Need help in setting up anonymous auth for opensearch and opensearch-dashboards

Docker image versions in use: opensearch-2.3.0 and opensearch-dashboards-2.3.0
Helm chart version: opensearch-2.6.2, opensearch-2.5.3

I am new to opensearch. I could bring up opensearch and opensearch-dashboards over https with basic auth (admin/admin)

We have our own PKI container that can help us generate the node and admin certs.

I have to further configure opensearch to work with anonymous user.

I tried following the opensearch documentation, but could not get opensearch work with anonymous user.

The given role, role_mappings and security config does not seem to get applied.

The opensearch APIs run well only while I pass username/password. Otherwise it would show ‘unauthorized’ error

[opensearch@opensearch-cluster-master-0 ~]$ curl -u admin:admin -k 'https://localhost:9200/_plugins/_security/authinfo?pretty'
{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1:44880",
  "backend_roles" : [
    "admin"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index",
    "all_access"
  ],
  "tenants" : {
    "global_tenant" : true,
    "admin_tenant" : true,
    "admin" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}


[opensearch@opensearch-cluster-master-0 ~]$ curl -k 'https://localhost:9200/_plugins/_security/authinfo?pretty'
Unauthorized[opensearch@opensearch-cluster-master-0 ~]$

Pls guide me on what could be wrong at my values.yaml

---
replicas: 1

singleNode: true

image:
  repository: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/opensearchproject/opensearch
  tag: 2.3.0
  pullPolicy: "IfNotPresent"

resources:
  requests:
    cpu: 1000m
    memory: 1000Mi
  limits:
    cpu: 12

opensearchJavaOpts: "-Xmx512m -Xms512m"

httpPort: 9200
masterService: "opensearch"

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1000

startupProbe:
  tcpSocket:
    port: 9200
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 3
  failureThreshold: 30
readinessProbe:
  tcpSocket:
    port: 9200
  periodSeconds: 5
  timeoutSeconds: 3
  failureThreshold: 3

config:
  opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: "_global_"
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: opensearchnode.pem
            pemkey_filepath: opensearchnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: true
            clientauth_mode: OPTIONAL
            pemcert_filepath: opensearchnode.pem
            pemkey_filepath: opensearchnode-key.pem
            pemtrustedcas_filepath: root-ca.pem

        allow_unsafe_democertificates: false
        allow_default_init_securityindex: true
        nodes_dn:
          - CN=opensearch,O=CSF_Internal
        authcz:
          admin_dn:
            - CN=kirk,O=CSF_Internal
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  #configSecret: opensearch-cluster-master-securityconfig
  config:
    dataComplete: false
    data:
      config.yml: |-
        ---
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            http:
              anonymous_auth_enabled: true
              xff:
                enabled: false
           
      #Refer https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/api/#roles
      roles.yml: |-
        ---
        _meta:
          type: "config"
          config_version: 2

        anonymous_admin:
          reserved: false
          cluster_permissions:
            - '*'
          index_permissions:
            - index_patterns:
                - '*'
              allowed_actions:
                - '*'

        anonymous:
          cluster_permissions:
          - "cluster_composite_ops"
          - "cluster:monitor/main"
          index_permissions:
            - index_patterns:
              - '*'
              allowed_actions:
              - '*'

        anonymous_backendrole:
          cluster_permissions:
          - '*'
          index_permissions:
            - index_patterns:
              - '*'
              allowed_actions:
              - '*'

        opendistro_security_anonymous:
          cluster_permissions:
          - '*'
          index_permissions:
            - index_patterns:
              - '*'
              allowed_actions:
              - '*'

        opendistro_certs_role:
          cluster_permissions:
          - '*'
          index_permissions:
          - index_patterns:
            - '*'
            allowed_actions:
            - '*'

      roles_mapping.yml: |-
        ---
        _meta:
          type: "config"
          config_version: 2

        anonymous:
          backend_roles:
            - "opendistro_security_anonymous_backendrole"

        anonymous_admin:
          reserved: false
          backend_roles:
          - "anonymous_admin"
          - "admin"
          users:
          - "opendistro_security_anonymous"

        opendistro_security_anonymous:
          reserved: true
          backend_roles:
          - "anonymous_backendrole"
          - "opendistro_security_anonymous_backendrole"

        opendistro_certs_role:
          users:
          - "NSP_Internal"


persistence:
  enabled: false
  enableInitChown: false
  storageClass: "-"
  storageClassName: "local-storage"

priorityClassName: "nsp-high-priority"

extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

extraVolumes:
  - name: shared-tls-volume
    emptyDir: {}
  - name: node-certs
    emptyDir: {}
  - name: opensearch-certs
    emptyDir: {}
  - name: nsp-tls-zip
    secret:
      secretName: nsp-tls
  - name: opensearch-data
    persistentVolumeClaim:
      claimName: "opensearch-data"

