Well, the answer very much depends on what exact scenario you want to implement. Let me explain:
If you want to mix authentication and anonymous access, the question is how you want to ask users for their credentials (for authenticated users) and allow usage without any credentials (anonymous users) at the same time? That’s where the “challenge” flag comes into play.
If set to true, it basically says: “If there are no credentials in the request, ask the user to provide them”. In case of HTTP Basic Auth, this would trigger the Basic Auth dialogue in the browser. Now, you cannot set challenge to true and still have anonymous access, since when no credentials are provided, we simply do not know if we should trigger the Basic Auth dialogue to ask for credentials, or treat the request as anonymous.
In other words, if you want to allow anonymous access, you have to use pre-authentication and cannot use a challenging authenticator.
This is what the “anonymous_auth_enabled” flag in sg_config does. If you set this to true:
- Search Guard will not challenge, regardless of the settings in sg_config
  - In other words, it acts like every “challenge” flag is set to “false”
- Search Guard will look for credentials in the HTTP request
  - This could be username:password in case of Basic Auth, or a JWT token, or a Kerberos ticket
  - This depends on the authenticator(s) you configured
- If credentials are found, Search Guard uses them to authenticate the user
- If no credentials are found, the user will be treated as anonymous
  - username is “sg_anonymous”
  - role is “sg_anonymous_backendrole”
You can then use this username and role to configure any permissions on any index you like. So technically this is relatively easy to achieve.
The question here is: What should the user flow be like? Let’s say you open Kibana for the first time - how do you want to distinguish between authenticated and anonymous access? For example, you could also simply configure a “guest” user in the SG internal user database with password “guest”, and simply configure read-only access to all or some indices. You would not need the “anonymous” feature for that at all.
So, to answer the question in more detail, please tell me what user flow you want to implement exactly.
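The anonymous setup described in this answer, sketched as configuration fragments. This is an added example, not part of the original thread; it assumes the Search Guard 5.x YAML file layout, and the auth domain name, the role name sg_public_read and the index pattern public-* are made up for illustration.

```yaml
# --- sg_config.yml (fragment) ---
searchguard:
  dynamic:
    http:
      # Requests without credentials are treated as user "sg_anonymous"
      anonymous_auth_enabled: true
    authc:
      basic_internal_auth_domain:      # domain name is an assumption
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          # Must not challenge: with anonymous auth on, Search Guard
          # behaves as if every challenge flag were false anyway
          challenge: false
        authentication_backend:
          type: intern                 # SG internal user database
---
# --- sg_roles.yml (fragment) ---
# Read-only role limited to the indices meant to be public
sg_public_read:                        # hypothetical role name
  indices:
    'public-*':                        # hypothetical index pattern
      '*':
        - READ
---
# --- sg_roles_mapping.yml (fragment) ---
# Anonymous requests carry the backend role "sg_anonymous_backendrole";
# map only that backend role to the read-only role above
sg_public_read:
  backendroles:
    - sg_anonymous_backendrole
```

Authenticated users keep whatever roles their own mappings give them; only requests that arrive without credentials fall through to the read-only role.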
On Tuesday, April 25, 2017 at 6:26:07 PM UTC+2, Saša Tomić wrote:
How odd… I was just about to post the same question.
Could an official please provide some guidelines on this?
But please make it a bit more generic, so as to allow public/non-authenticated read-only access to any pre-defined indices.
Thanks a lot!
On Tuesday, April 25, 2017 at 1:42:11 PM UTC+2, Павел Гончарук wrote:
I use Elasticsearch and Kibana 5.2.2.
I successfully configured Search Guard to grant authenticated users the required privileges.
Now I want to give access to some indices from Kibana for users without authentication.
It seems it shouldn’t be difficult, but I can’t understand how it could be done…
I tried to use the anonymous user for this purpose, but did not succeed…