx	0.00%	9 Missing ⚠️
public/apps/account/account-app.tsx	44.44%	3 Missing and 2 partials ⚠️
public/apps/account/log-out-button.tsx	66.66%	2 Missing ⚠️
public/utils/logout-utils.tsx	0.00%	2 Missing ⚠️
public/plugin.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1110      +/-   ##
==========================================
- Coverage   72.07%   71.82%   -0.26%     
==========================================
  Files          88       88              
  Lines        1959     2023      +64     
  Branches      258      268      +10     
==========================================
+ Hits         1412     1453      +41     
- Misses        490      508      +18     
- Partials       57       62       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cliu123]

CI failed.
@peterzhuamazon Is 2.4.0 security plugin artifact available?

[peternied]

Great feature for Dashboard users - thanks for this effort!

I think you found some problems with the previous conventions where switch/casing is used instead of something like an 'authentication handler' interface. This is causing lots of potential gaps where functionality could be missing / broken and its hard to know if it is being exercised. Lets look at a couple of this places with different behavior patterns and see if we can generalize. Then a single auth handler or multiple will look identical at the different code touchpoints and it will be trivial to add more auth types in the future.

Note; I only managed to review ~50% of the file so I might have more feedback when I get time to do the final pass

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-1110-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 eee08a5f1d91850c741a0085ea5f2beccaf0c343
# Push it to GitHub
git push --set-upstream origin backport/backport-1110-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-1110-to-2.x.