We rolled out X-Pack to our Elasticsearch cluster after users were already actively using it. In order to lessen the burden on our end users, we approached the introduction of X-Pack as follows:
- Enable the anonymous user with heightened privileges in the lower environments, which would allow the end users to continue to use the app without requiring any changes on their side.
- Configure Authentication and RBAC
- Work with end users to utilize credentials with potentially fewer privileges than the heightened anonymous user
- Verify access controls with new user credentials
- Disable anonymous access

However, in testing out this approach, we discovered that authenticated user privileges are a union of the authenticated user and the anonymous user. This prevents us from discovering any privilege issues until we disable the anonymous user.

Is this the expected behavior of combining anonymous and authenticated users? Is there a more graceful approach to rolling out and working through authorization requirements?
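
An offline way to see which requests succeed only because of the anonymous roles, given the union behaviour described in the post above. This is an added example, not part of the original post or Elastic's code; the role names, grants and observed requests are constructed, and privilege matching is simplified to exact privilege names with wildcard index patterns.

```python
from fnmatch import fnmatchcase

# Constructed role definitions (hypothetical names), shaped like the
# "indices" section of a role: index name patterns plus privileges.
ROLES = {
    "anon_legacy": [{"names": ["*"], "privileges": ["read", "write"]}],
    "app_reader": [{"names": ["logs-*"], "privileges": ["read"]}],
    "app_writer": [{"names": ["orders"], "privileges": ["read", "write"]}],
}


def allowed(role_names, index, privilege):
    """True if any listed role grants `privilege` on `index` (union of roles)."""
    for role in role_names:
        for grant in ROLES.get(role, []):
            if privilege in grant["privileges"] and any(
                fnmatchcase(index, pattern) for pattern in grant["names"]
            ):
                return True
    return False


def anonymous_dependent(user_roles, anonymous_roles, requests):
    """Return requests that pass today only because of the anonymous roles."""
    gaps = []
    for index, privilege in requests:
        combined = list(user_roles) + list(anonymous_roles)
        works_today = allowed(combined, index, privilege)
        works_alone = allowed(user_roles, index, privilege)
        if works_today and not works_alone:
            gaps.append((index, privilege))
    return gaps


# Constructed sample: (index, privilege) pairs observed for one application.
OBSERVED = [
    ("logs-2024.01", "read"),
    ("logs-2024.01", "write"),
    ("orders", "read"),
    ("metrics", "read"),
]

if __name__ == "__main__":
    for index, privilege in anonymous_dependent(["app_reader"], ["anon_legacy"], OBSERVED):
        print(f"app_reader alone lacks {privilege} on {index}")
```

Each reported pair is a request that would start failing when anonymous access is disabled, so it can be resolved with the application owner beforehand.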