OpenSearch Security for Aiven for OpenSearch®
OpenSearch Security is a powerful feature that enhances the security of your OpenSearch service. By enabling OpenSearch Security management, you can implement fine-grained access controls, SAML authentication, and audit logging to track and analyze activities within your OpenSearch environment.
With OpenSearch Security enabled, you can manage user access and permissions directly from the OpenSearch Dashboard, giving you full control over your service's security.
- Once you have enabled OpenSearch Security management, you can no longer use Aiven Console, Aiven API, Aiven CLI, Aiven Terraform provider or Aiven Operator for Kubernetes® to manage access controls.
- You must use the OpenSearch Security Dashboard or OpenSearch Security API for managing user authentication and access control after enabling OpenSearch Security management.
- Once enabled, OpenSearch Security management cannot be disabled. If you need assistance disabling OpenSearch Security management, contact Aiven support.
To implement basic and simplified access control, you can use Aiven's Access Control Lists (ACL) to manage user roles and permissions.
OpenSearch Security use cases
OpenSearch Security is a versatile and valuable feature that can meet the needs of a wide range of customers. Some common use cases for this feature include:
-
Single Sign-On integration:
If you use an identity management software like Okta or Azure AD, you can use SAML integration to access your OpenSearch Dashboard through your identity provider. With this feature, you won't need to create and manage separate login credentials for OpenSearch, simplifying the authentication process.
-
Advanced access control:
If you need different levels of access controls for your employees, OpenSearch Security's Role-Based Access Control (RBAC) can help. With RBAC, you can set up different roles with different access levels and map them to different users. Role mapping is also available with SAML integration, making this feature ideal for enterprises.
-
Compliance and audit logging:
If OpenSearch is a critical database in your system, you may need to document a historical record of activity for compliance purposes and other business policy enforcement. OpenSearch Security includes an audit logs feature to help you meet these needs.
-
Multi-tenancy:
If you're a reseller or have many smaller departments, you may need different tenants on your OpenSearch Dashboard. OpenSearch Security provides multi-tenancy capabilities, ensuring that each tenant's data is kept separate and secure.
Key OpenSearch Security features
OpenSearch Security in Aiven for OpenSearch service offers a range of features to manage the security and access control of your OpenSearch service. These include:
-
Role-based access controls: With OpenSearch Security, you can set up role-based access controls and advanced level security, such as document-level security, field-level security, user and role mapping, and field masking to control access to sensitive data.
noteUser impersonation and cross-cluster search are not supported for the beta release.
-
SAML integration: Aiven for OpenSearch provides basic SAML integration. This allows you to access your OpenSearch Dashboard through the identity provider of your choice.
noteAiven for OpenSearch provides basic SAML integration for the beta release, and certain features, such as logout support and request signing, is not be included.
-
OpenID Connect integration: Aiven for OpenSearch enables you to securely authenticate and authorize users through OpenID Connect, enhancing authentication options.
-
OpenSearch Dashboard multi-tenancy: OpenSearch Security provides OpenSearch Dashboard multi-tenancy, which allows you to have different tenants on your OpenSearch Dashboard.
-
OpenSearch audit-logs: Aiven for OpenSearch Security includes OpenSearch Audit-logs, which allow you to document a historical record of activity for compliance purposes and other business policy enforcement.
OpenSearch Security management changes and impacts
Enabling OpenSearch Security management on your Aiven for OpenSearch service through the Aiven console triggers several changes:
- Users and role-based access control will be managed through the OpenSearch Security dashboard or OpenSearch Security API.
- The
os-sec-admin
user will initially be mapped to the pre-defined roleservice_security_admin_access
, which provides unrestricted access to the service, including the OpenSearch Security API and OpenSearch Security dashboard. - As an
os-sec-admin
user, you can add or remove users from pre-defined roles, and create new roles and assignments, but some pre-defined roles cannot be changed or deleted. - All service users defined before enabling OS Security management are
included in OpenSearch's internal users, with the attribute
provider_managed: False
. However, the usersavnadmin
andos-sec-admin
, are still managed by the service platform and have the attributeprovider_managed:true
. While service platform management of these users is limited to password changes, they can still be assigned to different roles as needed in the OpenSearch Security dashboard.
For information on how to enable OpenSearch Security management on Aiven Console, see Enable OpenSearch® Security management for Aiven for OpenSearch®.