Anonymous authentication
The Security plugin supports anonymous authentication, through which a user is able to access a cluster without providing credentials. This is useful in cases where you want lots of people to be able to access your cluster with a common set of privileges.
Configuration
To enable anonymous authentication, you need to modify the config.yml
file inside the opensearch-security
configuration subdirectory of your cluster.
In the config.yml
file, there is an http
section, which includes the anonymous_auth_enabled
setting:
http:
anonymous_auth_enabled: <true|false>
...
The following table describes the anonymous_auth_enabled
setting. For more information, see the configuration file overview.
Setting | Description |
---|---|
anonymous_auth_enabled | Either enables or disables anonymous authentication. When you enable anonymous authentication, all defined HTTP authenticators are non-challenging. See The challenge setting. |
If you disable anonymous authentication, you must provide at least one authc
in order for the Security plugin to initialize successfully.
OpenSearch Dashboards configuration
To enable anonymous authentication for OpenSearch Dashboards, you need to modify the opensearch_dashboards.yml
file in the configuration directory of your OpenSearch Dashboards installation.
Add the following setting to opensearch_dashboards.yml
:
opensearch_security.auth.anonymous_auth_enabled: true
Anonymous login for OpenSearch Dashboards requires anonymous authentication to be enabled on the OpenSearch cluster.
Defining anonymous authentication privileges
When anonymous authentication is enabled, your defined HTTP authenticators still try to find user credentials inside your HTTP request. If credentials are found, the user is authenticated. If none are found, the user is authenticated as an anonymous
user.
All anonymous users have the username anonymous
and a single role named anonymous_backendrole
.
You can configure the privileges associated with the opendistro_security_anonymous_backendrole
in the roles.yml file.
We recommend that your defined role have very limited privileges. Generally, an anonymous user should never be able to write to your cluster.
The following is an example role definition for an anonymous_users_role
. You can use this example as a reference for defining your own role in the roles.yml
file:
anonymous_users_role:
reserved: false
hidden: false
cluster_permissions:
- "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
index_permissions:
- index_patterns:
- "public_index_*"
allowed_actions:
- "read"
copy
Then, in the roles_mapping.yml
file, you can define the appropriate mapping for this new role:
anonymous_users_role:
reserved: false
hidden: false
backend_roles: ["opendistro_security_anonymous_backendrole"]
hosts: []
copy
Notice that the role is mapped to opendistro_security_anonymous_backendrole
, which means that all users with the anonymous user backend role will have these privileges.
Alternatively, you can complete these steps using the REST API or OpenSearch Dashboards.