API

The Security plugin REST API lets you programmatically create and manage users, roles, role mappings, action groups, and tenants.



Access control for the API

Just like OpenSearch permissions, you control access to the Security plugin REST API using roles. Specify roles in opensearch.yml:

  1. plugins.security.restapi.roles_enabled: ["<role>", ...]

copy

If you’re working with APIs that manage Distinguished names or Certificates that require super admin access, enable the REST API admin configuration in your opensearch.yml file as shown in the following setting example:

  1. plugins.security.restapi.admin.enabled: true

copy

These roles can now access all APIs. To prevent access to certain APIs:

  1. plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...]

copy

Roles also allow you to control access to specific REST APIs. You can add individual or multiple cluster permissions to a role and grant users access to associated APIs when they are mapped to the role. The following list of cluster permissions includes the endpoints that correspond to the Security REST APIs:

PermissionAPIs grantedDescription
restapi:admin/actiongroups/actiongroup and /actiongroupsPermission to get, delete, create, and patch actions groups (including bulk updates).
restapi:admin/allowlist/allowlistPermission to add any endpoints and HTTP requests to a list of allowed endpoints and requests.
restapi:admin/internalusers/internaluser and /userPermission to add, retrieve, modify, and delete any user in the cluster.
restapi:admin/nodesdn/nodesdnPermission to add, retrieve, update, or delete any distinguished names from an allow list and enable communication between clusters and/or nodes.
restapi:admin/roles/rolesPermission to add, retrieve, modify, and delete any roles in the cluster.
restapi:admin/rolesmapping/rolesmappingPermission to add, retrieve, modify, and delete any roles-mapping.
restapi:admin/ssl/certs/info/ssl/certs/infoPermission to view current Transport and HTTP certificates.
restapi:admin/ssl/certs/reload/ssl/certs/reloadPermission to view reload Transport and HTTP certificates.
restapi:admin/tenants/tenantsPermission to get, delete, create, and patch tenants.

Possible values for endpoint are:

  • ACTIONGROUPS
  • ROLES
  • ROLESMAPPING
  • INTERNALUSERS
  • CONFIG
  • CACHE
  • SYSTEMINFO
  • NODESDN
  • SSL

Possible values for method are:

  • GET
  • PUT
  • POST
  • DELETE
  • PATCH

For example, the following configuration grants three roles access to the REST API, but then prevents test-role from making PUT, POST, DELETE, or PATCH requests to _plugins/_security/api/roles or _plugins/_security/api/internalusers:

  1. plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "test-role"]
  2. plugins.security.restapi.endpoints_disabled.test-role.ROLES: ["PUT", "POST", "DELETE", "PATCH"]
  3. plugins.security.restapi.endpoints_disabled.test-role.INTERNALUSERS: ["PUT", "POST", "DELETE", "PATCH"]

copy

To use the PUT and PATCH methods for the configuration APIs, add the following line to opensearch.yml:

  1. plugins.security.unsupported.restapi.allow_securityconfig_modification: true

copy

Reserved and hidden resources

You can mark users, role, role mappings, and action groups as reserved. Resources that have this flag set to true can’t be changed using the REST API or OpenSearch Dashboards.

To mark a resource as reserved, add the following flag:

  1. kibana_user:
  2. reserved: true

copy

Likewise, you can mark users, role, role mappings, and action groups as hidden. Resources that have this flag set to true are not returned by the REST API and not visible in OpenSearch Dashboards:

  1. kibana_user:
  2. hidden: true

copy

Hidden resources are automatically reserved.

To add or remove these flags, modify config/opensearch-security/internal_users.yml and run plugins/opensearch-security/tools/securityadmin.sh.


Account

Get account details

Introduced 1.0

Returns account details for the current user. For example, if you sign the request as the admin user, the response includes details for that user.

Request

  1. GET _plugins/_security/api/account

copy

Example response

  1. {
  2. "user_name": "admin",
  3. "is_reserved": true,
  4. "is_hidden": false,
  5. "is_internal_user": true,
  6. "user_requested_tenant": null,
  7. "backend_roles": [
  8. "admin"
  9. ],
  10. "custom_attribute_names": [],
  11. "tenants": {
  12. "global_tenant": true,
  13. "admin_tenant": true,
  14. "admin": true
  15. },
  16. "roles": [
  17. "all_access",
  18. "own_index"
  19. ]
  20. }

Change password

Introduced 1.0

Changes the password for the current user.

Path and HTTP methods

  1. PUT _plugins/_security/api/account

copy

Request body fields

FieldData typeDescriptionRequired
current_passwordStringThe current password.Yes
passwordStringThe new password to set.Yes
Example request
  1. PUT _plugins/_security/api/account
  2. {
  3. "current_password": "old-password",
  4. "password": "new-password"
  5. }

copy

Example response
  1. {
  2. "status": "OK",
  3. "message": "'test-user' updated."
  4. }

Response body fields

FieldData typeDescription
statusStringThe status of the operation.
messageStringA descriptive message.

