OpenSearch Security Access Control

NetApp announces intent to acquire Instaclustr Read the announcement

Documentation

Security Access Control

The Security plugin is enabled for all Instaclustr managed OpenSearch clusters. It gives richer access control as well as TLS for both transport and rest ports. Hence when using clients including cURL, java, python or C# to use OpenSearch REST API, you will need to specify the CA files(cluster-ca-certificate.pem, truststore.jks). The following are few API examples calls

Create User:

The following cURL command shows you how to create a user with username my_user and password ChangeMe. Make sure to change cluster-ca-certificate.pem to your own path for the CA file you downloaded from the connection info page.


curl -X PUT -u icopensearch:&lt;Password&gt; --cacert cluster-ca-certificate.pem https://54.147.117.149:9200/_plugins/_security/api/internalusers/my_user -H 'Content-Type: application/json' -d'
{
    "password": "my_password",
    "backend_roles": [],
    "attributes": {}
}'

curl -X PUT -u icopensearch:<Password> --cacert cluster-ca-certificate.pem https://54.147.117.149:9200/_plugins/_security/api/internalusers/my_user -H 'Content-Type: application/json' -d'

{

"password": "my_password",

"backend_roles": [],

"attributes": {}


curl -X PUT -u icopensearch:&lt;Password&gt; --cacert cluster-ca-certificate.pem https://54.147.117.149:9200/_plugins/_security/api/internalusers/my_user -H 'Content-Type: application/json' -d'
{
    "password": "my_new_password"
}'

curl -X PUT -u icopensearch:<Password> --cacert cluster-ca-certificate.pem https://54.147.117.149:9200/_plugins/_security/api/internalusers/my_user -H 'Content-Type: application/json' -d'

{

"password": "my_new_password"

Create Role:

The following cURL command shows you how to add a new role named my_role. You can specify what index the role has access to with index_permissions.index_patterns and what action is allowed with index_permissions.allowed_actions.

curl -X PUT -u icelasticsearch:&lt;Password&gt; --cacert cluster-ca-certificate.pem https://35.170.174.172:9200/_plugins/_security/api/roles/my_role -H 'Content-Type: application/json' -d'
 
'{
 
  "cluster_permissions": [
 
    "cluster_composite_ops",
 
    "indices_monitor"
 
  ],
 
  "index_permissions": [{
 
    "index_patterns": [
 
      "*"
 
    ],
 
    "dls": "",
 
    "fls": [],
 
    "masked_fields": [],
 
    "allowed_actions": [
 
      "read"
 
    ]
 
  }],
 
}'

curl -X PUT -u icelasticsearch:<Password> --cacert cluster-ca-certificate.pem https://35.170.174.172:9200/_plugins/_security/api/roles/my_role -H 'Content-Type: application/json' -d'

"cluster_permissions": [

"cluster_composite_ops",

"indices_monitor"

"index_permissions": [{

"index_patterns": [

"*"

"dls": "",

"fls": [],

"masked_fields": [],

"allowed_actions": [

"read"

]

}],

Create Role Mapping:

The following cURL command shows you how to map the role my_role we created above to the user we created in the previous example.

curl -X PUT -u icelasticsearch:&lt;Password&gt; --cacert cluster-ca-certificate.pem https://35.170.174.172:9200/_plugins/_security/api/rolesmapping/my_role -H 'Content-Type: application/json' -d'

{

    "users" : [ "my_user" ]

}'

curl -X PUT -u icelasticsearch:<Password> --cacert cluster-ca-certificate.pem https://35.170.174.172:9200/_plugins/_security/api/rolesmapping/my_role -H 'Content-Type: application/json' -d'

{

"users" : [ "my_user" ]

By Instaclustr Support

Previous Article OpenSearch Connecting to a Cluster Next Article OpenSearch Dashboards

Need Support?

Learn More

Experiencing difficulties on the website or console?

Status page for known incidents

Already have an account?

Need help with your cluster?

Contact Support

Why sign up?

To experience the ease of creating and managing clusters via the Instaclustr Console

Spin up a cluster in minutes

Free Trial