Revert "Merge pull request #8 from kylehounslow/feat/helm-anon-auth"

This reverts commit 00169ec, reversing
changes made to d33c863.
Signed-off-by: Kyle Hounslow <kylhouns@amazon.com>

Author: kylehounslow

charts/observability-stack/README.md

@@ -162,10 +162,6 @@ Sources: [OpenSearch shard sizing](https://opensearch.org/blog/optimize-opensear
 See `values.yaml` for all options. Notable settings:
 
 ```yaml
-# Anonymous auth — skip login page for demos/workshops
-anonymousAuth:
-  enabled: false  # Set true to allow access without credentials
-
 # Credentials (update opensearchPassword before any real deployment)
 opensearchUsername: "admin"
 opensearchPassword: "My_password_123!@#"
@@ -183,30 +179,6 @@ prometheus:
     # ... etc
 ```
 
-## Anonymous Authentication
-
-By default, OpenSearch Dashboards requires login. Enable anonymous auth to skip the login page — useful for demos, workshops, or shared dev environments.
-
-```bash
-helm install obs-stack charts/observability-stack \
-  --set anonymousAuth.enabled=true \
-  --set global.anonymousAuth.enabled=true
-```
-
-> **Note:** Both `anonymousAuth.enabled` and `global.anonymousAuth.enabled` must be set. The `global` value is needed because the OpenSearch Dashboards subchart config uses Go templating and can only access global values.
-
-**What anonymous users can do:**
-- Browse all data (logs, traces, metrics)
-- View, create, and modify saved objects (visualizations, dashboards, saved queries)
-- Explore traces and service maps
-- Run queries and access the OpenSearch REST API
-
-**What anonymous users cannot do:**
-- Delete existing saved objects
-- Perform admin operations (user management, security config)
-
-**To disable:** Remove the `--set` flags (or set both to `false`) and redeploy.
-
 ## OpenTelemetry Demo (Optional)
 
 The [OpenTelemetry Demo](https://opentelemetry.io/docs/demo/) is available as an optional subchart. It deploys a full microservices e-commerce app (20+ services) that generates realistic telemetry — useful for load testing and showcasing the stack.

charts/observability-stack/files/init-opensearch-dashboards.py

@@ -15,7 +15,6 @@
 PROMETHEUS_PORT = os.getenv("PROMETHEUS_PORT", "9090")
 _opensearch_protocol = os.getenv("OPENSEARCH_PROTOCOL", "https")
 OPENSEARCH_ENDPOINT = f"{_opensearch_protocol}://{os.getenv('OPENSEARCH_HOST', 'opensearch')}:{os.getenv('OPENSEARCH_PORT', '9200')}"
-ANONYMOUS_AUTH_ENABLED = os.getenv("OPENSEARCH_ANONYMOUS_AUTH_ENABLED", "false").lower() == "true"
 
 def wait_for_dashboards():
     """Wait for OpenSearch Dashboards to be ready"""
@@ -233,7 +232,7 @@ def create_prometheus_datasource(workspace_id):
 
     payload = {
         "name": datasource_name,
-        "allowedRoles": ["all_access", "opendistro_security_anonymous_role"] if ANONYMOUS_AUTH_ENABLED else ["all_access"],
+        "allowedRoles": [],
         "connector": "prometheus",
         "properties": {
             "prometheus.uri": prometheus_endpoint,

charts/observability-stack/templates/init-dashboards-job.yaml

@@ -44,8 +44,6 @@ spec:
               value: "80"
             - name: OPENSEARCH_ENDPOINT
               value: "https://opensearch-cluster-master:9200"
-            - name: OPENSEARCH_ANONYMOUS_AUTH_ENABLED
-              value: {{ .Values.anonymousAuth.enabled | quote }}
           volumeMounts:
             - name: init-script
               mountPath: /scripts

charts/observability-stack/templates/opensearch-security-config.yaml

@@ -1,13 +1,6 @@
 # Default values for observability-stack umbrella chart
 # Mirrors the docker-compose setup for Kubernetes deployment
 
-# -- Anonymous authentication (skip login page for demos/workshops)
-# When enabled, users can access OpenSearch Dashboards without logging in.
-# Anonymous users can browse data, create/modify saved objects, but cannot
-# delete existing saved objects or perform admin operations.
-anonymousAuth:
-  enabled: false
-
 # -- OpenSearch
 # Sizing guide:
 #   Storage: daily_ingest_GB × 1.45 × (replicas + 1) × retention_days
@@ -42,9 +35,6 @@ opensearch:
   config:
     opensearch.yml: |
       plugins.query.datasources.encryption.masterkey: "BTqK4Ytdz67La1kShIKV3Pu9"
-  securityConfig:
-    config:
-      securityConfigSecret: "opensearch-security-config"
 
 # -- OpenSearch Dashboards
 opensearch-dashboards:
@@ -91,7 +81,6 @@ opensearch-dashboards:
       opensearch.requestHeadersAllowlist: ["authorization", "securitytenant"]
       opensearch_security.multitenancy.enabled: false
       opensearch_security.readonly_mode.roles: ["kibana_read_only"]
-      opensearch_security.auth.anonymous_auth_enabled: {{ .Values.global.anonymousAuth.enabled }}
       console.enabled: true
       server.maxPayloadBytes: 1048576
       savedObjects.maxImportPayloadBytes: 26214400
@@ -101,11 +90,6 @@ opensearch-dashboards:
       explore.discoverMetrics.enabled: true
       explore.agentTraces.enabled: true
       workspace.enabled: true
-      {{- if .Values.global.anonymousAuth.enabled }}
-      savedObjects.permission.enabled: false
-      {{- else }}
-      savedObjects.permission.enabled: true
-      {{- end }}
       data_source.enabled: true
       data_source.ssl.verificationMode: none
       datasetManagement.enabled: true
@@ -522,10 +506,3 @@ gateway:
   #   host: dashboards.example.com
   #   annotations:
   #     application-networking.k8s.aws/certificate-arn: arn:aws:acm:REGION:ACCOUNT:certificate/ID
-
-# -- Global values (accessible to all subcharts via .Values.global)
-# Used to pass anonymousAuth.enabled to opensearch-dashboards subchart config
-# which uses tpl() for Go template rendering.
-global:
-  anonymousAuth:
-    enabled: false

charts/observability-stack/tests/anonymous_auth_test.yaml

@@ -163,22 +163,6 @@ resource "helm_release" "observability_stack" {
     }
   }
 
-  # --- Anonymous auth (conditional) ---
-  dynamic "set" {
-    for_each = var.anonymous_auth ? [1] : []
-    content {
-      name  = "anonymousAuth.enabled"
-      value = "true"
-    }
-  }
-  dynamic "set" {
-    for_each = var.anonymous_auth ? [1] : []
-    content {
-      name  = "global.anonymousAuth.enabled"
-      value = "true"
-    }
-  }
-
   depends_on = [
     helm_release.aws_lb_controller,
   ]