Action groups

Get action group

Introduced 1.0

Retrieves one action group.

  1. GET _plugins/_security/api/actiongroups/<action-group>

copy

Request

  1. GET _plugins/_security/api/actiongroups/custom_action_group

copy

Example response

  1. {
  2. "custom_action_group": {
  3. "reserved": false,
  4. "hidden": false,
  5. "allowed_actions": [
  6. "kibana_all_read",
  7. "indices:admin/aliases/get",
  8. "indices:admin/aliases/exists"
  9. ],
  10. "description": "My custom action group",
  11. "static": false
  12. }
  13. }

Get action groups

Introduced 1.0

Retrieves all action groups.

Request

  1. GET _plugins/_security/api/actiongroups/

copy

Example response

  1. {
  2. "read": {
  3. "reserved": true,
  4. "hidden": false,
  5. "allowed_actions": [
  6. "indices:data/read*",
  7. "indices:admin/mappings/fields/get*",
  8. "indices:admin/resolve/index"
  9. ],
  10. "type": "index",
  11. "description": "Allow all read operations",
  12. "static": true
  13. },
  14. "cluster_all": {
  15. "reserved": true,
  16. "hidden": false,
  17. "allowed_actions": [
  18. "cluster:*"
  19. ],
  20. "type": "cluster",
  21. "description": "Allow everything on cluster level",
  22. "static": true
  23. },
  24. ...
  25. }

Delete action group

Introduced 1.0

Request

  1. DELETE _plugins/_security/api/actiongroups/<action-group>

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"actiongroup SEARCH deleted."
  4. }

Create action group

Introduced 1.0

Creates or replaces the specified action group.

Request

  1. PUT _plugins/_security/api/actiongroups/<action-group>
  2. {
  3. "allowed_actions": [
  4. "indices:data/write/index*",
  5. "indices:data/write/update*",
  6. "indices:admin/mapping/put",
  7. "indices:data/write/bulk*",
  8. "read",
  9. "write"
  10. ]
  11. }

copy

Example response

  1. {
  2. "status": "CREATED",
  3. "message": "'my-action-group' created."
  4. }

Patch action group

Introduced 1.0

Updates individual attributes of an action group.

Request

  1. PATCH _plugins/_security/api/actiongroups/<action-group>
  2. [
  3. {
  4. "op": "replace", "path": "/allowed_actions", "value": ["indices:admin/create", "indices:admin/mapping/put"]
  5. }
  6. ]

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"actiongroup SEARCH deleted."
  4. }

Patch action groups

Introduced 1.0

Creates, updates, or deletes multiple action groups in a single call.

Request

  1. PATCH _plugins/_security/api/actiongroups
  2. [
  3. {
  4. "op": "add", "path": "/CREATE_INDEX", "value": { "allowed_actions": ["indices:admin/create", "indices:admin/mapping/put"] }
  5. },
  6. {
  7. "op": "remove", "path": "/CRUD"
  8. }
  9. ]

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"actiongroup SEARCH deleted."
  4. }

Users

These calls let you create, update, and delete internal users. If you use an external authentication backend, you probably don’t need to worry about internal users.

Get user

Introduced 1.0

Request

  1. GET _plugins/_security/api/internalusers/<username>

copy

Example response

  1. {
  2. "kirk": {
  3. "hash": "",
  4. "roles": [ "captains", "starfleet" ],
  5. "attributes": {
  6. "attribute1": "value1",
  7. "attribute2": "value2",
  8. }
  9. }
  10. }

Get users

Introduced 1.0

Request

  1. GET _plugins/_security/api/internalusers/

copy

Example response

  1. {
  2. "kirk": {
  3. "hash": "",
  4. "roles": [ "captains", "starfleet" ],
  5. "attributes": {
  6. "attribute1": "value1",
  7. "attribute2": "value2",
  8. }
  9. }
  10. }

Delete user

Introduced 1.0

Request

  1. DELETE _plugins/_security/api/internalusers/<username>

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"user kirk deleted."
  4. }

Create user

Introduced 1.0

Creates or replaces the specified user. You must specify either password (plain text) or hash (the hashed user password). If you specify password, the Security plugin automatically hashes the password before storing it.

Note that any role you supply in the opendistro_security_roles array must already exist for the Security plugin to map the user to that role. To see predefined roles, refer to the list of predefined roles. For instructions on how to create a role, refer to creating a role.

