
Opendistro Elasticsearch Give admin level privilege to anonymous user


I am trying to give the anonymous user admin-level privileges to write to certain indices on the Opendistro bundle of Elasticsearch. I have updated config.yml with http.anonymous_auth_enabled: true and also made the required changes to role.yml for the anonymous_backendrole role.

But I am still getting this error -

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"
  },
  "status": 403
}

I am looking for anyone who could provide the correct way to set up anonymous auth with Opendistro.


Solution

  • Backend roles is really just a confusing name for "roles imported from an external server." In this case, you can ignore them.

    Instead, you want a "regular" role, which you can create in Kibana > Security > Roles (or using the REST API). Just make sure it has the same cluster and index permissions as the existing admin role. I named mine anonymous-admin and gave it UNLIMITED for cluster permissions and * for indices.

    Then go to Security > Role Mappings > Add a new role mapping. Choose your anonymous-admin role, add the string opendistro_security_anonymous to the Users field, and hit Submit.

    Before:

    $ curl -XGET https://localhost:9200 -k
    {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"},"status":403}
    

    After:

    $ curl -XGET https://localhost:9200 -k
    {
      "name" : "W8ehfvx",
      "cluster_name" : "odfe-cluster",
      "cluster_uuid" : "Uk67h4MkSL-U_48NJwjeRg",
      "version" : {
        "number" : "6.5.4",
        "build_flavor" : "oss",
        "build_type" : "tar",
        "build_hash" : "d2ef93d",
        "build_date" : "2018-12-17T21:17:40.758843Z",
        "build_snapshot" : false,
        "lucene_version" : "7.5.0",
        "minimum_wire_compatibility_version" : "5.6.0",
        "minimum_index_compatibility_version" : "5.0.0"
      },
      "tagline" : "You Know, for Search"
    }
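
An added example (not part of the original answer and not Open Distro's own code): a small Python check that resolves which roles the anonymous identity receives through role mappings and flags cluster-wide or all-index grants such as the anonymous-admin role described above. The role and mapping documents are constructed and assume the ODFE 0.x REST layout (cluster/indices, users/backendroles); anonymous-writer, readall, app-logs-* and alice are hypothetical names.

```python
ANON_USER = "opendistro_security_anonymous"
ANON_BACKEND_ROLE = "opendistro_security_anonymous_backendrole"
BROAD = {"UNLIMITED", "*"}

# Constructed sample documents (assumed ODFE 0.x layout, not real cluster output).
ROLES = {
    "anonymous-admin": {"cluster": ["UNLIMITED"],
                        "indices": {"*": {"*": ["UNLIMITED"]}}},
    "anonymous-writer": {"cluster": ["cluster:monitor/main", "cluster:monitor/health"],
                         "indices": {"app-logs-*": {"*": ["WRITE"]}}},
    "readall": {"cluster": [], "indices": {"*": {"*": ["READ"]}}},
}
ROLES_MAPPING = {
    "anonymous-admin": {"users": [ANON_USER]},
    "anonymous-writer": {"backendroles": [ANON_BACKEND_ROLE]},
    "readall": {"users": ["alice"]},
}

def roles_for_anonymous(mapping):
    """Names of roles mapped to the anonymous user name or its backend role."""
    hits = []
    for role, m in mapping.items():
        backend = m.get("backendroles", []) + m.get("backend_roles", [])
        if ANON_USER in m.get("users", []) or ANON_BACKEND_ROLE in backend:
            hits.append(role)
    return sorted(hits)

def broad_grants(role_def):
    """Findings for unrestricted cluster permissions or grants on every index."""
    findings = []
    if BROAD & set(role_def.get("cluster", [])):
        findings.append("cluster: unrestricted")
    for pattern, doc_types in role_def.get("indices", {}).items():
        perms = {p for plist in doc_types.values() for p in plist}
        if pattern == "*" and perms:
            findings.append("indices: pattern * with " + ",".join(sorted(perms)))
        elif BROAD & perms:
            findings.append(f"indices: {pattern} unrestricted")
    return findings

def audit(roles, mapping):
    """Map each role the anonymous identity holds to its list of broad grants."""
    return {r: broad_grants(roles.get(r, {})) for r in roles_for_anonymous(mapping)}

if __name__ == "__main__":
    for role, findings in audit(ROLES, ROLES_MAPPING).items():
        print(role, "->", findings or "scoped")
```

An empty findings list means the role is limited to named index patterns and explicit cluster actions, which is the shape to aim for when anonymous clients only need to write to certain indices.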