Security Access Control
The Security plugin is enabled for all Instaclustr managed OpenSearch clusters. It provides richer access control as well as TLS for both the transport and REST ports. Hence, when using clients such as cURL, Java, Python or C# to call the OpenSearch REST API, you will need to specify the CA files (cluster-ca-certificate.pem, truststore.jks). The following are a few example API calls.
Create User:
The following cURL command shows you how to create a user with username my_user and password ChangeMe. Make sure to change cluster-ca-certificate.pem to your own path for the CA file you downloaded from the connection info page.
```bash
curl -X PUT -u icopensearch:<Password> --cacert cluster-ca-certificate.pem \
  https://54.147.117.149:9200/_plugins/_security/api/internalusers/my_user \
  -H 'Content-Type: application/json' -d'
{
  "password": "my_password",
  "backend_roles": [],
  "attributes": {}
}'
```
To change the user's password, send a PUT request to the same endpoint with the new password:
```bash
curl -X PUT -u icopensearch:<Password> --cacert cluster-ca-certificate.pem \
  https://54.147.117.149:9200/_plugins/_security/api/internalusers/my_user \
  -H 'Content-Type: application/json' -d'
{
  "password": "my_new_password"
}'
```
Create Role:
The following cURL command shows you how to add a new role named my_role. You can specify which indices the role has access to with index_permissions.index_patterns and which actions are allowed with index_permissions.allowed_actions.
```bash
curl -X PUT -u icopensearch:<Password> --cacert cluster-ca-certificate.pem \
  https://35.170.174.172:9200/_plugins/_security/api/roles/my_role \
  -H 'Content-Type: application/json' -d'
{
  "cluster_permissions": [
    "cluster_composite_ops",
    "indices_monitor"
  ],
  "index_permissions": [{
    "index_patterns": [
      "*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }]
}'
```
Create Role Mapping:
The following cURL command shows you how to map the role my_role we created above to the user we created in the previous example.
```bash
curl -X PUT -u icopensearch:<Password> --cacert cluster-ca-certificate.pem \
  https://35.170.174.172:9200/_plugins/_security/api/rolesmapping/my_role \
  -H 'Content-Type: application/json' -d'
{
  "users" : [
    "my_user"
  ]
}'
```
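The three calls above as a Python client, added here as an example (it is not Instaclustr's code): it builds the user, role and role-mapping requests in order, trusts only the downloaded cluster CA when sending, and flags wildcard grants such as the "*" index pattern used in the role above. The function names and the warning wording are assumptions made for this illustration.

```python
import base64
import json
import ssl
import urllib.request

API = "/_plugins/_security/api"  # Security plugin REST prefix used on this page

def put_request(base_url, path, body, admin_user, admin_password):
    """Build (without sending) an authenticated PUT for the Security API."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}{API}/{path}",
        data=json.dumps(body).encode(),  # serialised, so the JSON is always valid
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )

def role_warnings(role):
    """Flag wildcard grants in a role body (added least-privilege check)."""
    warnings = []
    for i, perm in enumerate(role.get("index_permissions", [])):
        if "*" in perm.get("index_patterns", []):
            warnings.append(f"index_permissions[{i}]: matches every index")
        if "*" in perm.get("allowed_actions", []):
            warnings.append(f"index_permissions[{i}]: allows every action")
    if "*" in role.get("cluster_permissions", []):
        warnings.append("cluster_permissions: allows every cluster action")
    return warnings

def provision(base_url, admin_user, admin_password, user, password, role_name, role):
    """Return the three PUTs in the order the page runs them."""
    steps = [
        (f"internalusers/{user}", {"password": password, "backend_roles": [], "attributes": {}}),
        (f"roles/{role_name}", role),
        (f"rolesmapping/{role_name}", {"users": [user]}),
    ]
    return [put_request(base_url, p, b, admin_user, admin_password) for p, b in steps]

def send(request, ca_file):
    """Send one request, trusting only the CA file from the connection info page."""
    ctx = ssl.create_default_context(cafile=ca_file)  # certificate checks stay on
    with urllib.request.urlopen(request, context=ctx) as resp:
        return resp.status, json.load(resp)

if __name__ == "__main__":
    # Constructed sample: the role body from this page, with its "*" index pattern.
    role = {"cluster_permissions": ["cluster_composite_ops", "indices_monitor"],
            "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["read"]}]}
    print(role_warnings(role))
```

Run `role_warnings` on a role body before passing the requests from `provision` to `send`, and narrow `index_patterns` when it reports a wildcard the user does not need.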