OpenSearch User Account Management - mata-elang-stable/MataElang-Platform GitHub Wiki
Create User
- Choose Security, Internal Users, and Create internal user.
- Provide a username and password. The security plugin automatically hashes the password and stores it in the .opendistro_security index.
- If desired, specify user attributes. Attributes are optional user properties that you can use for variable substitution in index permissions or document-level security.
- Choose Submit.
Create Role
- Choose Security, Roles, and Create role.
- Provide a name for the role.
- Add permissions as desired. For example, you might give a role no cluster permissions, read permissions to two indices, unlimited permissions to a third index, and read permissions to the analysts tenant.
- Choose Submit.
Map Users to a Role
- Choose Security, Roles, and a role.
- Choose the Mapped users tab and Manage mapping.
- Specify users or external identities (also known as backend roles).
- Choose Map.
Predefined Roles
The security plugin includes several predefined roles that serve as useful defaults.
Role | Description |
---|---|
alerting_ack_alerts | Grants permissions to view and acknowledge alerts, but not modify destinations or monitors. |
alerting_full_access | Grants full permissions to all alerting actions. |
alerting_read_access | Grants permissions to view alerts, destinations, and monitors, but not acknowledge alerts or modify destinations or monitors. |
anomaly_full_access | Grants full permissions to all anomaly detection actions. |
anomaly_read_access | Grants permissions to view detectors, but not create, modify, or delete detectors. |
all_access | Grants full access to the cluster: all cluster-wide operations, write to all indices, write to all tenants. |
cross_cluster_replication_follower_full_access | Grants full access to perform cross-cluster replication actions on the follower cluster. |
cross_cluster_replication_leader_full_access | Grants full access to perform cross-cluster replication actions on the leader cluster. |
opensearch_dashboards_read_only | A special role that prevents users from making changes to visualizations, dashboards, and other OpenSearch Dashboards objects. See opensearch_security.readonly_mode.roles in opensearch_dashboards.yml. Pair with the opensearch_dashboards_user role. |
opensearch_dashboards_user | Grants permissions to use OpenSearch Dashboards: cluster-wide searches, index monitoring, and write to various OpenSearch Dashboards indices. |
logstash | Grants permissions for Logstash to interact with the cluster: cluster-wide searches, cluster monitoring, and write to the various Logstash indices. |
manage_snapshots | Grants permissions to manage snapshot repositories, take snapshots, and restore snapshots. |
readall | Grants permissions for cluster-wide searches like msearch and search permissions for all indices. |
readall_and_monitor | Same as readall, but with added cluster monitoring permissions. |
security_rest_api_access | A special role that allows access to the REST API. See plugins.security.restapi.roles_enabled in opensearch.yml and Access control for the API. |
reports_read_access | Grants permissions to generate on-demand reports, download existing reports, and view report definitions, but not to create report definitions. |
reports_instances_read_access | Grants permissions to generate on-demand reports and download existing reports, but not to view or create report definitions. |
reports_full_access | Grants full permissions to reports. |
asynchronous_search_full_access | Grants full permissions to all asynchronous search actions. |
asynchronous_search_read_access | Grants permissions to view asynchronous searches, but not to submit, modify, or delete async searches. |
index_management_full_access | Grants full permissions to all index management actions, including ISM, transforms, and rollups. |
Sample Roles
The following examples show how you might set up a read-only and a bulk access role.
Set up a read-only user
Create a new read_only_index role:
- Open OpenSearch Dashboards.
- Choose Security, Roles.
- Create a new role named read_only_index.
- For Cluster permissions, add the cluster_composite_ops_ro action group.
- For Index permissions, add an index pattern. For example, you might specify my-index-*.
- For Index permissions, add the read action group.
- Choose Create.
Map three roles to the read-only user:
- Choose the Mapped users tab and Manage mapping.
- For Internal users, add your read-only user.
- Choose Map.
- Repeat these steps for the opensearch_dashboards_user and opensearch_dashboards_read_only roles.
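The same read-only setup expressed as security REST API requests, as an added example that is not part of the original wiki page. The user name readonly_user and the sample of existing mappings are constructed. Because a PUT to rolesmapping replaces the whole mapping, the script merges the new user into the current one; it only builds the requests, and sending them is left to the HTTP client and credentials you already use.

```python
import json

API = "/_plugins/_security/api"
# Role names are the ones used on this page.
READ_ONLY_ROLES = ["read_only_index", "opensearch_dashboards_user",
                   "opensearch_dashboards_read_only"]

def role_body(index_pattern="my-index-*"):
    """Body for the read_only_index role from the steps above."""
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {"index_patterns": [index_pattern], "allowed_actions": ["read"]}
        ],
    }

def merged_mapping(existing, user):
    """Add `user` to a role mapping without dropping current entries.

    PUT replaces the whole mapping, so start from what GET returned for
    the role and carry over its list fields before adding the user.
    """
    keys = ("users", "backend_roles", "and_backend_roles", "hosts")
    body = {key: list(existing.get(key, [])) for key in keys}
    if user not in body["users"]:
        body["users"].append(user)
    return body

def plan(user, current_mappings):
    """Ordered (method, path, body) requests for one read-only user."""
    steps = [("PUT", f"{API}/roles/read_only_index", role_body())]
    for role in READ_ONLY_ROLES:
        existing = current_mappings.get(role, {})
        steps.append(("PUT", f"{API}/rolesmapping/{role}",
                      merged_mapping(existing, user)))
    return steps

if __name__ == "__main__":
    # Constructed sample of mappings already present on the cluster.
    current = {"opensearch_dashboards_user": {
        "users": ["alice"], "backend_roles": ["analysts"], "hosts": []}}
    for method, path, body in plan("readonly_user", current):
        print(method, path, json.dumps(body))
```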
Set up a bulk access role in OpenSearch Dashboards
Create a new bulk_access role:
- Open OpenSearch Dashboards.
- Choose Security, Roles.
- Create a new role named bulk_access.
- For Cluster permissions, add the cluster_composite_ops action group.
- For Index permissions, add an index pattern. For example, you might specify my-index-*.
- For Index permissions, add the write action group.
- Choose Create.
Map the role to your user:
- Choose the Mapped users tab and Manage mapping.
- For Internal users, add your bulk access user.
- Choose Map.
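A check over the resulting mappings, as an added example that is not part of the original wiki page. A user's effective permissions are the union of all mapped roles, so a read-only user who is also mapped to a role such as bulk_access can still write. The user names and sample data are constructed, and the set of write-capable action groups is an assumption that is not exhaustive.

```python
RO_ROLE = "opensearch_dashboards_read_only"
UI_ROLE = "opensearch_dashboards_user"
# Action groups that allow index writes; not an exhaustive list (assumption).
WRITE_GROUPS = {"write", "crud", "indices_all", "unlimited", "*"}

def can_write(role_def):
    """True if any index permission of the role allows document writes."""
    for perm in role_def.get("index_permissions", []):
        for action in perm.get("allowed_actions", []):
            if action in WRITE_GROUPS or action.startswith("indices:data/write"):
                return True
    return False

def roles_by_user(mappings):
    """Invert role -> users; backend roles are not resolved here."""
    held = {}
    for role, mapping in mappings.items():
        for user in mapping.get("users", []):
            held.setdefault(user, set()).add(role)
    return held

def audit(roles, mappings):
    """Sorted (user, finding) pairs for every user mapped to RO_ROLE."""
    findings = []
    for user, held in roles_by_user(mappings).items():
        if RO_ROLE not in held:
            continue
        if UI_ROLE not in held:
            findings.append((user, f"missing {UI_ROLE}"))
        for role in held - {RO_ROLE, UI_ROLE}:
            if can_write(roles.get(role, {})):
                findings.append((user, f"write access via {role}"))
    return sorted(findings)

# Constructed sample, shaped like the roles and rolesmapping API output.
ROLES = {
    "read_only_index": {"index_permissions": [
        {"index_patterns": ["my-index-*"], "allowed_actions": ["read"]}]},
    "bulk_access": {"index_permissions": [
        {"index_patterns": ["my-index-*"], "allowed_actions": ["write"]}]},
}
MAPPINGS = {
    "read_only_index": {"users": ["ro_user", "carol"]},
    UI_ROLE: {"users": ["ro_user"]},
    RO_ROLE: {"users": ["ro_user", "carol", "dave"]},
    "bulk_access": {"users": ["bulk_user", "dave"]},
}
if __name__ == "__main__":
    print(*audit(ROLES, MAPPINGS), sep="\n")
```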