Version: 6.x-21
This is an older version of Search Guard. Switch to Latest version
Community

Anonymous authentication

Search Guard supports anonymous authentication. Usually, if no user credentials are provided, Search Guard will decline the request with a security exception. However, if you enable anonymous authentication, unauthenticated requests get assigned to a default user and backend role automatically.

For example, you can grant unauthenticated users read-only access to certain indices, while requiring authentication for all other requests.

Enabling anonymous authentication

To use anonymous authentication, enable it in sg_config.yml like:

searchguard:
  dynamic:
    ...
    http:
      anonymous_auth_enabled: true
Name Description
anonymous_auth_enabled Whether to enable anonymous authentication. Boolean. Default: false

User and role mapping

Anonymous users always have the username sg_anonymous and one backen role named sg_anonymous_backendrole.

You can use the role mapping to assign one or more Search Guard role to this user:

sg_roles_mapping.yml:

sg_anonymous:
  backendroles:
    - sg_anonymous_backendrole

sg_roles.yml:

sg_anonymous:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'public':
      '*':
        - READ