Authenticated user inherits anonymous user's roles?

We rolled out X-Pack to our Elasticsearch cluster after users were already actively using it. In order to lessen the burden on our end users, we approached the introduction of X-Pack as follows:

  1. Enable the anonymous user with heightened privileges in the lower environments, which would allow the end users to continue to use the app without requiring any changes on their side.
  2. Configure Authentication and RBAC
  3. Work with end users to utilize credentials with potentially fewer privileges than the heightened anonymous user
  4. Verify access controls with new user credentials
  5. Disable anonymous access

However, in testing out this approach, we discovered that authenticated user privileges are a union of the authenticated user and the anonymous user. This prevents us from discovering any privilege issues until we disable the anonymous user.

Is this the expected behavior of combining anonymous and authenticated users? Is there a more graceful approach to rolling out and working through authorization requirements?

Yes. For most users, it would be very confusing if they lost access rights by logging in, relative to what they had when they were unauthenticated.
The anonymous role should be understood more like a public role than an unauthenticated role.

I don't have any great suggestions for you I'm afraid. If you're on a platinum license, then you might be able to get the result you want through a custom realm, but that's the only idea I can come up with for your situation.
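As an added illustration (not code from this thread, and not Elastic's implementation), the following Python model reproduces the union behaviour described above: it flattens role definitions written in the shape of the Elasticsearch role API into concrete per-index grants and reports which grants a test user holds only through the anonymous roles, which is exactly the set that would disappear once anonymous access is disabled. The role names, index names and the `ROLES` table are constructed assumptions, and real Elasticsearch pattern matching is approximated here with glob matching.

```python
"""Constructed model of how an authenticated user's roles are unioned with the
anonymous roles (the roles listed under xpack.security.authc.anonymous.roles),
and of which privileges would be lost when anonymous access is disabled."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role definitions in the shape of the Elasticsearch role API:
# cluster privileges plus per-index-pattern privileges. Names are made up.
ROLES: Dict[str, dict] = {
    "anon_public": {  # assumed to be the heightened anonymous role
        "cluster": ["monitor"],
        "indices": [{"names": ["logs-*", "metrics-*"],
                     "privileges": ["read", "view_index_metadata"]}],
    },
    "app_reader": {  # assumed to be the narrower role given to a real user
        "cluster": [],
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
    },
}

# Constructed concrete index names that the patterns are resolved against.
INDICES: List[str] = ["logs-app-2024", "metrics-host-2024", "orders-2024"]

# A grant is (target, privilege); target is "cluster" or a concrete index name.
Grant = Tuple[str, str]


def grants_for_roles(roles: Iterable[str], indices: List[str] = INDICES) -> Set[Grant]:
    """Flatten role names into concrete grants, expanding index patterns with glob matching."""
    grants: Set[Grant] = set()
    for role in roles:
        definition = ROLES[role]
        for priv in definition.get("cluster", []):
            grants.add(("cluster", priv))
        for entry in definition.get("indices", []):
            for index in indices:
                if any(fnmatchcase(index, pattern) for pattern in entry["names"]):
                    for priv in entry["privileges"]:
                        grants.add((index, priv))
    return grants


def effective_grants(user_roles: List[str], anonymous_roles: List[str],
                     anonymous_enabled: bool = True) -> Set[Grant]:
    """While anonymous access is enabled, an authenticated user gets the union of both role sets."""
    grants = grants_for_roles(user_roles)
    if anonymous_enabled:
        grants |= grants_for_roles(anonymous_roles)
    return grants


def grants_lost_when_anonymous_disabled(user_roles: List[str], anonymous_roles: List[str]) -> Set[Grant]:
    """Grants the user holds only via the anonymous roles: what breaks once anonymous access is off."""
    return (effective_grants(user_roles, anonymous_roles, True)
            - effective_grants(user_roles, anonymous_roles, False))
```

Running `grants_lost_when_anonymous_disabled(["app_reader"], ["anon_public"])` on the constructed data shows the `monitor` cluster privilege and all `metrics-*` access vanishing, which is the kind of gap the original rollout plan could not surface until step 5.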