Request

  1. PUT _plugins/_security/api/internalusers/<username>
  2. {
  3. "password": "kirkpass",
  4. "opendistro_security_roles": ["maintenance_staff", "database_manager"],
  5. "backend_roles": ["role 1", "role 2"],
  6. "attributes": {
  7. "attribute1": "value1",
  8. "attribute2": "value2"
  9. }
  10. }

copy

Example response

  1. {
  2. "status":"CREATED",
  3. "message":"User kirk created"
  4. }

Patch user

Introduced 1.0

Updates individual attributes of an internal user.

Request

  1. PATCH _plugins/_security/api/internalusers/<username>
  2. [
  3. {
  4. "op": "replace", "path": "/backend_roles", "value": ["klingons"]
  5. },
  6. {
  7. "op": "replace", "path": "/opendistro_security_roles", "value": ["ship_manager"]
  8. },
  9. {
  10. "op": "replace", "path": "/attributes", "value": { "newattribute": "newvalue" }
  11. }
  12. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'kirk' updated."
  4. }

Patch users

Introduced 1.0

Creates, updates, or deletes multiple internal users in a single call.

Request

  1. PATCH _plugins/_security/api/internalusers
  2. [
  3. {
  4. "op": "add", "path": "/spock", "value": { "password": "testpassword1", "backend_roles": ["testrole1"] }
  5. },
  6. {
  7. "op": "add", "path": "/worf", "value": { "password": "testpassword2", "backend_roles": ["testrole2"] }
  8. },
  9. {
  10. "op": "remove", "path": "/riker"
  11. }
  12. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "Resource updated."
  4. }

Roles

Get role

Introduced 1.0

Retrieves one role.

Request

  1. GET _plugins/_security/api/roles/<role>

copy

Example response

  1. {
  2. "test-role": {
  3. "reserved": false,
  4. "hidden": false,
  5. "cluster_permissions": [
  6. "cluster_composite_ops",
  7. "indices_monitor"
  8. ],
  9. "index_permissions": [{
  10. "index_patterns": [
  11. "movies*"
  12. ],
  13. "dls": "",
  14. "fls": [],
  15. "masked_fields": [],
  16. "allowed_actions": [
  17. "read"
  18. ]
  19. }],
  20. "tenant_permissions": [{
  21. "tenant_patterns": [
  22. "human_resources"
  23. ],
  24. "allowed_actions": [
  25. "kibana_all_read"
  26. ]
  27. }],
  28. "static": false
  29. }
  30. }

Get roles

Introduced 1.0

Retrieves all roles.

Request

  1. GET _plugins/_security/api/roles/

copy

Example response

  1. {
  2. "manage_snapshots": {
  3. "reserved": true,
  4. "hidden": false,
  5. "description": "Provide the minimum permissions for managing snapshots",
  6. "cluster_permissions": [
  7. "manage_snapshots"
  8. ],
  9. "index_permissions": [{
  10. "index_patterns": [
  11. "*"
  12. ],
  13. "fls": [],
  14. "masked_fields": [],
  15. "allowed_actions": [
  16. "indices:data/write/index",
  17. "indices:admin/create"
  18. ]
  19. }],
  20. "tenant_permissions": [],
  21. "static": true
  22. },
  23. ...
  24. }

Delete role

Introduced 1.0

Request

  1. DELETE _plugins/_security/api/roles/<role>

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"role test-role deleted."
  4. }

Create role

Introduced 1.0

Creates or replaces the specified role.

Request

  1. PUT _plugins/_security/api/roles/<role>
  2. {
  3. "cluster_permissions": [
  4. "cluster_composite_ops",
  5. "indices_monitor"
  6. ],
  7. "index_permissions": [{
  8. "index_patterns": [
  9. "movies*"
  10. ],
  11. "dls": "",
  12. "fls": [],
  13. "masked_fields": [],
  14. "allowed_actions": [
  15. "read"
  16. ]
  17. }],
  18. "tenant_permissions": [{
  19. "tenant_patterns": [
  20. "human_resources"
  21. ],
  22. "allowed_actions": [
  23. "kibana_all_read"
  24. ]
  25. }]
  26. }

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'test-role' updated."
  4. }

Due to word boundaries associated with Unicode special characters, the Unicode standard analyzer cannot index a text field type value as a whole value when it includes one of these special characters. As a result, a text field value that includes a special character is parsed by the standard analyzer as multiple values separated by the special character, effectively tokenizing the different elements on either side of it.

For example, since the values in the fields "user.id": "User-1" and "user.id": "User-2" contain the hyphen/minus sign, this special character will prevent the analyzer from distinguishing between the two different users for user.id and interpret them as one and the same. This can lead to unintentional filtering of documents and potentially compromise control over their access.

To avoid this circumstance, you can use a custom analyzer or map the field as keyword, which performs an exact-match search. See Keyword field type for the latter option.

