
Opensearch installation

Docker install

Execute this on the host machine first; OpenSearch checks vm.max_map_count at startup and exits if it is lower than 262144. Appending to /etc/sysctl.conf makes the setting survive a reboot, run sysctl -p afterwards (or reboot) so the running kernel picks it up:

echo "vm.max_map_count=262144" >> /etc/sysctl.conf

To run the REST port without TLS, add plugins.security.ssl.http.enabled=false to the environment key of the OpenSearch service in the compose file. Do this only for local testing: with HTTP TLS off, the basic-auth credentials and all query data cross the network in clear text. The example opensearch.yml further down keeps it enabled.

Set the initial admin password. It is required since OpenSearch 2.12, when the admin:admin default was removed, and the demo security setup rejects weak values: use at least 8 characters mixing upper- and lower-case letters, a digit and a special character (the value below only shows the syntax and does not meet those rules). The compose file has to pass the variable through to the OpenSearch containers:

export OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypwd_1

Run compose:

docker-compose up -d

Generate certs

If you don't have a certificate authority already, you can use the script here to generate all the necessary certs.

If you don't want a separate cert for each node, set plugins.security.ssl.transport.enforce_hostname_verification: false in opensearch.yml and use just the node1 certs from below on every node. Hostname verification is what ties a node certificate to the host that presents it; with it switched off, anyone holding the shared node cert and key can join the cluster as a node, which is acceptable in a lab and not in production.

If you have an existing CA, create new node and admin certs signed by it instead.

Node certs secure the transport (node-to-node) traffic. admin.pem is the client certificate used by securityadmin.sh, which loads the configuration from the YAML files into the security index (.opendistro_security); its subject DN has to be listed in plugins.security.authcz.admin_dn, and it must not double as a node certificate.
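As an added example (this is not the script the wiki links to, nor OpenSearch's own tooling), the following shell script produces a root CA, one node certificate and the admin client certificate with the file names and subject fields used by the example opensearch.yml further down. It assumes openssl is installed; the subject values (COMPANY, Split, HR, dev@example.com) are placeholders copied from that example and should be replaced with your own.

```shell
#!/bin/sh
# Added example: self-signed root CA, a node cert whose CN and DNS SAN both
# carry the node name, and an admin client cert whose subject matches
# plugins.security.authcz.admin_dn. Subject fields are placeholders.
set -eu

gen_certs() {
  outdir="$1"                       # directory to write into
  node_cn="${2:-opensearch-node1}"  # must equal the CN in nodes_dn and the SAN
  mkdir -p "$outdir"
  (
    cd "$outdir"

    # Root CA; keep root-ca.key off the cluster, only root-ca.crt is deployed
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root-ca.key 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key root-ca.key \
      -subj "/C=HR/ST=SD/L=Split/O=COMPANY/OU=IT/CN=root-ca" -out root-ca.crt

    # Node certificate; genpkey writes PKCS#8 PEM, the format the plugin expects
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out opensearch-node.key 2>/dev/null
    openssl req -new -sha256 -key opensearch-node.key \
      -subj "/C=HR/ST=SD/L=Split/O=COMPANY/OU=IT/CN=$node_cn/emailAddress=dev@example.com" \
      -out opensearch-node.csr
    # SAN with the node name so the cert also passes hostname verification
    printf 'subjectAltName=DNS:%s\n' "$node_cn" > node.ext
    openssl x509 -req -sha256 -days 365 -in opensearch-node.csr \
      -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
      -extfile node.ext -out opensearch-node.crt

    # Admin client cert for securityadmin.sh: a different subject, no SAN,
    # and never listed in nodes_dn
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out admin-key.pem 2>/dev/null
    openssl req -new -sha256 -key admin-key.pem \
      -subj "/C=HR/ST=SD/L=ST/O=COMPANY/OU=IT/CN=osadmin/emailAddress=dev@example.com" \
      -out admin.csr
    openssl x509 -req -sha256 -days 365 -in admin.csr \
      -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out admin.pem

    rm -f opensearch-node.csr admin.csr node.ext
  )
}

# Print a certificate subject in the attribute order used by nodes_dn / admin_dn
# (OpenSSL spells the mail attribute emailAddress; opensearch.yml uses EMAILADDRESS)
print_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Usage: ./gen-certs.sh ./certs opensearch-node1
if [ "$#" -gt 0 ]; then
  gen_certs "$@"
  print_dn "$1/opensearch-node.crt"
  print_dn "$1/admin.pem"
fi
```

Copy root-ca.crt, opensearch-node.crt, opensearch-node.key, admin.pem and admin-key.pem into the config directory of each node; root-ca.key stays on the machine that signs certificates. Run print_dn against the files and paste its output into nodes_dn and admin_dn rather than typing the DN by hand, since the plugin compares the full subject.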

When the cluster is up you should see a line like this in the logs:

opensearch-node2       | [2024-07-29T13:02:30,748][INFO ][o.o.c.r.a.AllocationService] [opensearch-node2] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.plugins-ml-config][0]]]).

Also check the REST endpoint, e.g. (the -k skips verification of the self-signed node certificate; pass --cacert root-ca.crt instead once you have your CA, and use the admin password you set above):

root@debian12-12:[/opt/opensearch]: curl "https://localhost:9200/_cluster/health?pretty" -ku admin:admin
{
  "cluster_name" : "opensearch-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 5,
  "active_shards" : 10,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Example opensearch.yml

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# Transport layer (node-to-node) TLS; keys have to be PKCS#8 PEM
plugins.security.ssl.transport.pemcert_filepath: opensearch-node.crt
plugins.security.ssl.transport.pemkey_filepath: opensearch-node.key
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.crt

# use the same certificate on every node (see the caveat under "Generate certs")
plugins.security.ssl.transport.enforce_hostname_verification: false

# REST layer TLS on port 9200
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch-node.crt
plugins.security.ssl.http.pemkey_filepath: opensearch-node.key
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.crt
# Let the node create and fill the security index from the YAML files on first start
plugins.security.allow_default_init_securityindex: true
# Subject DN of admin.pem; only this certificate may run securityadmin.sh
plugins.security.authcz.admin_dn:
  - 'EMAILADDRESS=dev@example.com,CN=osadmin,OU=IT,O=COMPANY,L=ST,ST=SD,C=HR'
# Subject DNs of certificates that are allowed to join as nodes
plugins.security.nodes_dn:
  - 'EMAILADDRESS=dev@example.com,CN=opensearch-node1,OU=IT,O=COMPANY,L=Split,ST=SD,C=HR'
# Write the audit log into an OpenSearch index
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
# Roles that may use the security REST API (and therefore the Dashboards security UI)
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
# Lab setting: disables the disk watermarks, so a filling disk will not block shard allocation
cluster.routing.allocation.disk.threshold_enabled: false
# Audit every category; these are the legacy opendistro_security key names (still accepted),
# the current spelling is plugins.security.audit.config.disabled_rest_categories etc.
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

The entry in plugins.security.nodes_dn must match the subject DN of the node certificate exactly (wildcards are allowed), and the CN there should be the same name as in the SAN extension file used when signing the node cert, e.g.

echo 'subjectAltName=DNS:opensearch-node1' > node1.ext

in this example, so the certificate also passes hostname verification if you turn it back on.

Creating OpenSearch Dashboards users

You can use the UI: create a new user and assign roles to it under Management > Security > Internal users. These users live in the security index, so if you are using Docker and delete the data volume they are gone.

Another way is to add the users directly in the config file /usr/share/opensearch/config/opensearch-security/internal_users.yml. Generate the bcrypt hash with plugins/opensearch-security/tools/hash.sh -p <password>; never put a clear-text password in this file:

user1:
  # bcrypt hash from hash.sh, never the clear-text password
  hash: "$2y$12$g3/Gb1guZeeY3cDoJVNgvuVhQLx7OQyYkM3BdweWEQGOxYWYU55/C"
  # reserved: true blocks edits and deletion via the REST API and the Dashboards UI; use false for ordinary users
  reserved: true
  # backend roles are mapped to security roles in roles_mapping.yml
  backend_roles:
  - "reports_read_access"
  description: "testing user"

If OpenSearch is already running when you add the above to the config file, you need to run securityadmin.sh to load it (the script is planned for deprecation, see https://github.com/opensearch-project/security/issues/1755). -icl ignores the cluster name and -nhnv skips hostname verification of the node certificate, which is needed with the shared node cert from above:

cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem

Take care when running this: securityadmin.sh replaces the contents of the security index with the files in the given directory, so any users, roles or mappings created through the web UI or the REST API that are not in those files are lost (https://opensearch.org/docs/latest/security/configuration/security-admin/#a-word-of-caution). Make a backup of the live configuration first with

cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -backup my-backup -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem

then add the user to internal_users.yml. Editing the copy in my-backup and applying that directory with -cd my-backup keeps the UI-created users; to touch only one configuration type, pass a single file with -f internal_users.yml -t internalusers instead of -cd so the other files are left alone.
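As an added example (not part of the wiki page or of the securityadmin.sh tooling), the following script wraps the backup, edit, apply sequence described above so the live security index is never overwritten with stale files. The paths assume the Docker image layout used on this page; the user name, hash and backend role are placeholders, and the hash is expected to come from hash.sh.

```shell
#!/bin/sh
# Added example: backup -> edit the backup copy -> apply the backup copy,
# so users created in the Dashboards UI survive a securityadmin.sh run.
set -eu

OS_HOME=/usr/share/opensearch
TOOLS="$OS_HOME/plugins/opensearch-security/tools"
CONF="$OS_HOME/config"
# -icl ignores the cluster name, -nhnv skips hostname verification of the node cert
SA_OPTS="-icl -nhnv -cacert $CONF/root-ca.crt -cert $CONF/admin.pem -key $CONF/admin-key.pem"

# Dump the live security configuration (including UI/REST changes) into a directory
sa_backup() {
  "$TOOLS/securityadmin.sh" -backup "$1" $SA_OPTS
}

# Append an internal user to an internal_users.yml unless that name already exists.
# hash must be a bcrypt hash from $TOOLS/hash.sh -p <password>, never clear text.
# Returns 1 and leaves the file untouched when the user is already present.
add_internal_user() {
  file="$1"; name="$2"; hash="$3"; role="$4"
  if grep -q "^$name:" "$file"; then
    echo "user $name already defined in $file" >&2
    return 1
  fi
  cat >> "$file" <<EOF

$name:
  hash: "$hash"
  reserved: false
  backend_roles:
  - "$role"
  description: "added by add_internal_user"
EOF
}

# Apply one directory of YAML files to the cluster (replaces the security index contents)
sa_apply() {
  "$TOOLS/securityadmin.sh" -cd "$1" $SA_OPTS
}

# Usage inside the container: ./add-user.sh run <name> <bcrypt-hash> [backend-role]
if [ "${1:-}" = "run" ]; then
  sa_backup /tmp/sec-backup
  add_internal_user /tmp/sec-backup/internal_users.yml "$2" "$3" "${4:-reports_read_access}"
  sa_apply /tmp/sec-backup
fi
```

The backup directory is applied, not the shipped config directory, so nothing that only exists in the cluster is dropped; the duplicate check prevents a second definition of the same user from silently shadowing the first one in the YAML.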

Troubleshooting

...
opensearch-node1       | [2024-07-29T12:23:32,528][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Wait for cluster to be available ...
opensearch-node1       | [2024-07-29T12:23:33,533][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-node1] Wait for cluster to be available ...
...

If the node keeps logging "Wait for cluster to be available" like this, the security plugin cannot reach the rest of the cluster. When running in Docker, make sure opensearch.yml contains

network.host: 0.0.0.0

otherwise the node binds only to loopback inside its container and the other nodes cannot reach it.

Can't log in to Dashboards?

If you are not serving Dashboards over https, this option needs to be set, otherwise the browser refuses to send the Secure-flagged session cookie back over plain http and you land on the login page again:

opensearch_security.cookie.secure: false

Bear in mind that the session cookie then travels in clear text, as does the password at login.

opensearch_dashboards.yml no-SSL example

server.host: '0.0.0.0'
# Dashboards itself served over plain http
server.ssl.enabled: false
opensearch.hosts: ["https://localhost:9200"]
# kibanaserver is the demo service account; change its password in internal_users.yml and here
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
# none = the node certificate is not checked at all; use "full" with opensearch.ssl.certificateAuthorities once root-ca.crt is available
opensearch.ssl.verificationMode: none
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# required without https, see above
opensearch_security.cookie.secure: false
opensearch_security.auth.type: ["basicauth"]

# cosmetics
opensearchDashboards.branding:
  useExpandedHeader: false
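For comparison, an added TLS-enabled counterpart of the same file (this is not from the page; the certificate paths, the host name opensearch-node1 and the password placeholder are assumptions). The three settings that change the security posture are server.ssl.enabled, opensearch.ssl.verificationMode and opensearch_security.cookie.secure:

```yaml
server.host: '0.0.0.0'
# Serve Dashboards over https with a certificate issued for the name users browse to
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/dashboards.crt
server.ssl.key: /usr/share/opensearch-dashboards/config/dashboards.key

# Address the node by the name in its SAN so hostname verification can succeed
opensearch.hosts: ["https://opensearch-node1:9200"]
opensearch.username: "kibanaserver"
# Placeholder: set the same value you hashed into internal_users.yml for kibanaserver
opensearch.password: "CHANGE_ME_kibanaserver_password"
# Validate the node certificate against our own CA instead of trusting anything
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.crt"]
opensearch.requestHeadersAllowlist: [ authorization, securitytenant ]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Session cookie only over https now that server.ssl is on
opensearch_security.cookie.secure: true
opensearch_security.auth.type: ["basicauth"]
```

With verificationMode full, opensearch.hosts has to use a name that appears in the node certificate's SAN (here opensearch-node1, matching the node1.ext from the certificate section); https://localhost:9200 would fail hostname verification against that certificate.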

Tested on

  • Opensearch 2.15

wiki/opensearch_installation.1725372075.txt.gz · Last modified: 2024/09/03 14:01 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal