Search Guard - Enterprise Security for Elasticsearch
Version: SG FLX
Community

Anonymous authentication

Content

Search Guard supports anonymous authentication. Usually, if no user credentials are provided, Search Guard will decline the request. However, with anonymous authentication, you can grant basic rights to unauthenticated requests.

For example, you can grant unauthenticated users read-only access to certain indices, while requiring authentication for all other requests.

You can choose to enable anonymous authentication only for specific source IPs.

Search Guard setup

To use anonymous authentication, edit sg_authc.yml and append an authentication domain of type anonymous to the end of the list of authentication domains:

auth_domains:
- type: basic/internal_users_db
- type: anonymous
  user_mapping.user_name.static: anon
  user_mapping.roles.static: anon_role

You use the options user_mapping.user_name.static and user_mapping.roles.static to define which user name and which roles shall be assigned to the anonymous user.

You can also use the client IP address as the name of the anonymous user:

auth_domains:
- type: basic/internal_users_db
- type: anonymous
  user_mapping.user_name.from: request.originating_ip_address
  user_mapping.roles.static: anon_role

Then, use sg_roles_mapping.yml and sg_roles.yml to assign the desired privileges to the anon_role:

sg_roles_mapping.yml:

sg_anonymous:
  backend_roles:
    - anon_role

sg_roles.yml:

sg_anonymous:
  cluster:
    - SGS_CLUSTER_COMPOSITE_OPS_RO
  indices:
    'public':
      - SGS_READ

Client IP specific anonymous users

If you want to activate anonymous authentication only for specific source IPs, you can use the standard accept.ips config option of authentication domains:

auth_domains:
- type: basic/internal_users_db
- type: anonymous
  accept.ips: "10.12.123.0/24"
  user_mapping.user_name.from: request.originating_ip_address
  user_mapping.roles.static: anon_role

Using this method, you can even define different privilege levels for anonymous users, based on their origin IP. Just define several anonymous auth domains for different CIDR subnets:

auth_domains:
- type: basic/internal_users_db
- type: anonymous
  accept.ips: "10.12.123.0/24"
  user_mapping.user_name.from: request.originating_ip_address
  user_mapping.roles.static: anon_role_low_rights
- type: anonymous
  accept.ips: "172.10.1.0/24"
  user_mapping.user_name.from: request.originating_ip_address
  user_mapping.roles.static: anon_role_elevated_rights

Activate the setup

After having applied the changes to sg_authc.yml, use sgctl to upload the file to Search Guard:

$ ./sgctl.sh update-config sg_authc.yml

That’s it. If you navigate in a browser to your Elasticsearch instance, you should get a basic authentication popup asking for your username and password. If you then click on “Cancel”, you should be logged in as anonymous user.

Questions? Drop us a note!

Not what you were looking for? Try the search.