Enable TLS communication and proceed with API communication without authentication

Mantas · November 28, 2023, 9:10am

**On behalf of a user of Slack **

hello. I have one question.
I can access my_opensearch_cluster with curl -u admin:admin http://localhost:9200/_cat/health
I want to access my_opensearch_cluster with curl http://localhost:9200/_cat/health.
If so, can’t I set anything other than plugins.security.disabled: true?
What I want is to enable TLS communication and proceed with API communication without authentication.

I can’t enable anonymous auth.
The login page still appears when accessing the OSD/

# config.yml (DataNode, MasterNode)

      data: #{}
        config.yml: |
          config:
            dynamic:
              http:
                anonymous_auth_enabled: true

        roles_mapping.yml: |-
          anonymous:
            backend_roles:
              - "opendistro_security_anonymous_backendrole"

        roles.yml: |-
          anonymous:
            cluster_permissions:
            - "cluster_composite_ops"
            - "cluster:monitor/main"
            index_permissions:
            - index_patterns:
              - "*"
              allowed_actions:
              - "read"

# opensearch_dashboard.yml ( OSD )
  config:
    opensearch_dashboards.yml: |
...

        opensearch_security:
          auth:
            anonymous_auth_enabled: true

Mantas · November 28, 2023, 10:10am

Hi 싸라엘라 (띠리뷔),

To run https://localhost:9200/_cat/health` as anonymous you will need to add cluster:monitor/health to your roles.yml: anonymous.cluster_permissions :

        roles.yml: |-
          anonymous:
            cluster_permissions:
            - "cluster_composite_ops"
            - "cluster:monitor/main"
            - "cluster:monitor/health"
            index_permissions:
            - index_patterns:
              - "*"
              allowed_actions:
              - "read"

Please make sure to use securityadmin.sh to apply your changes, see more here: Applying changes to configuration files - OpenSearch documentation

(Note: use fresh session on your browser (private/incognito) when testing newly applied changes)

Alternatively, for your use case, you could consider JWT authentication to skip the “The login page”,
please see more here: JSON Web Token - OpenSearch documentation

If any further questions on these topics, just let me know.

Best,
Mantas

Topic		Replies	Views
Query on opensearch security authetication/authorization Security	3	260	October 16, 2023
Have a problem to enable security OpenSearch discuss , troubleshoot , configure , install	6	1553	November 28, 2023
Is cluster communication encryption the basis for enabling user authentication? Security configure	1	218	January 18, 2023
Authentication finally failed for anonymous user over http randomly Security troubleshoot , configure	13	6494	May 12, 2022
Query: To run securityadmin.sh when TLS is disabled on Rest layer Security	1	679	July 18, 2022

Enable TLS communication and proceed with API communication without authentication

Related topics