Anonymous authentication

The Security plugin supports anonymous authentication, through which a user is able to access a cluster without providing credentials. This is useful in cases where you want lots of people to be able to access your cluster with a common set of privileges.

Configuration

To enable anonymous authentication, you need to modify the config.yml file inside the opensearch-security configuration subdirectory of your cluster.

In the config.yml file, there is an http section, which includes the anonymous_auth_enabled setting:

  1. http:
  2. anonymous_auth_enabled: <true|false>
  3. ...

The following table describes the anonymous_auth_enabled setting. For more information, see the configuration file overview.

SettingDescription
anonymous_auth_enabledEither enables or disables anonymous authentication. When you enable anonymous authentication, all defined HTTP authenticators are non-challenging. See The challenge setting.

If you disable anonymous authentication, you must provide at least one authc in order for the Security plugin to initialize successfully.

OpenSearch Dashboards configuration

To enable anonymous authentication for OpenSearch Dashboards, you need to modify the opensearch_dashboards.yml file in the configuration directory of your OpenSearch Dashboards installation.

Add the following setting to opensearch_dashboards.yml:

  1. opensearch_security.auth.anonymous_auth_enabled: true

Anonymous login for OpenSearch Dashboards requires anonymous authentication to be enabled on the OpenSearch cluster.

Defining anonymous authentication privileges

When anonymous authentication is enabled, your defined HTTP authenticators still try to find user credentials inside your HTTP request. If credentials are found, the user is authenticated. If none are found, the user is authenticated as an anonymous user.

All anonymous users have the username anonymous and a single role named anonymous_backendrole.

You can configure the privileges associated with the opendistro_security_anonymous_backendrole in the roles.yml file.

We recommend that your defined role have very limited privileges. Generally, an anonymous user should never be able to write to your cluster.

The following is an example role definition for an anonymous_users_role. You can use this example as a reference for defining your own role in the roles.yml file:

  1. anonymous_users_role:
  2. reserved: false
  3. hidden: false
  4. cluster_permissions:
  5. - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
  6. index_permissions:
  7. - index_patterns:
  8. - "public_index_*"
  9. allowed_actions:
  10. - "read"

copy

Then, in the roles_mapping.yml file, you can define the appropriate mapping for this new role:

  1. anonymous_users_role:
  2. reserved: false
  3. hidden: false
  4. backend_roles: ["opendistro_security_anonymous_backendrole"]
  5. hosts: []

copy

Notice that the role is mapped to opendistro_security_anonymous_backendrole, which means that all users with the anonymous user backend role will have these privileges.

Alternatively, you can complete these steps using the REST API or OpenSearch Dashboards.