Search Guard - Enterprise Security for Elasticsearch
Version: 7.x-47.0.0
Community

Anonymous authentication

Content

Search Guard supports anonymous authentication. Usually, if no user credentials are provided, Search Guard will decline the request with a security exception. However, if you enable anonymous authentication, unauthenticated requests get assigned to a default user and backend role automatically.

For example, you can grant unauthenticated users read-only access to certain indices, while requiring authentication for all other requests.

Enabling anonymous authentication

To use anonymous authentication, enable it in sg_config.yml like:

_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic:
    ...
    http:
      anonymous_auth_enabled: true
Name Description
anonymous_auth_enabled Whether to enable anonymous authentication. Boolean. Default: false

User and role mapping

Anonymous users always have the username sg_anonymous and one backen role named sg_anonymous_backendrole.

You can use the role mapping to assign one or more Search Guard role to this user:

sg_roles_mapping.yml:

sg_anonymous:
  backend_roles:
    - sg_anonymous_backendrole

sg_roles.yml:

sg_anonymous:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'public':
      '*':
        - READ
Questions? Drop us a note!

Not what you were looking for? Try the search.