2

I am trying to give the anonymous user admin-level privileges to write to certain indices on the Opendistro bundle of Elasticsearch. I have updated config.yml with http.anonymous_auth_enabled: true and also made the required changes to role.yml for the anonymous_backendrole role.

But I am still getting this error -

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"
  },
  "status": 403
}

I am looking to see if anyone here could provide the correct way to set up anonymous auth with Opendistro.

mana

3 Answers

5

Backend roles is really just a confusing name for "roles imported from an external server." In this case, you can ignore them.

Instead, you want a "regular" role, which you can create in Kibana > Security > Roles (or using the REST API). Just make sure it has the same cluster and index permissions as the existing admin role. I named mine anonymous-admin and gave it UNLIMITED for cluster permissions and * for indices.

Then go to Security > Role Mappings > Add a new role mapping. Choose your anonymous-admin role, add the string opendistro_security_anonymous to the Users field, and hit Submit.

Before:

$ curl -XGET https://localhost:9200 -k
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=opendistro_security_anonymous, roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"},"status":403}

After:

$ curl -XGET https://localhost:9200 -k
{
  "name" : "W8ehfvx",
  "cluster_name" : "odfe-cluster",
  "cluster_uuid" : "Uk67h4MkSL-U_48NJwjeRg",
  "version" : {
    "number" : "6.5.4",
    "build_flavor" : "oss",
    "build_type" : "tar",
    "build_hash" : "d2ef93d",
    "build_date" : "2018-12-17T21:17:40.758843Z",
    "build_snapshot" : false,
    "lucene_version" : "7.5.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
aetter
  • Hi @eatter, could you please add some screenshots? I'm still unable to edit security settings with anonymous admin. Could it have anything to do with the fact that I'm trying to add this role to an LDAP user? – Marco May 21 '19 at 12:26
  • that role setting really helped me! – Elad Sep 14 '20 at 13:28
3

After not being able to get the solution provided by @aetter working, I found a post by hardik-k-shah on GitHub with the detailed guide posted below.

https://github.com/opendistro-for-elasticsearch/security/issues/42

To enable anonymous access, you have to enable anonymous access in config.yml and kibana.yml. You also have to create one role for anonymous access with the related permissions (read permission to some indices in your case) and the related role mapping for the anonymous user. Anonymous requests are always assigned opendistro_security_anonymous as the username and opendistro_security_anonymous_backendrole as the backend role.

Detailed steps to enable anonymous access:

1. In config.yml enable anonymous access

opendistro_security:
    dynamic:
       http:
          anonymous_auth_enabled: true

2. Create an anonymous role with the required permissions (you can create this role either through the Kibana UI or by changing the roles.yml file if you want to make the role read-only). For example:

opendistro_security_anonymous:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

3. Create a role mapping for the opendistro_security_anonymous_backendrole role (you can create this role mapping either through the Kibana UI or by changing the roles_mapping.yml file).

opendistro_security_anonymous:
  backend_roles:
    - opendistro_security_anonymous_backendrole

4. Use the securityadmin tool to apply these config changes if your cluster is already up and running.

5. Update kibana.yml to enable anonymous access for Kibana. You have to restart the Kibana process to apply these changes.

opendistro_security.auth.anonymous_auth_enabled: true
1

I wanted anonymous access for just the health check. A few additional notes might be helpful.

Setting anonymous_auth_enabled to true needs to be done in: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml

opendistro_security:
    dynamic:
       http:
          anonymous_auth_enabled: true

Roles now need to look like this in: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml

# allow anonymous access to /cluster
opendistro_security_anonymous:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'

Role mapping as described: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml

opendistro_security_anonymous:
  reserved: true
  backend_roles:
    - "opendistro_security_anonymous_backendrole"

I'd love to know why the role in role mapping doesn't match the new role defined but I'm not going to lose any sleep over it now it's working.

I'm presuming if you're interested in this you've already turned on security in: /usr/share/elasticsearch/config/elasticsearch.yml

opendistro_security.disabled: false
MSillence
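
To see why the request in the question is rejected and why a role mapping changes the outcome, this added example (not code from any of the posts or from the Open Distro plugin) parses the 403 body, resolves which roles the mapping assigns to the anonymous user, and checks whether one of them grants the denied cluster action. The dictionaries mirror the roles.yml and roles_mapping.yml of the last answer; the function names and the action-group expansion are assumptions, and the matching is a simplified model of the plugin's evaluation.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample: the 403 reason string from the question.
ERROR_BODY = json.dumps({"status": 403, "error": {"type": "security_exception",
    "reason": "no permissions for [cluster:monitor/health] and User "
              "[name=opendistro_security_anonymous, roles="
              "[opendistro_security_anonymous_backendrole], requestedTenant=null]"}})
# roles.yml and roles_mapping.yml from the last answer, written as dicts.
ROLES = {"opendistro_security_anonymous": {
    "reserved": True, "cluster_permissions": ["cluster_monitor"]}}
ROLES_MAPPING = {"opendistro_security_anonymous": {
    "reserved": True, "backend_roles": ["opendistro_security_anonymous_backendrole"]}}
# Assumption: simplified action-group expansion; check your action_groups.yml.
ACTION_GROUPS = {"cluster_monitor": ["cluster:monitor/*"]}

REASON_RE = re.compile(r"no permissions for \[(?P<action>[^\]]+)\] and User "
                       r"\[name=(?P<user>[^,]+), roles=\[(?P<roles>[^\]]*)\]")

def parse_denial(body):
    """Return (denied action, user name, backend roles) from a 403 body."""
    m = REASON_RE.search(json.loads(body)["error"]["reason"])
    if m is None:
        raise ValueError("not a permission-denied security_exception")
    return m["action"], m["user"], [r.strip() for r in m["roles"].split(",") if r.strip()]

def mapped_roles(user, backend_roles, roles_mapping):
    """Roles whose mapping lists the user name or one of its backend roles."""
    return sorted(role for role, m in roles_mapping.items()
                  if user in m.get("users", [])
                  or set(backend_roles) & set(m.get("backend_roles", [])))

def is_allowed(action, role_names, roles):
    """True if a mapped role grants the cluster action, directly or via a group."""
    return any(fnmatchcase(action, pattern)
               for name in role_names
               for perm in roles.get(name, {}).get("cluster_permissions", [])
               for pattern in ACTION_GROUPS.get(perm, [perm]))

def explain(body, roles, roles_mapping):
    """Return (denied action, roles the user is mapped to, whether now allowed)."""
    action, user, backend = parse_denial(body)
    names = mapped_roles(user, backend, roles_mapping)
    return action, names, is_allowed(action, names, roles)

if __name__ == "__main__":
    print(explain(ERROR_BODY, ROLES, {}))             # before: no mapping
    print(explain(ERROR_BODY, ROLES, ROLES_MAPPING))  # after: mapping applied
```

With an empty mapping the anonymous user resolves to no roles at all, which is the state the 403 describes; the same check with an index-write action such as indices:data/write/index stays denied, which is the scope to aim for when the goal is only a health check.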