For a list of characters that should be avoided when field type is text, see Word Boundaries.

Patch role

Introduced 1.0

Updates individual attributes of a role.

Request

  1. PATCH _plugins/_security/api/roles/<role>
  2. [
  3. {
  4. "op": "replace", "path": "/index_permissions/0/fls", "value": ["myfield1", "myfield2"]
  5. },
  6. {
  7. "op": "remove", "path": "/index_permissions/0/dls"
  8. }
  9. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'<role>' updated."
  4. }

Patch roles

Introduced 1.0

Creates, updates, or deletes multiple roles in a single call.

Request

  1. PATCH _plugins/_security/api/roles
  2. [
  3. {
  4. "op": "replace", "path": "/role1/index_permissions/0/fls", "value": ["myfield*", "~myfield1"]
  5. },
  6. {
  7. "op": "remove", "path": "/role1/index_permissions/0/dls"
  8. },
  9. {
  10. "op": "add", "path": "/role2/cluster_permissions/-", "value": {
  11. "index_patterns": ["test_index"],
  12. "allowed_actions": ["indices:data/read/scroll/clear"]
  13. }
  14. }
  15. ]

copy

You can use - to insert a new permission to the end of the array of permissions.

Example response

  1. {
  2. "status": "OK",
  3. "message": "Resource updated."
  4. }

Role mappings

Get role mapping

Introduced 1.0

Retrieves one role mapping.

Request

  1. GET _plugins/_security/api/rolesmapping/<role>

copy

Example response

  1. {
  2. "role_starfleet" : {
  3. "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
  4. "hosts" : [ "*.starfleetintranet.com" ],
  5. "users" : [ "worf" ]
  6. }
  7. }

Get role mappings

Introduced 1.0

Retrieves all role mappings.

Request

  1. GET _plugins/_security/api/rolesmapping

copy

Example response

  1. {
  2. "role_starfleet" : {
  3. "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
  4. "hosts" : [ "*.starfleetintranet.com" ],
  5. "users" : [ "worf" ]
  6. }
  7. }

Delete role mapping

Introduced 1.0

Deletes the specified role mapping.

Request

  1. DELETE _plugins/_security/api/rolesmapping/<role>

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'my-role' deleted."
  4. }

Create role mapping

Introduced 1.0

Creates or replaces the specified role mapping.

Request

  1. PUT _plugins/_security/api/rolesmapping/<role>
  2. {
  3. "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
  4. "hosts" : [ "*.starfleetintranet.com" ],
  5. "users" : [ "worf" ]
  6. }

copy

Example response

  1. {
  2. "status": "CREATED",
  3. "message": "'my-role' created."
  4. }

Patch role mapping

Introduced 1.0

Updates individual attributes of a role mapping.

Request

  1. PATCH _plugins/_security/api/rolesmapping/<role>
  2. [
  3. {
  4. "op": "replace", "path": "/users", "value": ["myuser"]
  5. },
  6. {
  7. "op": "replace", "path": "/backend_roles", "value": ["mybackendrole"]
  8. }
  9. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'my-role' updated."
  4. }

Patch role mappings

Introduced 1.0

Creates or updates multiple role mappings in a single call.

Request

  1. PATCH _plugins/_security/api/rolesmapping
  2. [
  3. {
  4. "op": "add", "path": "/human_resources", "value": { "users": ["user1"], "backend_roles": ["backendrole2"] }
  5. },
  6. {
  7. "op": "add", "path": "/finance", "value": { "users": ["user2"], "backend_roles": ["backendrole2"] }
  8. }
  9. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "Resource updated."
  4. }

Allowlist

Get allowlist

Retrieves the current allowlist configuration.

Request

  1. GET _plugins/_security/api/allowlist

copy

Example response

  1. {
  2. "config" : {
  3. "enabled" : true,
  4. "requests" : {
  5. "/_cat/nodes" : [
  6. "GET"
  7. ],
  8. "/_cat/indices" : [
  9. "GET"
  10. ],
  11. "/_plugins/_security/whoami" : [
  12. "GET"
  13. ]
  14. }
  15. }
  16. }

Create allowlist

Creates an allowlist configuration.

Request

  1. PUT _plugins/_security/api/allowlist
  2. {
  3. "enabled": true,
  4. "requests": {
  5. "/_cat/nodes": ["GET"],
  6. "/_cat/indices": ["GET"],
  7. "/_plugins/_security/whoami": ["GET"]
  8. }
  9. }

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"'config' updated."
  4. }

Update allowlist

Updates an allowlist configuration.

