{{tag>elasticsearch kibana opensearch}}

====== Opensearch installation ======

===== Docker install =====

Execute these on host machine first:
  echo "vm.max_map_count=262144" >> /etc/sysctl.conf



add ''plugins.security.ssl.http.enabled=false''
to environment key in compose file, to disable ssl.

Set initial password
  export OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypwd_1

Run compose:
  docker-compose up -d


==== Generate certs ====

If you don't have a Certificate authority already, you can use the script [[https://opensearch.org/docs/latest/security/configuration/generate-certificates/#sample-script-to-generate-self-signed-pem-certificates|here]] to generate all the necessary certs.


If you don't want a separate cert for each node you can set
''plugins.security.ssl.transport.enforce_hostname_verification: false''

in opensearch.yml config and use just the node1 certs from below.

If you  have existing CA [[wiki:creating_ca_and_signing_server_and_client_certs_with_openssl#create_a_ssl_client_certificate|create new node and admin certs]] using that. 

Node certs are used to secure communication between the nodes. The admin.pem is used by the securityadmin.sh script that applies the configuration
from config files into the OS indices.

When the cluster is running ok you should see the following the line in the logs

  opensearch-node2       | [2024-07-29T13:02:30,748][INFO ][o.o.c.r.a.AllocationService] [opensearch-node2] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.plugins-ml-config][0]]]).

Also check the API endpoint e.g.
<code>
root@debian12-12:[/opt/opensearch]: curl "https://localhost:9200/_cluster/health?pretty" -ku admin:admin
{
  "cluster_name" : "opensearch-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 5,
  "active_shards" : 10,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
</code>

Example opensearch.yml
<code>
# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

plugins.security.ssl.transport.pemcert_filepath: opensearch-node.crt
plugins.security.ssl.transport.pemkey_filepath: opensearch-node.key
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.crt

# use the same certificate on every node
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch-node.crt
plugins.security.ssl.http.pemkey_filepath: opensearch-node.key
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.crt
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'EMAILADDRESS=dev@example.com,CN=osadmin,OU=IT,O=COMPANY,L=ST,ST=SD,C=HR'
plugins.security.nodes_dn:
  - 'EMAILADDRESS=dev@example.com,CN=opensearch-node1,OU=IT,O=COMPANY,L=Split,ST=SD,C=HR'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

</code> 
The CN field in plugins.security.nodes_dn must be the same as in  SAN extension file step e.g.

  echo 'subjectAltName=DNS:opensearch-node1' > node1.ext

in this example


==== Troubleshooting ====
<code>
...
opensearch-node1       | [2024-07-29T12:23:32,528][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Wait for cluster to be available ...
opensearch-node1       | [2024-07-29T12:23:33,533][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Wait for cluster to be available ...
...
</code>

If running in docker, make sure you have the line
  network.host: 0.0.0.0

in opensearch.yml

=== Can't login into Dashboards? ===

If you are not using https this option needs to be set

  opensearch_security.cookie.secure: false

**opensearch_dashboars.yml no SSL example**

<code>
 
server.host: '0.0.0.0'
server.ssl.enabled: false
opensearch.hosts: ["https://localhost:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: none
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false
opensearch_security.auth.type: ["basicauth"]

# cosmetics
opensearchDashboards.branding:
  useExpandedHeader: false
</code> 

=== Can't login and you get a json 401 response ===
E.g.

  {"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}

This might happen if you are proxying connections to OS Dashboard for example, using nginx + auth_basic for authentication. It seems the username/passwd set for auth_basic gets passed to OS and that user/pwd most likely does not exist in the internal database.

There might be a solution for this [[https://opensearch.org/docs/2.15/security/authentication-backends/proxy/|here]].

====== Tested on ======
  * Opensearch 2.15

====== See also ======
  * [[wiki:logstash_setup|logstash setup]]
  * [[wiki:creating_opensearch_dashboards_users|Creating Opensearch Dashboards users]]

====== References ======
  * https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/#install-docker-and-docker-compose
  * https://raw.githubusercontent.com/opensearch-project/documentation-website/2.15/assets/examples/docker-compose.yml
  * http://grokconstructor.appspot.com