Incoming requests to Elasticsearch are considered to beanonymous if no authentication token can be extracted from the incoming request. By default, anonymous requests are rejected and an authentication error is returned (status code401).

To enable anonymous access, you assign one or more roles to anonymous users in theelasticsearch.yml configuration file. For example, the following configuration assigns anonymous usersrole1 androle2:

xpack.security.authc:  anonymous:    username: anonymous_user    roles: role1, role2    authz_exception: true

1. The username/principal of the anonymous user. Defaults to_es_anonymous_user if not specified.
2. The roles to associate with the anonymous user. If no roles are specified, anonymous access is disabled—anonymous requests will be rejected and return an authentication error.
3. Whentrue, a 403 HTTP status code is returned if the anonymous user does not have the permissions needed to perform the requested action and the user will NOT be prompted to provide credentials to access the requested resource. Whenfalse, a 401 HTTP status code is returned if the anonymous user does not have the necessary permissions and the user is prompted for credentials to access the requested resource. If you are using anonymous access in combination with HTTP, you might need to setauthz_exception tofalse if your client does not support preemptive basic authentication. Defaults totrue.