The Security plugin supports anonymous authentication, through which a user is able to access a cluster without providing credentials. This is useful in cases where you want lots of people to be able to access your cluster with a common set of privileges.
To enable anonymous authentication, you need to modify the
config.yml file inside the
opensearch-security configuration subdirectory of your cluster.
config.yml file, there is an
http section, which includes the
The following table describes the
anonymous_auth_enabled setting. For more information, see the configuration file overview.
|Either enables or disables anonymous authentication. When you enable anonymous authentication, all defined HTTP authenticators are non-challenging. See The challenge setting.
If you disable anonymous authentication, you must provide at least one
authc in order for the Security plugin to initialize successfully.
Defining anonymous authentication privileges
When anonymous authentication is enabled, your defined HTTP authenticators still try to find user credentials inside your HTTP request. If credentials are found, the user is authenticated. If none are found, the user is authenticated as an
All anonymous users have the username
anonymous and a single role named
You can configure the privileges associated with the
opendistro_security_anonymous_backendrole in the roles.yml file.
We recommend that your defined role have very limited privileges. Generally, an anonymous user should never be able to write to your cluster.
The following is an example role definition for an
anonymous_users_role. You can use this example as a reference for defining your own role in the
Then, in the
roles_mapping.yml file, you can define the appropriate mapping for this new role:
Notice that the role is mapped to
opendistro_security_anonymous_backendrole, which means that all users with the anonymous user backend role will have these privileges.
Alternatively, you can complete these steps using the REST API or OpenSearch Dashboards.