Getting started with OpenSearch security

The demo configuration is the most straightforward way to get started with OpenSearch security. OpenSearch comes bundled with a number of useful scripts, including install_demo_configuration.sh (or install_demo_configuration.bat for Windows).

This script is located in plugins/opensearch-security/tools and performs the following actions:

  • Creates demo certificates for TLS encryption on both the transport and REST layers.
  • Configures demo users, roles, and role mappings.
  • Configures the Security plugin to use an internal database for authentication and authorization.
  • Updates the opensearch.yml file with the basic configuration needed to start the cluster.

You can find more information about the demo configuration and how to quickly get started at Setting up a demo configuration.

Certain aspects of this configuration, such as demo certificates and default passwords, should never be used in production. These parts of the demo configuration should be replaced with your custom information before proceeding to production.

Setting up the demo configuration

Prior to running the install_demo_configuration.sh script, you must create an environment variable named OPENSEARCH_INITIAL_ADMIN_PASSWORD with a strong password. This will be used as the password for the admin user to authenticate with OpenSearch. Use the online tool Zxcvbn to test the strength of any password. After this, you can execute install_demo_configuration.sh and follow the terminal prompt to enter necessary details.

After the script is executed, you can start OpenSearch and test the configuration by running the following command:

  1. curl -k -XGET -u admin:<password> https://<opensearch-ip>:9200

copy

You should see output similar to the following:

  1. {
  2. "name" : "smoketestnode",
  3. "cluster_name" : "opensearch",
  4. "cluster_uuid" : "0a5DYAk0Rbi14wqT3TqMiQ",
  5. "version" : {
  6. "distribution" : "opensearch",
  7. "number" : "2.13.0",
  8. "build_type" : "tar",
  9. "build_hash" : "7ec678d1b7c87d6e779fdef94e33623e1f1e2647",
  10. "build_date" : "2024-03-26T00:04:51.025238748Z",
  11. "build_snapshot" : false,
  12. "lucene_version" : "9.10.0",
  13. "minimum_wire_compatibility_version" : "7.10.0",
  14. "minimum_index_compatibility_version" : "7.0.0"
  15. },
  16. "tagline" : "The OpenSearch Project: https://opensearch.org/"
  17. }

Setting up OpenSearch Dashboards

In order to quickly get started with OpenSearch Dashboards, you can add the following configuration to opensearch_dashboards.yml:

  1. opensearch.hosts: [https://localhost:9200]
  2. opensearch.ssl.verificationMode: none
  3. opensearch.username: kibanaserver
  4. opensearch.password: kibanaserver
  5. opensearch.requestHeadersWhitelist: [authorization, securitytenant]
  6. opensearch_security.multitenancy.enabled: true
  7. opensearch_security.multitenancy.tenants.preferred: [Private, Global]
  8. opensearch_security.readonly_mode.roles: [kibana_read_only]
  9. # Use this setting if you are running opensearch-dashboards without https
  10. opensearch_security.cookie.secure: false

copy

You can start the binary or service, depending on which method was used to install OpenSearch and OpenSearch Dashboards.

When using binary, you need to supply --no-base-path to yarn start command to set a URL without a base path. If this is not set, a random three-letter base path will be added.

After starting OpenSearch Dashboards, you should see the following two log lines:

  1. [info][listening] Server running at http://localhost:5601
  2. [info][server][OpenSearchDashboards][http] http server running at http://localhost:5601

copy

You can now access OpenSearch Dashboards using http://localhost:5601 in your browser. Use the username admin and the password that was configured in the OPENSEARCH_INITIAL_ADMIN_PASSWORD environment variable.

Adding users

There are three ways to add users, roles, and other security-related configurations:

  • Updating appropriate configuration files (internal_users.yml for adding/updating/removing users)
  • Using the API
  • Using the OpenSearch Dashboards UI

Security configuration files are located in the config/opensearch-security directory.

You can add an OpenSearch Dashboards user by updating the internal_users.yml file with the following settings:

  1. test-user:
  2. hash: "$2y$12$CkxFoTAJKsZaWv/m8VoZ6ePG3DBeBTAvoo4xA2P21VCS9w2RYumsG"
  3. backend_roles:
  4. - "test-backend-role"
  5. - "kibanauser"
  6. description: "test user user"

copy

The hash string is generated using the hash.sh script located in the plugins/opensearch-security/tools/ directory. In this case, the hash of the string secretpassword was used.

Note the use of the built-in backend role kibanauser, which provides the user permissions needed to navigate OpenSearch Dashboards.

Creating roles

Roles contained in roles.yml use the following structure:

  1. <rolename>:
  2. cluster_permissions:
  3. - <cluster permission>
  4. index_permissions:
  5. - index_patterns:
  6. - <index pattern>
  7. allowed_actions:
  8. - <index permissions>

copy

Using this structure, you can configure a new role to provide access to specific indexes, such as the role configured in the following example:

  1. human_resources:
  2. index_permissions:
  3. - index_patterns:
  4. - "humanresources"
  5. allowed_actions:
  6. - "READ"

copy

Note that the cluster permissions are not listed in this example because these are provided by the built-in role kibana_user, which is already mapped using the kibanauser backend role.

Mapping users to roles

When a user logs in to OpenSearch, they need to be mapped to the appropriate role in order to obtain the correct permissions. This mapping is performed using the roles_mapping.yml file with the following structure:

  1. <role_name>:
  2. users:
  3. - <username>
  4. - ...
  5. backend_roles:
  6. - <rolename>

copy

In order to map the newly created user test-user to the role human_resources, you can use the following configuration in the roles_mapping.yml file:

  1. human_resources:
  2. backend_roles:
  3. - test-backend-role

copy

As an additional example, the roles_mappings.yml file includes the backend role kibanauser that has been mapped to the kibana_user role:

  1. kibana_user:
  2. reserved: false
  3. backend_roles:
  4. - "kibanauser"
  5. description: "Maps kibanauser to kibana_user"

copy

Uploading the configuration to a security index

The final step in configuring a user, role, or any other security configuration is uploading it to a OpenSearch security index. Only updating the files, without uploading them, will not change the configuration of an already running OpenSearch cluster.

To upload a configuration, the following command can be used with the admin certificate that was generated during install_demo_configuration.sh execution:

  1. ./plugins/opensearch-security/tools/securityadmin.sh -cd "config/opensearch-security" -icl -key "../kirk-key.pem" -cert "../kirk.pem" -cacert "../root-ca.pem" -nhnv

copy

Next steps

The Best practices for OpenSearch security guide covers 10 things to consider when getting started with OpenSearch security.

The Security configuration overview provides the basic steps for setting up security in your OpenSearch implementation and includes links to information about customizing security for your business needs.