Link Search Menu Expand Document Documentation Menu

Anonymous authentication

The Security plugin supports anonymous authentication, through which a user is able to access a cluster without providing credentials. This is useful in cases where you want lots of people to be able to access your cluster with a common set of privileges.


To enable anonymous authentication, you need to modify the config.yml file inside the opensearch-security configuration subdirectory of your cluster.

In the config.yml file, there is an http section, which includes the anonymous_auth_enabled setting:

  anonymous_auth_enabled: <true|false>

The following table describes the anonymous_auth_enabled setting. For more information, see the configuration file overview.

Setting Description
anonymous_auth_enabled Either enables or disables anonymous authentication. When you enable anonymous authentication, all defined HTTP authenticators are non-challenging. See The challenge setting.

If you disable anonymous authentication, you must provide at least one authc in order for the Security plugin to initialize successfully.

Defining anonymous authentication privileges

When anonymous authentication is enabled, your defined HTTP authenticators still try to find user credentials inside your HTTP request. If credentials are found, the user is authenticated. If none are found, the user is authenticated as an anonymous user.

All anonymous users have the username anonymous and a single role named anonymous_backendrole.

You can configure the privileges associated with the opendistro_security_anonymous_backendrole in the roles.yml file.

We recommend that your defined role have very limited privileges. Generally, an anonymous user should never be able to write to your cluster.

The following is an example role definition for an anonymous_users_role. You can use this example as a reference for defining your own role in the roles.yml file:

  reserved: false
  hidden: false
  - index_patterns:
    - "public_index_*"
    - "read"

Then, in the roles_mapping.yml file, you can define the appropriate mapping for this new role:

  reserved: false
  hidden: false
  backend_roles: ["opendistro_security_anonymous_backendrole"]
  hosts: []

Notice that the role is mapped to opendistro_security_anonymous_backendrole, which means that all users with the anonymous user backend role will have these privileges.

Alternatively, you can complete these steps using the REST API or OpenSearch Dashboards.

350 characters left

Have a question? .

Want to contribute? or .