Added new option skip_users to client cert authenticator issue #4378 (#10860)

asifabashar · natebower · web-flow · commit b772d5a3b2fd · 2025-08-28T07:01:25.000-04:00
* Added new option skip_users to client cert authenticator (clientcert_auth_domain.http_authenticator.config.skip_users in config.yml)[#4378] Signed-off-by: Asif Bashar <abashar@apple.com> * Added new option skip_users to client cert authenticator (clientcert_auth_domain.http_authenticator.config.skip_users in config.yml)[#4378] Signed-off-by: Asif Bashar <abashar@apple.com> * Apply suggestions from code review Signed-off-by: Nathan Bower <nbower@amazon.com> * Update _security/authentication-backends/client-auth.md Signed-off-by: Nathan Bower <nbower@amazon.com> --------- Signed-off-by: Asif Bashar <abashar@apple.com> Signed-off-by: Nathan Bower <nbower@amazon.com> Co-authored-by: Nathan Bower <nbower@amazon.com>
diff --git a/_security/authentication-backends/client-auth.md b/_security/authentication-backends/client-auth.md
@@ -36,6 +36,8 @@ clientcert_auth_domain:
     type: clientcert
     config:
       username_attribute: cn #optional, if omitted DN becomes username
+      skip_users:
+    	    - "DC=de,L=test,O=users,OU=bridge,CN=dashboard"
     challenge: false
   authentication_backend:
     type: noop
@@ -90,6 +92,22 @@ print(response.text)
 ```
 
 {% comment %}
+
+### (Advanced) Exclude certain users from client cert authentication
+
+If you are using multiple authentication methods, it can make sense to exclude certain users from the client cert authentication.
+
+Consider the following scenario for a typical OpenSearch Dashboards setup: OpenSearch Dashboard has basic auth setup and user login from a browser. However, you also have an OpenSearch Dashboards server user. OpenSearch Dashboards uses this user to manage stored objects and perform monitoring and maintenance tasks. You do not want to use this user certificate to log in a user who submitted basic auth logic from a browser.
+
+In this case, it makes sense to exclude the OpenSearch Dashboards server user from the client cert authentication so that the user who enters login information in the browser is validated. You can use the `skip_users` configuration setting to define which users should be skipped. Wildcards and regular expressions are supported:
+
+```yml
+
+skip_users:
+  - "DC=de,L=test,O=users,OU=bridge,CN=dashboard"
+
+```
+
 ## Configuring Beats
 
 You can also configure your Beats so that it uses a client certificate for authentication with OpenSearch. Afterwards, it can start sending output to OpenSearch.
