How to Grant Full Access to Anonymous Users in OpenSearch Including System Indices

sukhbir947 · August 21, 2025, 9:49pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.1

Describe the issue:
I’m working on an OpenSearch setup where I want to allow anonymous users to access the system without any authentication. Specifically, I want these users to have full access — including admin-level permissions and access to system indices like .opendistro_security.

Despite configuring anonymous access, I keep encountering the following error:
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"},"status":403}.

Configuration:
I am sharing below the configurations that I am using. But it is still giving me the same error - security_exception.

config/opensearch-security/roles_mapping.yml file

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "opendistro_security_anonymous_backendrole"

config/opensearch.yml file

plugins.security.nodes_dn: ...

plugins.security.allow_default_init_securityindex: true
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.certificates_hot_reload.enabled: true
plugins.security.system_indices.permission.enabled: true
plugins.security.system_indices.enabled: true
plugins.security.restapi.admin.enabled: true

plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "anonymous_users_role"]

# plugins.security.cache.ttl_minutes: 1
plugins.security.ssl.http.enabled: false

plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: pkcs12
plugins.security.ssl.transport.keystore_filepath: keystore.pfx
plugins.security.ssl.transport.truststore_type: pkcs12
plugins.security.ssl.transport.truststore_filepath: truststore.pfx

plugins.security.ssl.transport.enabled_ciphers: ...
plugins.security.ssl.transport.enabled_protocols: ...

Relevant Logs or Screenshots

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]"},"status":403}.

Anthony · August 22, 2025, 10:03am

@sukhbir947 Giving a full admin access to anonymous user would not be possible if you are using security plugin, as even admin users have limitations and there is a good reason for this. Is there a reason you would like to have security enabled at all in this usecase?

sukhbir947 · August 22, 2025, 2:44pm

Yes, I am using security plugin in OpenSearch for mainly enabling TLS on transport layer. And since we don’t have any requirement for authentication on http layer, I have to deal with anonymous user.

@Anthony is it possible that at least I can give user all access to security index .opendistro-security. So that user can update cluster setting, index setting, can read docs present in that index, etc.

Topic		Replies	Views
Anonymous write to index Security	3	1640	September 9, 2020
Anonymous user is not working in Opensearch 2.x.x Security	3	1172	February 24, 2023
Opensearch-dashboard anonymous access OpenSearch discuss , troubleshoot , configure	0	638	June 19, 2022
Need help in setting up anonymous auth for opensearch and opensearch-dashboards OpenSearch configure , install	2	1015	December 12, 2022
"no permissions" exception for admin user OpenSearch	3	1463	June 23, 2023

How to Grant Full Access to Anonymous Users in OpenSearch Including System Indices

Related topics