Ability to Have Read-Only for All Authenticated Users Except Admins

A use-case i’m after (using OpenID Connect if it matters) is to configure OpenDistro so that I can set some users as Admins/Users, but for all other authenticated users, have them be in a read-only role.

I am able to assign individual users to admins/users without issue. However, when i attempted to map the user “*” to kibana_read_only the role entire Kibana UI reverts to the read-only mode.

It seems like kibana_read_only when it’s mapped to the opendistro_security.readonly_mode.roles behaves according to special rules to modify the Kibana UI.

Is my understanding correct? Is there anyway to work around this? Basically say all authenticated user except for those w/ other roles will receive the locked down role?

If it’s simply not possible, does a feature suggestion to allow an additional property opendistro_security.readonly_mode.override_roles which would adjust the logic so for the read-only ui view to be "show the read only view if the user has a role in opendistro_security.readonly_mode.roles AND does not have a role in opendistro_security.readonly_mode.override_roles.