
Error connecting to OpenSearch server with selective anonymous access permitted #556

Open
jgough opened this issue Apr 28, 2022 · 5 comments

Comments

@jgough

jgough commented Apr 28, 2022

I don't know if OpenSearch is officially supported by Cerebro but it seems to be 100% compatible. I am having an issue though when anonymous access is enabled. I suspect the same error below would also be present on Elasticsearch given the similarity.

To reproduce:

  1. Set up an OpenSearch cluster with anonymous access permitted where the anonymous user does not have full permissions
  2. Try to connect via Cerebro:

Result:
Cerebro tries to connect anonymously without authentication and returns the error `Unexpected response status: [403]`.
This is because the server can be accessed but the anonymous user is not allowed to monitor the health of the cluster - that requires a user with the correct permissions.

OpenSearch itself returns a 403 response to the request with the message
`no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]`

In this situation I would expect cerebro to present me with a login to allow me to enter credentials for access, since the anonymous access didn't have sufficient permissions.

This seems to be because the code is not expecting a 403 response and will only treat a 401 as the situation to ask for credentials:
https://github.com/lmenezes/cerebro/blob/main/public/js/app.js#L606

I've experimented with the source code and it seems if I add `case 403:` here then it seems to fix this issue and presents me with the typical login screen.
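The point in the report above is that a 403 from OpenSearch or Elasticsearch can mean two different things to a client: an unauthenticated (anonymous) request that simply lacks the privilege, which should be handled like a 401 by prompting for credentials, or an authenticated user who genuinely is not authorized, which should be surfaced as a permission error. The following is an added illustration, not Cerebro's app.js or any OpenSearch code; the function names `classifyAuthFailure` and `parseSecurityError` are assumed, the sample error bodies are constructed from the message quoted in the report, and the JSON shape `{ "error": { "reason": "..." } }` for the security exception is an assumption about the server's response.

```javascript
// Added example (not Cerebro's own code): decide how a client should react to a
// 401/403 from an OpenSearch/Elasticsearch endpoint. Names here are assumed.

// Extracts the action the server refused and the user it evaluated from the
// security-plugin message, e.g.
// "no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, ...]"
const MISSING_PERM_RE = /no permissions for \[([^\]]+)\]/;
const USER_NAME_RE = /User \[name=([^,\]]+)/;

function parseSecurityError(body) {
  // Accept either the raw text of the response or a parsed JSON body of the
  // assumed form { error: "..." } / { error: { reason: "..." } }.
  let text = '';
  if (typeof body === 'string') {
    text = body;
  } else if (body && typeof body === 'object') {
    const err = body.error;
    text = typeof err === 'string' ? err : (err && err.reason) || '';
  }
  const perm = MISSING_PERM_RE.exec(text);
  const user = USER_NAME_RE.exec(text);
  if (!perm && !user) return null;
  return {
    user: user ? user[1] : null,
    missingPermission: perm ? perm[1] : null,
  };
}

// The security plugin names the anonymous principal with "anonymous" in it
// (opendistro_security_anonymous in the report); treat that as unauthenticated.
function isAnonymousUser(name) {
  return name !== null && /anonymous/i.test(name);
}

// status: HTTP status code; body: response body; hadCredentials: whether the
// client sent credentials with the request. Returns the UI action to take.
function classifyAuthFailure(status, body, hadCredentials) {
  if (status === 401) {
    return { action: 'prompt-login', reason: 'server requires authentication' };
  }
  if (status === 403) {
    const details = parseSecurityError(body);
    const missing = details && details.missingPermission
      ? details.missingPermission
      : 'required permission';
    const anonymous = !hadCredentials || (details !== null && isAnonymousUser(details.user));
    if (anonymous) {
      // Anonymous access reached the server but lacks the privilege: the fix
      // is to ask the user for credentials, exactly as for a 401.
      return { action: 'prompt-login', reason: 'anonymous user lacks ' + missing };
    }
    // An authenticated user is genuinely not authorized; prompting for login
    // again would only loop, so report the missing privilege instead.
    return { action: 'show-permission-error', reason: 'user lacks ' + missing };
  }
  return { action: 'none', reason: 'not an authentication failure' };
}

module.exports = { parseSecurityError, classifyAuthFailure, isAnonymousUser };
```

Running this against the 403 body from the report with `hadCredentials = false` yields `prompt-login`, which is the behaviour the report asks for; the same body sent with real credentials for a non-anonymous user yields `show-permission-error`, so a misconfigured role does not trap the user in a login loop.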

@jgough
Author

jgough commented May 5, 2022

Looks like the 403 response is probably a bug in OpenSearch and it should be returning a 401. I have filed an issue here: opensearch-project/security#1825

@jonkerw85

@jgough This might not apply to you. But I'm running OpenSearch with an Nginx proxy in front of it. Nginx is configured with basic auth. This works flawlessly.

@jgough
Author

jgough commented May 6, 2022

@wjonkerhulst I believe this is specifically related to the anonymous auth (setting anonymous_auth_enabled: true) so may not actually be a bug in Cerebro. Without anonymous auth enabled it works 100%.

@bkimbrough88

I don't know about anonymous auth, but I found this error when I connected cerebro up to my OpenSearch cluster. I can view the nodes, but the overview page simply won't load:

```json
{
  "error": "Failure for [_stats/docs,store?ignore_unavailable=true]"
}
```

Note I'm currently running OpenSearch 1.3.2 and connected to the cluster using my admin user and password with basic auth.

@jgough
Author

jgough commented Jul 13, 2022

@bkimbrough88 That issue seems unrelated to this issue which is specifically around the HTTP response code 403 when anonymous_auth_enable is set to true. I have no issues with OpenSearch 1.3.2 and Cerebro when this is not set and can open the Overview page with no problem.

As an aside, try making a curl request to your database and check that the user you are using to log in has permission to access it, e.g.
`curl -u "username:password" http://myserver/_stats/docs,store?ignore_unavailable=true`. If you get an error with a security exception then you may need to check the permissions of the user you are using.