Request

  1. PATCH _plugins/_security/api/allowlist
  2. [
  3. {
  4. "op": "add",
  5. "path": "/config/requests",
  6. "value": {
  7. "/_cat/nodes": ["POST"]
  8. }
  9. }
  10. ]

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"Resource updated."
  4. }

Tenants

Get tenant

Introduced 1.0

Retrieves one tenant.

Request

  1. GET _plugins/_security/api/tenants/<tenant>

copy

Example response

  1. {
  2. "human_resources": {
  3. "reserved": false,
  4. "hidden": false,
  5. "description": "A tenant for the human resources team.",
  6. "static": false
  7. }
  8. }

Get tenants

Introduced 1.0

Retrieves all tenants.

Request

  1. GET _plugins/_security/api/tenants/

copy

Example response

  1. {
  2. "global_tenant": {
  3. "reserved": true,
  4. "hidden": false,
  5. "description": "Global tenant",
  6. "static": true
  7. },
  8. "human_resources": {
  9. "reserved": false,
  10. "hidden": false,
  11. "description": "A tenant for the human resources team.",
  12. "static": false
  13. }
  14. }

Delete tenant

Introduced 1.0

Deletes the specified tenant.

Request

  1. DELETE _plugins/_security/api/tenants/<tenant>

copy

Example response

  1. {
  2. "status":"OK",
  3. "message":"tenant human_resources deleted."
  4. }

Create tenant

Introduced 1.0

Creates or replaces the specified tenant.

Request

  1. PUT _plugins/_security/api/tenants/<tenant>
  2. {
  3. "description": "A tenant for the human resources team."
  4. }

copy

Example response

  1. {
  2. "status":"CREATED",
  3. "message":"tenant human_resources created"
  4. }

Patch tenant

Introduced 1.0

Add, delete, or modify a single tenant.

Request

  1. PATCH _plugins/_security/api/tenants/<tenant>
  2. [
  3. {
  4. "op": "replace", "path": "/description", "value": "An updated description"
  5. }
  6. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "Resource updated."
  4. }

Patch tenants

Introduced 1.0

Add, delete, or modify multiple tenants in a single call.

Request

  1. PATCH _plugins/_security/api/tenants/
  2. [
  3. {
  4. "op": "replace",
  5. "path": "/human_resources/description",
  6. "value": "An updated description"
  7. },
  8. {
  9. "op": "add",
  10. "path": "/another_tenant",
  11. "value": {
  12. "description": "Another description."
  13. }
  14. }
  15. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "Resource updated."
  4. }

Configuration

Get configuration

Introduced 1.0

Retrieves the current Security plugin configuration in JSON format.

Request

  1. GET _plugins/_security/api/securityconfig

copy

Update configuration

Introduced 1.0

Creates or updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using securityadmin.sh instead, which is far safer. See Access control for the API for how to enable this operation.

Request

  1. PUT _plugins/_security/api/securityconfig/config
  2. {
  3. "dynamic": {
  4. "filtered_alias_mode": "warn",
  5. "disable_rest_auth": false,
  6. "disable_intertransport_auth": false,
  7. "respect_request_indices_options": false,
  8. "opensearch-dashboards": {
  9. "multitenancy_enabled": true,
  10. "server_username": "kibanaserver",
  11. "index": ".opensearch-dashboards"
  12. },
  13. "http": {
  14. "anonymous_auth_enabled": false
  15. },
  16. "authc": {
  17. "basic_internal_auth_domain": {
  18. "http_enabled": true,
  19. "transport_enabled": true,
  20. "order": 0,
  21. "http_authenticator": {
  22. "challenge": true,
  23. "type": "basic",
  24. "config": {}
  25. },
  26. "authentication_backend": {
  27. "type": "intern",
  28. "config": {}
  29. },
  30. "description": "Authenticate via HTTP Basic against internal users database"
  31. }
  32. },
  33. "auth_failure_listeners": {},
  34. "do_not_fail_on_forbidden": false,
  35. "multi_rolespan_enabled": true,
  36. "hosts_resolver_mode": "ip-only",
  37. "do_not_fail_on_forbidden_empty": false
  38. }
  39. }

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'config' updated."
  4. }

Patch configuration

Introduced 1.0

Updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using securityadmin.sh instead, which is far safer. See Access control for the API for how to enable this operation.

Before you can execute the operation, you must first add the following line to opensearch.yml:

  1. plugins.security.unsupported.restapi.allow_securityconfig_modification: true

copy

Request

  1. PATCH _plugins/_security/api/securityconfig
  2. [
  3. {
  4. "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
  5. }
  6. ]

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "Resource updated."
  4. }

Configuration upgrade check

Introduced 2.14

Checks the current configuration bundled with the host’s Security plugin and compares it to the version of the OpenSearch Security plugin the user downloaded. Then, the API responds indicating whether or not an upgrade can be performed and what resources can be updated.