extraVolumeMounts:
  - name: shared-tls-volume
    mountPath: /opt/nsp/os/ssl
  - name: node-certs
    mountPath: /opt/nsp/os/nodecerts
  - name: opensearch-certs
    mountPath: /opt/nsp/os/opensearchcerts
  - name: opensearch-data
    mountPath: /usr/share/opensearch/data
    subPath: opensearch/data

extraInitContainers:
  - name: nspos-pki-node-certs
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/nspos-pki-container:23.4.0-rel.8
    imagePullPolicy: IfNotPresent
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: SAN_HOSTS
        value: "opensearch.default.svc.cluster.local"
      - name: CERT_MODE
        value: "0400"
      - name: KEY_MODE
        value: "0400"
      - name: INTERNAL_CN
        value: "opensearch"
    volumeMounts:
      - name: shared-tls-volume
        mountPath: /opt/nsp/os/ssl
      - name: nsp-tls-zip
        mountPath: /nspTls

  - name: busybox-container
    command:
      - "/bin/sh"
      - "-c"
      - cp -r /opt/nsp/os/ssl/* /opt/nsp/os/nodecerts/
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/busybox:1.35.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /opt/nsp/os/ssl
        name: shared-tls-volume
      - mountPath: /opt/nsp/os/nodecerts
        name: node-certs

  - name: nspos-pki-admin-certs
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/nspos-pki-container:23.4.0-rel.8
    imagePullPolicy: IfNotPresent
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: SAN_HOSTS
        value: "opensearch.default.svc.cluster.local"            
      - name: CERT_MODE
        value: "0400"
      - name: KEY_MODE
        value: "0400"
      - name: INTERNAL_CN
        value: "kirk"
    volumeMounts:
      - name: shared-tls-volume
        mountPath: /opt/nsp/os/ssl
      - name: nsp-tls-zip
        mountPath: /nspTls

  - name: generate-opensearch-certs
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/opensearchproject/opensearch:2.3.0
    imagePullPolicy: IfNotPresent
    command:
      - "/bin/sh"
      - "-c"
      - |
        cp /opt/nsp/os/ssl/internal_ca_cert.pem /opt/nsp/os/opensearchcerts/root-ca.pem
        cp /opt/nsp/os/nodecerts/certs/nsp/nsp_internal.pem /opt/nsp/os/opensearchcerts/opensearchnode.pem
        cp /opt/nsp/os/nodecerts/nsp_internal.key /opt/nsp/os/opensearchcerts/opensearchnode-key.pem
        cp /opt/nsp/os/ssl/certs/nsp/nsp_internal.pem /opt/nsp/os/opensearchcerts/kirk.pem
        cp /opt/nsp/os/ssl/nsp_internal.key /opt/nsp/os/opensearchcerts/kirk-key.pem
        cp /opt/nsp/os/nodecerts/nsp_internal.keystore  /opt/nsp/os/opensearchcerts/keystore.jks
        cp /opt/nsp/os/nodecerts/nsp_internal.truststore /opt/nsp/os/opensearchcerts/truststore.jks
        cp /opt/nsp/os/ssl/nsp_internal.keystore /opt/nsp/os/opensearchcerts/client-keystore.jks
        keytool -delete -noprompt -alias nsp_internal-ca -keystore /opt/nsp/os/opensearchcerts/keystore.jks -storepass $KS_PWD
        keytool -delete -noprompt -alias nsp_internal-ca -keystore /opt/nsp/os/opensearchcerts/client-keystore.jks -storepass $KS_PWD
        chmod 777 /opt/nsp/os/opensearchcerts/*
    volumeMounts:
      - name: shared-tls-volume
        mountPath: /opt/nsp/os/ssl
      - name: node-certs
        mountPath: /opt/nsp/os/nodecerts
      - name: opensearch-certs
        mountPath: /opt/nsp/os/opensearchcerts

lifecycle:
  postStart:
    exec:
      command:
        - bash
        - -c
        - |
          cp -r /opt/nsp/os/opensearchcerts/* /usr/share/opensearch/config/
          chmod 600 /usr/share/opensearch/config/*store*
          chmod 600 /usr/share/opensearch/config/*node*
          chmod 600 /usr/share/opensearch/config/*kirk*

extraObjects:
  - apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: "opensearch-data"
    spec:
      storageClassName: "local-storage"
      capacity:
        storage: 50Gi
      volumeMode: Filesystem
      accessModes:
        - ReadWriteMany
      local:
        path: /opt/nsp/volumes
      nodeAffinity:
        required:
          nodeSelectorTerms:
            - matchExpressions:
                - key: opensearch
                  operator: In
                  values:
                    - "true"

