In recent articles on our website, we discussed in detail the installation of OpenSearch on Debian and Ubuntu Linux systems. OpenSearch has a built-in feature for basic user authentication, which provides access control to the OpenSearch cluster and protects the data stored in it. In this tutorial we give you an overview of how to configure basic user authentication in your OpenSearch cluster. The authentication mechanism in OpenSearch is provided by the OpenSearch Security plugin.
The OpenSearch Security plugin supports multiple authentication backends, such as Windows Active Directory, Linux/Unix LDAP, and the basic authentication used in this article. With basic user authentication, user information is stored in the plugin's internal user database. The purpose of user authentication is to ensure that only authorized users or systems can view and modify the data stored in the cluster.
Modify OpenSearch configuration file
Before modifying the OpenSearch configuration file, first make a backup of it.
sudo cp /etc/opensearch/opensearch.yml{,.bak}
If you disabled the Security plugin in opensearch.yml during your previous installation, re-enable it by editing the file.
$ sudo vim /etc/opensearch/opensearch.yml
plugins.security.disabled: false
If you are working on a new, single-node installation of OpenSearch, set discovery.type to single-node, or the bootstrap checks will fail when you try to start the service.
discovery.type: single-node
You can also bind to all interfaces if connectivity from outside localhost is required. This exposes the cluster to the network, so only do it with the Security plugin enabled.
network.host: 0.0.0.0
Changing admin user password
Change your current working directory to the Security plugin's tools directory.
cd /usr/share/opensearch/plugins/opensearch-security/tools
Generate a password hash for the admin user. The hash.sh tool prompts for the password and prints its bcrypt hash.
# OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
[Password:] <TYPE-PASSWORD-TO-USE>
$2y$12$WBY/iwGveKxMAh0k6ZfXQ.gGBd78Ip3vnrr.HkidTwkG2JZ8WtjnK
Take note of the generated password hash. Then edit internal_users.yml and set the generated hash for the admin user.
sudo vim /etc/opensearch/opensearch-security/internal_users.yml
Locate the admin user section and update the hash value.
admin:
  hash: "$2y$12$WBY/iwGveKxMAh0k6ZfXQ.gGBd78Ip3vnrr.HkidTwkG2JZ8WtjnK"
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin User"
Restart OpenSearch service for the changes to be applied.
sudo systemctl restart opensearch
Test that it works, replacing NewPasswordSet with the password you hashed and set earlier.
$ curl -kX GET https://localhost:9200 -u 'admin:NewPasswordSet'
{
"name" : "jammy",
"cluster_name" : "opensearch",
"cluster_uuid" : "0UrvTjvaQZauv5guclhdpw",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.0",
"build_type" : "deb",
"build_hash" : "4dcad6dd1fd45b6bd91f041a041829c8687278fa",
"build_date" : "2023-10-13T02:57:02.526977318Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
This confirms that the new password is in effect.
Creating a new user
Confirm that OpenSearch service is running.
$ systemctl status opensearch
● opensearch.service - OpenSearch
Loaded: loaded (/lib/systemd/system/opensearch.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2023-11-30 18:00:00 UTC; 6min ago
Docs: https://opensearch.org/
Main PID: 10890 (java)
Tasks: 71 (limit: 4524)
Memory: 1.3G
CPU: 57.386s
CGroup: /system.slice/opensearch.service
└─10890 /usr/share/opensearch/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt>
Nov 30 17:59:43 jammy systemd[1]: Starting OpenSearch...
Nov 30 18:00:00 jammy systemd[1]: Started OpenSearch.
New users in OpenSearch can be created from OpenSearch Dashboards, by directly editing internal_users.yml, or through the REST API.
When creating a new user, you can also map the user to roles, but only from the CLI or the REST API, since this feature is not currently available in OpenSearch Dashboards. The Security plugin documentation lists all the predefined roles that ship with the plugin.
Generate the password hash for the new user to be added.
cd /usr/share/opensearch/plugins/opensearch-security/tools
OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./hash.sh
Input the password to be hashed.
[Password:] <INPUT-PASSWORD>
$2y$12$8twkFagjlnBArrnBWWxOEujNqe9d5nLRjbb.kORjuO95BW2qc6.Ja
Open the internal_users.yml file, which contains the initial users to be added to the Security plugin's internal user database.
sudo vim /etc/opensearch/opensearch-security/internal_users.yml
In our example we are creating a user with the following details.
- Username: computingforgeeks
- Hashed password value: $2y$12$8twkFagjlnBArrnBWWxOEujNqe9d5nLRjbb.kORjuO95BW2qc6.Ja
- User role: all_access; you can add more if you need them
computingforgeeks:
  hash: "$2y$12$8twkFagjlnBArrnBWWxOEujNqe9d5nLRjbb.kORjuO95BW2qc6.Ja"
  reserved: false
  backend_roles:
  - "all_access"
  description: "Computingforgeeks User"
The “all_access” role grants full access to the cluster, including all cluster-wide operations, permission to write to all cluster indexes, and permission to write to all tenants.
Role mappings, which tie backend roles and user names to the roles they receive, are configured in the file /etc/opensearch/opensearch-security/roles_mapping.yml.
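Two things are easy to get wrong when editing these files by hand: pasting something other than the bcrypt output of hash.sh into a user's hash field, and assigning a backend role that no entry in roles_mapping.yml references, in which case the user authenticates but holds no roles at all. The following script, added for this article and not part of OpenSearch, checks both for the admin and computingforgeeks entries above. It parses the flat YAML subset these two files use without any third-party library, treats the hash format, the roles_mapping.yml layout and the opendistro_security_roles key as assumptions about the stock files, and uses a constructed roles_mapping.yml modelled on the stock one, where the all_access role is granted to the backend role "admin".

```python
"""Checks for the Security plugin's internal_users.yml and roles_mapping.yml.

Example added for this article (not part of OpenSearch). Runs offline on the
constructed samples below, or on real files:
    python3 check_users.py internal_users.yml roles_mapping.yml
"""
import re
import sys

# What hash.sh emits: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def _scalar(value):
    """Strip surrounding quotes and turn true/false/[] into Python values."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        v = v[1:-1]
    return {"true": True, "false": False, "[]": []}.get(v, v)


def parse_simple_yaml(text):
    """Parse the flat YAML subset these files use: top-level keys, one level of
    scalar keys, and string lists. Not a general YAML parser (assumption: the
    files keep the layout shown in the article)."""
    doc, current, list_key = {}, None, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        if not raw[0].isspace() and body.endswith(":"):
            current, list_key = body[:-1], None
            doc[current] = {}
        elif body.startswith("- ") and list_key is not None:
            doc[current][list_key].append(_scalar(body[2:]))
        else:
            key, _, value = body.partition(":")
            value = _scalar(value)
            list_key = key.strip() if value == "" else None
            doc[current][key.strip()] = [] if value == "" else value
    return doc


def users_with_bad_hashes(users):
    """Users whose hash field is not a bcrypt string."""
    return sorted(n for n, a in users.items()
                  if n != "_meta" and not BCRYPT_RE.match(str(a.get("hash", ""))))


def effective_roles(username, users, mappings):
    """Roles the user ends up with: roles listed directly on the user entry
    (opendistro_security_roles, assumed key name) plus every mapping in
    roles_mapping.yml that names the user or shares one of its backend_roles."""
    attrs = users.get(username, {})
    backend = set(attrs.get("backend_roles", []))
    roles = set(attrs.get("opendistro_security_roles", []))
    for role, mapping in mappings.items():
        if role == "_meta":
            continue
        if username in mapping.get("users", []) or backend & set(mapping.get("backend_roles", [])):
            roles.add(role)
    return sorted(roles)


def users_without_roles(users, mappings):
    """Users who would authenticate but hold no role at all."""
    return sorted(n for n in users if n != "_meta" and not effective_roles(n, users, mappings))


# Constructed sample internal_users.yml: the two users from the article plus a
# deliberately broken entry whose "hash" is a plaintext password.
SAMPLE_INTERNAL_USERS = """\
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$WBY/iwGveKxMAh0k6ZfXQ.gGBd78Ip3vnrr.HkidTwkG2JZ8WtjnK"
  reserved: true
  backend_roles:
  - "admin"
computingforgeeks:
  hash: "$2y$12$8twkFagjlnBArrnBWWxOEujNqe9d5nLRjbb.kORjuO95BW2qc6.Ja"
  reserved: false
  backend_roles:
  - "all_access"
broken:
  hash: "S3cret!"
  reserved: false
  backend_roles:
  - "admin"
"""

# Constructed sample roles_mapping.yml modelled on the stock file, where the
# all_access role is granted to the backend role "admin".
SAMPLE_ROLES_MAPPING = """\
all_access:
  reserved: false
  backend_roles:
  - "admin"
readall:
  reserved: false
  users:
  - "auditor"
"""


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            users, mappings = parse_simple_yaml(f.read()), parse_simple_yaml(g.read())
    else:
        users = parse_simple_yaml(SAMPLE_INTERNAL_USERS)
        mappings = parse_simple_yaml(SAMPLE_ROLES_MAPPING)
    for name in users_with_bad_hashes(users):
        print(f"{name}: hash is not bcrypt output from hash.sh")
    for name in users_without_roles(users, mappings):
        print(f"{name}: backend_roles {users[name].get('backend_roles')} matched no role mapping")
    for name in (n for n in users if n != "_meta"):
        print(f"{name}: effective roles = {effective_roles(name, users, mappings)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports the constructed "broken" user for its hash and the computingforgeeks user for a backend role that nothing maps; with the two file paths it checks your live configuration instead. The fix for the second finding is either a mapping in roles_mapping.yml whose backend_roles (or users) list includes the user, or a direct role assignment on the user entry.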
Restart OpenSearch service after making the changes.
sudo systemctl restart opensearch
We hope that with our guide you were able to create a user in OpenSearch following the principle of least privilege (PoLP). Stay connected for more OpenSearch articles that will be dropping soon.