Aiven Blog

Sep 6, 2023

Aiven for OpenSearch® introduces advanced security features

Aiven for OpenSearch® now includes OpenSearch Security, with SSO authentication, role-based access control, audit logging, and multi-tenant Dashboards


Hoang Minh Vo

|RSS Feed

Technical Product Manager

Authentication, Authorization, and Auditing (AAA) are the foundation of any robust security framework, responsible for controlling user access, enforcing policies, and monitoring resource usage. At Aiven, we understand the critical role these features play in safeguarding our customers’ environments. We are thrilled to announce the rollout of OpenSearch Security in Aiven for OpenSearch®, including single sign-on authentication, role-based access control, and audit logging.

It’s important to note up front that existing Aiven for OpenSearch® customers do not need to make any changes to their configuration in response to this release. OpenSearch Security is an opt-in feature.

Use cases for OpenSearch Security

OpenSearch Security will be of particular interest to organizations with centralized identity management or regulatory responsibilities. By enabling OpenSearch Security, customers can integrate their existing access controls with Aiven for OpenSearch. This not only helps centralize access, but role mapping ensures that permissions defined in providers like Okta or AWS can be associated with Aiven roles to ensure stakeholders across departments are automatically granted access only to the data they need, complete with multi-tenant dashboards for each teams’ unique requirements.

Audit logs provide feedback on whether those controls have been implemented properly. Events like a failed login or a user attempting to access content for which they aren’t authorized are captured and stored. Customers can further customize these logs to filter out edge cases or enable expanded logging for regulatory compliance. The results can then be visualized to make trends and outliers evident at a glance.

In the following sections, we’ll provide more detail about individual features, and provide links to helpful resources

OpenSearch single sign-on (SSO) authentication

In the past, Aiven for OpenSearch users relied on locally stored credentials (username/ password) for authentication against OpenSearch servers. Today, we introduce a new capability for centralized user authentication through Single Sign-On (SSO) using SAML / OIDC protocols. This integration allows you to use a centralized Identity and Access Management (IAM) solution for authentication, simplifying user management and access control.

With SSO, users authenticate directly with the IAM provider. They are then mapped to OpenSearch roles, enabling seamless access management for OpenSearch resources and data. Supported IAM providers include Okta, Auth0, and OneLogin.

Fine-grained role-based access control (RBAC) in OpenSearch

Aiven for OpenSearch access control enhancements takes security to the next level by offering fine-grained Role-Based Access Control (RBAC) to any Aiven for OpenSearch resources. This granular level of control empowers you to enforce your security policies effectively across teams with different access requirements. Additionally, SAML and OIDC users can use role mapping to tie Aiven for OpenSearch RBAC to existing access control definitions.

Key capabilities of fine-grained access control include:

  • Role-based cluster level access control
  • Role-based index level access control
  • Comprehensive user, role, and permission management
  • Document-level security
  • Field-level security
  • REST management API security

Audit logs for enhanced security and compliance

Maintaining a secure environment requires complete visibility into user activities. We've got you covered with our comprehensive audit logging. Audit logs allow you to monitor all user actions within Aiven for OpenSearch, providing valuable insights for compliance purposes and facilitating post-security breach investigations. In addition, these logs simplify debugging and troubleshooting potential issues in OpenSearch.

Audit logs are entirely customizable, enabling you to track various user activities, such as:

  • Authentication successes and failures
  • Requests to OpenSearch
  • Index changes
  • Incoming search queries

Audit logs are securely stored in an OpenSearch index within the same Aiven for OpenSearch cluster.

Flexible multi-tenant OpenSearch Dashboards

We recognize that different teams have unique requirements for data visualization, and that's why we are introducing multi-tenant OpenSearch Dashboards. Now you can set up distinct dashboards and visualizations for each team, ensuring a seamless and personalized experience.

Tenants in OpenSearch Dashboards act as dedicated spaces for saving index patterns, visualizations, and dashboards. You have full control over user and role privileges for each tenant, allowing you to tailor access permissions as needed.

For example, you can create dashboards for your own exploratory work, detailed analytics within your team, and a summary dashboard for corporate leadership. You can also provide individual dashboards to each of your customers and safely manage access using OpenSearch roles.

How to get started

To enable OpenSearch Security in Aiven for OpenSearch, navigate to your OpenSearch service in the Aiven Console and click on the Users tab. Select the Enable OpenSearch Security option. You will also need to create an OpenSearch Security Admin user for managing security. Note that once enabled, you cannot disable this feature yourself. Please contact our support team for assistance if you need to disable it.

The users configuration screen now includes an "Enable OpenSearch Security" dialog window.

To set up SSO integration, you can use Aiven’s Console, CLI, or API. RBAC, audit logging, and OpenSearch Dashboards multi-tenancy are configured in OpenSearch Dashboards. For more information on how to do this, please refer to our OpenSearch security documentation.

Compatibility Information

When OpenSearch Security is enabled, OpenSearch users, roles, and access control lists are managed by OpenSearch itself, not by the Aiven Platform. Therefore, you cannot use Aiven’s Console, CLI, API, or Aiven’s Terraform provider to manage these resources. Instead, changes are made via the OpenSearch Security Dashboard or OpenSearch Security API. For more detail, see our documentation on key considerations and system adaptation for OpenSearch® Security management.

If you are a Terraform user, there are third-party providers available that support the OpenSearch Security API. We’ll be publishing specific guidance on how to use those providers in concert with the Aiven provider in a forthcoming blog, so stay tuned for more updates soon.

Pricing and Availability

Aiven for OpenSearch is available on all major hyperscalers - AWS, Google Cloud and Microsoft Azure - in over 100 regions globally.

Aiven for OpenSearch plans range from single-instance configurations in the Hobbyist and Startup tiers to multi-instance clusters in the Business and Premium tiers. Full details can be found on the pricing page.

Aiven for OpenSearch is priced per hour, with prices starting at $0.026/hour ($19/month). OpenSearch Security can be enabled at no additional cost.

Subscribe to the Aiven newsletter

All things open source, plus our product updates and news in a monthly newsletter.

Related resources