  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: "opensearch-data"
      labels:
        app: opensearch
        release: "opensearch"
        heritage: "Helm"
    spec:
      storageClassName: "local-storage"
      accessModes:
        - ReadWriteMany
      volumeName: "opensearch-data"
      resources:
        requests:
          storage: 50Gi

One of my team member could make the anonymous auth work with below config

---
replicas: 1

singleNode: true

image:
  repository: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/opensearchproject/opensearch
  tag: 2.3.0
  pullPolicy: "IfNotPresent"

resources:
  requests:
    cpu: 1000m
    memory: 1000Mi
  limits:
    cpu: 12

opensearchJavaOpts: "-Xmx512m -Xms512m"

httpPort: 9200
masterService: "opensearch"

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1000

startupProbe:
  tcpSocket:
    port: 9200
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 3
  failureThreshold: 30
readinessProbe:
  tcpSocket:
    port: 9200
  periodSeconds: 5
  timeoutSeconds: 3
  failureThreshold: 3

config:
  opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: "_global_"
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: opensearchnode.pem
            pemkey_filepath: opensearchnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: opensearchnode.pem
            pemkey_filepath: opensearchnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            clientauth_mode: OPTIONAL
        allow_unsafe_democertificates: false
        allow_default_init_securityindex: true
        nodes_dn:
          - CN=opensearch,O=CSF_Internal
        authcz:
          admin_dn:
            - CN=kirk,O=CSF_Internal
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig"
  config:
    dataComplete: true
    data:
      config.yml: |
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            http:
              anonymous_auth_enabled: true
            authc:
              basic_internal_auth_domain:
                description: "Authenticate via HTTP Basic against internal users database"
                http_enabled: true
                transport_enabled: true
                order: 4
                http_authenticator:
                  type: basic
                  challenge: true
                authentication_backend:
                  type: intern
              clientcert_auth_domain:
                description: "Authenticate via SSL client certificates"
                http_enabled: true
                transport_enabled: true
                order: 1
                http_authenticator:
                  type: clientcert
                  config:
                    username_attribute: cn #optional, if omitted DN becomes username
                  challenge: false
                authentication_backend:
                  type: noop
      action_groups.yml: |
        _meta:
          type: "actiongroups"
          config_version: 2
      audit.yml: |
        _meta:
          type: "audit"
          config_version: 2
        config:
          # enable/disable audit logging
          enabled: false
      internal_users.yml: |
        _meta:
          type: "internalusers"
          config_version: 2
        admin:
          hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
          reserved: true
          backend_roles:
          - "admin"
          description: "Demo admin user"
      nodes_dn.yml: |
        _meta:
          type: "nodesdn"
          config_version: 2
        opensearch-cluster:
          nodes_dn:
              - CN=*
      roles.yml: |
        _meta:
          type: "roles"
          config_version: 2
        full_access:
          reserved: true
          cluster_permissions:
            - 'cluster_monitor'
            - 'cluster:admin/*'
          index_permissions:
            - index_patterns:
                - '*'
              allowed_actions:
                - '*'
      roles_mapping.yml: |
        _meta:
          type: "rolesmapping"
          config_version: 2
        all_access:
          reserved: false
          backend_roles:
          - "admin"
          description: "Maps admin to all_access"
        full_access:
          reserved: true
          users:
          - "opendistro_security_anonymous"
          description: "Maps opendistro_security_anonymous to all_access"
      tenants.yml: |
        _meta:
          type: "tenants"
          config_version: 2
      whitelist.yml: |
        _meta:
          type: "whitelist"
          config_version: 2
        config:
          enabled: false

persistence:
  enabled: false
  enableInitChown: false
  storageClass: "-"
  storageClassName: "local-storage"

priorityClassName: "nsp-high-priority"

extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

extraVolumes:
  - name: shared-tls-volume
    emptyDir: {}
  - name: node-certs
    emptyDir: {}
  - name: opensearch-certs
    emptyDir: {}
  - name: nsp-tls-zip
    secret:
      secretName: nsp-tls
  - name: opensearch-data
    persistentVolumeClaim:
      claimName: "opensearch-data"

extraVolumeMounts:
  - name: shared-tls-volume
    mountPath: /opt/nsp/os/ssl
  - name: node-certs
    mountPath: /opt/nsp/os/nodecerts
  - name: opensearch-certs
    mountPath: /opt/nsp/os/opensearchcerts
  - name: opensearch-data
    mountPath: /usr/share/opensearch/data
    subPath: opensearch/data

extraInitContainers:
  - name: nspos-pki-node-certs
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/nspos-pki-container:23.4.0-rel.8
    imagePullPolicy: IfNotPresent
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: SAN_HOSTS
        value: "opensearch.default.svc.cluster.local"
      - name: CERT_MODE
        value: "0400"
      - name: KEY_MODE
        value: "0400"
      - name: INTERNAL_CN
        value: "opensearch"
    volumeMounts:
      - name: shared-tls-volume
        mountPath: /opt/nsp/os/ssl
      - name: nsp-tls-zip
        mountPath: /nspTls