With each new OpenSearch version, there are changes to the default security configuration. This endpoint helps cluster operators determine whether the cluster is missing defaults or has stale definitions of defaults.

Request

  1. GET _plugins/_security/api/_upgrade_check

copy

Example response

  1. {
  2. "status" : "OK",
  3. "upgradeAvailable" : true,
  4. "upgradeActions" : {
  5. "roles" : {
  6. "add" : [ "flow_framework_full_access" ]
  7. }
  8. }
  9. }

Response body fields

FieldData typeDescription
upgradeAvailableBooleanResponds with true when an upgrade to the security configuration is available.
upgradeActionsObject listA list of security objects that would be modified when upgrading the host’s Security plugin.

Configuration upgrade

Introduced 2.14

Adds and updates resources on a host’s existing security configuration from the configuration bundled with the latest version of the Security plugin.

These bundled configuration files can be found in the <OPENSEARCH_HOME>/security/config directory. Default configuration files are updated when OpenSearch is upgraded, whereas the cluster configuration is only updated by the cluster operators. This endpoint helps cluster operator upgrade missing defaults and stale default definitions.

Request

  1. POST _plugins/_security/api/_upgrade_perform
  2. {
  3. "configs" : [ "roles" ]
  4. }

copy

Request body fields

FieldData typeDescriptionRequired
configsArraySpecifies the configurations to be upgraded. This field can include any combination of the following configurations: actiongroups,allowlist, audit, internalusers, nodesdn, roles, rolesmappings, tenants.
Default is all supported configurations.
No

Example response

  1. {
  2. "status" : "OK",
  3. "upgrades" : {
  4. "roles" : {
  5. "add" : [ "flow_framework_full_access" ]
  6. }
  7. }
  8. }

Response body fields

FieldData typeDescription
upgradesObjectA container for the upgrade results, organized by configuration type, such as roles. Each changed configuration type will be represented as a key in this object.
rolesObjectContains a list of role-based action keys of objects modified by the upgrade.

Distinguished names

These REST APIs let a super admin (or a user with sufficient permissions to access this API) add, retrieve, update, or delete any distinguished names from an allow list to enable communication between clusters and/or nodes.

Before you can use the REST API to configure the allow list, you must first add the following line to opensearch.yml:

  1. plugins.security.nodes_dn_dynamic_config_enabled: true

copy

Get distinguished names

Retrieves all distinguished names in the allow list.

Request

  1. GET _plugins/_security/api/nodesdn

copy

Example response

  1. {
  2. "cluster1": {
  3. "nodes_dn": [
  4. "CN=cluster1.example.com"
  5. ]
  6. }
  7. }

To get the distinguished names from a specific cluster’s or node’s allow list, include the cluster’s name in the request path.

Request

  1. GET _plugins/_security/api/nodesdn/<cluster-name>

copy

Example response

  1. {
  2. "cluster3": {
  3. "nodes_dn": [
  4. "CN=cluster3.example.com"
  5. ]
  6. }
  7. }

Update distinguished names

Adds or updates the specified distinguished names in the cluster’s or node’s allow list.

Request

  1. PUT _plugins/_security/api/nodesdn/<cluster-name>
  2. {
  3. "nodes_dn": [
  4. "CN=cluster3.example.com"
  5. ]
  6. }

copy

Example response

  1. {
  2. "status": "CREATED",
  3. "message": "'cluster3' created."
  4. }

Update all distinguished names

Makes a bulk update for the list of distinguished names.

Path and HTTP methods

  1. PATCH _plugins/_security/api/nodesdn

copy

Request body fields

FieldData typeDescriptionRequired
opstringThe operation to perform on the action group. Possible values: remove,add, replace, move, copy, test.Yes
pathstringThe path to the resource.Yes
valueArrayThe new values used for the update.Yes
Example request
  1. PATCH _plugins/_security/api/nodesdn
  2. [
  3. {
  4. "op":"replace",
  5. "path":"/cluster1/nodes_dn/0",
  6. "value": ["CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM", "CN=George Wall,CN=admin,DC=corp,DC=Fabrikam,DC=COM"]
  7. }
  8. ]

copy

Example response
  1. {
  2. "status":"OK",
  3. "message":"Resources updated."
  4. }

Response body fields

FieldData typeDescription
statusstringThe response status.
messagestringResponse message.

Delete distinguished names

Deletes all distinguished names in the specified cluster’s or node’s allow list.

Request

  1. DELETE _plugins/_security/api/nodesdn/<cluster-name>

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "'cluster3' deleted."
  4. }

Certificates

Get certificates

Introduced 1.0

Retrieves the cluster’s security certificates.