  - name: busybox-container
    command:
      - "/bin/sh"
      - "-c"
      - cp -r /opt/nsp/os/ssl/* /opt/nsp/os/nodecerts/
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/busybox:1.35.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /opt/nsp/os/ssl
        name: shared-tls-volume
      - mountPath: /opt/nsp/os/nodecerts
        name: node-certs

  - name: nspos-pki-admin-certs
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/nspos-pki-container:23.4.0-rel.8
    imagePullPolicy: IfNotPresent
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: SAN_HOSTS
        value: "opensearch.default.svc.cluster.local"            
      - name: CERT_MODE
        value: "0400"
      - name: KEY_MODE
        value: "0400"
      - name: INTERNAL_CN
        value: "kirk"
    volumeMounts:
      - name: shared-tls-volume
        mountPath: /opt/nsp/os/ssl
      - name: nsp-tls-zip
        mountPath: /nspTls

  - name: generate-opensearch-certs
    image: blr-orbw-artifactory.in.alcatel-lucent.com:8081/orbw-artifactory-docker-mirror/opensearchproject/opensearch:2.3.0
    imagePullPolicy: IfNotPresent
    command:
      - "/bin/sh"
      - "-c"
      - |
        cp /opt/nsp/os/ssl/internal_ca_cert.pem /opt/nsp/os/opensearchcerts/root-ca.pem
        cp /opt/nsp/os/nodecerts/certs/nsp/nsp_internal.pem /opt/nsp/os/opensearchcerts/opensearchnode.pem
        cp /opt/nsp/os/nodecerts/nsp_internal.key /opt/nsp/os/opensearchcerts/opensearchnode-key.pem
        cp /opt/nsp/os/ssl/certs/nsp/nsp_internal.pem /opt/nsp/os/opensearchcerts/kirk.pem
        cp /opt/nsp/os/ssl/nsp_internal.key /opt/nsp/os/opensearchcerts/kirk-key.pem
        cp /opt/nsp/os/nodecerts/nsp_internal.keystore  /opt/nsp/os/opensearchcerts/keystore.jks
        cp /opt/nsp/os/nodecerts/nsp_internal.truststore /opt/nsp/os/opensearchcerts/truststore.jks
        cp /opt/nsp/os/ssl/nsp_internal.keystore /opt/nsp/os/opensearchcerts/client-keystore.jks
        keytool -delete -noprompt -alias nsp_internal-ca -keystore /opt/nsp/os/opensearchcerts/keystore.jks -storepass $KS_PWD
        keytool -delete -noprompt -alias nsp_internal-ca -keystore /opt/nsp/os/opensearchcerts/client-keystore.jks -storepass $KS_PWD
        chmod 777 /opt/nsp/os/opensearchcerts/*
    volumeMounts:
      - name: shared-tls-volume
        mountPath: /opt/nsp/os/ssl
      - name: node-certs
        mountPath: /opt/nsp/os/nodecerts
      - name: opensearch-certs
        mountPath: /opt/nsp/os/opensearchcerts

lifecycle:
  postStart:
    exec:
      command:
        - bash
        - -c
        - |
          cp -r /opt/nsp/os/opensearchcerts/* /usr/share/opensearch/config/
          chmod 700 /usr/share/opensearch/config
          chmod 600 /usr/share/opensearch/config/*store*
          chmod 600 /usr/share/opensearch/config/*.pem
          cp -r /usr/share/opensearch/plugins/opensearch-security/securityconfig/..data/* /usr/share/opensearch/config/opensearch-security/

extraObjects:
  - apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: "opensearch-data"
    spec:
      storageClassName: "local-storage"
      capacity:
        storage: 50Gi
      volumeMode: Filesystem
      accessModes:
        - ReadWriteMany
      local:
        path: /opt/nsp/volumes
      nodeAffinity:
        required:
          nodeSelectorTerms:
            - matchExpressions:
                - key: opensearch
                  operator: In
                  values:
                    - "true"

  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: "opensearch-data"
      labels:
        app: opensearch
        release: "opensearch"
        heritage: "Helm"
    spec:
      storageClassName: "local-storage"
      accessModes:
        - ReadWriteMany
      volumeName: "opensearch-data"
      resources:
        requests:
          storage: 50Gi

The config looks the same as the first post.