Request

  1. GET _plugins/_security/api/ssl/certs

copy

Example response

  1. {
  2. "http_certificates_list": [
  3. {
  4. "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
  5. "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
  6. "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
  7. "not_before": "2018-04-22T03:43:47Z",
  8. "not_after": "2028-04-19T03:43:47Z"
  9. }
  10. ],
  11. "transport_certificates_list": [
  12. {
  13. "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
  14. "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
  15. "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
  16. "not_before": "2018-04-22T03:43:47Z",
  17. "not_after": "2028-04-19T03:43:47Z"
  18. }
  19. ]
  20. }

Reload transport certificates

Reload transport layer communication certificates. These REST APIs let a super admin (or a user with sufficient permissions to access this API) reload transport layer certificates.

Path and HTTP methods

  1. PUT /_plugins/_security/api/ssl/transport/reloadcerts

copy

Example request
  1. curl -X PUT "https://your-opensearch-cluster/_plugins/_security/api/ssl/transport/reloadcerts"

copy

Example response
  1. {
  2. "status": "OK",
  3. "message": "updated transport certs"
  4. }

Response body fields

FieldData typeDescription
statusStringIndicates the status of the operation. Possible values: “OK” or an error message.
messageStringAdditional information about the operation.

Reload HTTP certificates

Reload HTTP layer communication certificates. These REST APIs let a super admin (or a user with sufficient permissions to access this API) reload HTTP layer certificates.

Path and HTTP methods

  1. PUT /_plugins/_security/api/ssl/http/reloadcerts

copy

Example request
  1. curl -X PUT "https://your-opensearch-cluster/_plugins/_security/api/ssl/http/reloadcerts"

copy

Example response
  1. {
  2. "status": "OK",
  3. "message": "updated http certs"
  4. }

Response body fields

FieldData typeDescription
statusStringThe status of the API operation. Possible value: “OK”.
messageStringA message indicating that the HTTP certificates have been updated.

Cache

Flush cache

Introduced 1.0

Flushes the Security plugin user, authentication, and authorization cache.

Request

  1. DELETE _plugins/_security/api/cache

copy

Example response

  1. {
  2. "status": "OK",
  3. "message": "Cache flushed successfully."
  4. }

Health

Health check

Introduced 1.0

Checks to see if the Security plugin is up and running. If you operate your cluster behind a load balancer, this operation is useful for determining node health and doesn’t require a signed request.

Request

  1. GET _plugins/_security/health

copy

Example response

  1. {
  2. "message": null,
  3. "mode": "strict",
  4. "status": "UP"
  5. }

Audit logs

The following API is available for audit logging in the Security plugin.

Enable audit logs

This API allows you to enable or disable audit logging, define the configuration for audit logging and compliance, and make updates to settings.

For details on using audit logging to track access to OpenSearch clusters, as well as information on further configurations, see Audit logs.

You can do an initial configuration of audit logging in the audit.yml file, found in the opensearch-project/security/config directory. Thereafter, you can use the REST API or Dashboards for further changes to the configuration.

Request body fields

FieldData typeDescription
enabledBooleanEnables or disables audit logging. Default is true.
auditObjectContains fields for audit logging configuration.
audit.ignore_usersArrayUsers to be excluded from auditing. Wildcard patterns are supported
Example: ignore_users: [“test-user”, employee-“]
audit.ignore_requestsArrayRequests to be excluded from auditing. Wildcard patterns are supported.
Example: ignore_requests: [“indices:data/read/“, “SearchRequest”]
audit.disabled_rest_categoriesArrayCategories to exclude from REST API auditing. Default categories are AUTHENTICATED, GRANTED_PRIVILEGES.
audit.disabled_transport_categoriesArrayCategories to exclude from Transport API auditing. Default categories are AUTHENTICATED, GRANTED_PRIVILEGES.
audit.log_request_bodyBooleanIncludes the body of the request (if available) for both REST and the transport layer. Default is true.
audit.resolve_indicesBooleanLogs all indexes affected by a request. Resolves aliases and wildcards/date patterns. Default is true.
audit.resolve_bulk_requestsBooleanLogs individual operations in a bulk request. Default is false.
audit.exclude_sensitive_headersBooleanExcludes sensitive headers from being included in the logs. Default is true.
audit.enable_transportBooleanEnables/disables Transport API auditing. Default is true.
audit.enable_restBooleanEnables/disables REST API auditing. Default is true.
complianceObjectContains fields for compliance configuration.
compliance.enabledBooleanEnables or disables compliance. Default is true.
compliance.write_log_diffsBooleanLogs only diffs for document updates. Default is false.
compliance.read_watched_fieldsObjectMap of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields.
compliance.read_ignore_usersArrayList of users to ignore for read events. Wildcard patterns are supported.
Example: read_ignore_users: [“test-user”, “employee-“]
compliance.write_watched_indicesArrayList of indexes to watch for write events. Wildcard patterns are supported.
Example: write_watched_indices: [“twitter”, “logs-“]
compliance.write_ignore_usersArrayList of users to ignore for write events. Wildcard patterns are supported.
Example: write_ignore_users: [“test-user”, “employee-*”]
compliance.read_metadata_onlyBooleanLogs only metadata of the document for read events. Default is true.
compliance.write_metadata_onlyBooleanLog only metadata of the document for write events. Default is true.
compliance.external_configBooleanLogs external configuration files for the node. Default is false.
compliance.internal_configBooleanLogs updates to internal security changes. Default is true.

Changes to the _readonly property result in a 409 error, as indicated in the response below.

  1. {
  2. "status" : "error",
  3. "reason" : "Invalid configuration",
  4. "invalid_keys" : {
  5. "keys" : "_readonly,config"
  6. }
  7. }

Example request

GET

A GET call retrieves the audit configuration.

  1. GET /_opendistro/_security/api/audit

copy

PUT

A PUT call updates the audit configuration.

  1. PUT /_opendistro/_security/api/audit/config
  2. {
  3. "enabled": true,
  4. "audit": {
  5. "ignore_users": [],
  6. "ignore_requests": [],
  7. "disabled_rest_categories": [
  8. "AUTHENTICATED",
  9. "GRANTED_PRIVILEGES"
  10. ],
  11. "disabled_transport_categories": [
  12. "AUTHENTICATED",
  13. "GRANTED_PRIVILEGES"
  14. ],
  15. "log_request_body": false,
  16. "resolve_indices": false,
  17. "resolve_bulk_requests": false,
  18. "exclude_sensitive_headers": true,
  19. "enable_transport": false,
  20. "enable_rest": true
  21. },
  22. "compliance": {
  23. "enabled": true,
  24. "write_log_diffs": false,
  25. "read_watched_fields": {},
  26. "read_ignore_users": [],
  27. "write_watched_indices": [],
  28. "write_ignore_users": [],
  29. "read_metadata_only": true,
  30. "write_metadata_only": true,
  31. "external_config": false,
  32. "internal_config": true
  33. }
  34. }

copy

PATCH

A PATCH call is used to update specified fields in the audit configuration. The PATCH method requires an operation, a path, and a value to complete a valid request. For details on using the PATCH method, see the following Patching resources description at Wikipedia.

Using the PATCH method also requires a user to have a security configuration that includes admin certificates for encryption. To find out more about these certificates, see Configuring admin certificates.

  1. curl -X PATCH -k -i --cert <admin_cert file name> --key <admin_cert_key file name> <domain>/_opendistro/_security/api/audit -H 'Content-Type: application/json' -d'[{"op":"add","path":"/config/enabled","value":"true"}]'

copy

OpenSearch Dashboards Dev Tools do not currently support the PATCH method. You can use curl, Postman, or another alternative process to update the configuration using this method. To follow the GitHub issue for support of the PATCH method in Dashboards, see issue #2343.

Example response

The GET call produces a response that appears similar to the following:

  1. {
  2. "_readonly" : [
  3. "/audit/exclude_sensitive_headers",
  4. "/compliance/internal_config",
  5. "/compliance/external_config"
  6. ],
  7. "config" : {
  8. "compliance" : {
  9. "enabled" : true,
  10. "write_log_diffs" : false,
  11. "read_watched_fields" : { },
  12. "read_ignore_users" : [ ],
  13. "write_watched_indices" : [ ],
  14. "write_ignore_users" : [ ],
  15. "read_metadata_only" : true,
  16. "write_metadata_only" : true,
  17. "external_config" : false,
  18. "internal_config" : true
  19. },
  20. "enabled" : true,
  21. "audit" : {
  22. "ignore_users" : [ ],
  23. "ignore_requests" : [ ],
  24. "disabled_rest_categories" : [
  25. "AUTHENTICATED",
  26. "GRANTED_PRIVILEGES"
  27. ],
  28. "disabled_transport_categories" : [
  29. "AUTHENTICATED",
  30. "GRANTED_PRIVILEGES"
  31. ],
  32. "log_request_body" : true,
  33. "resolve_indices" : true,
  34. "resolve_bulk_requests" : true,
  35. "exclude_sensitive_headers" : true,
  36. "enable_transport" : true,
  37. "enable_rest" : true
  38. }
  39. }
  40. }

The PUT request produces a response that appears similar to the following:

  1. {
  2. "status" : "OK",
  3. "message" : "'config' updated."
  4. }

The PATCH request produces a response similar to the following:

  1. HTTP/1.1 200 OK
  2. content-type: application/json; charset=UTF-8
  3. content-length: 45