Security
Security in OpenSearch is managed by the OpenSearch security plugin.
The security plugin is configured in spec.clusterConfig.security and is enabled by default:

    ---
    apiVersion: opensearch.stackable.tech/v1alpha1
    kind: OpenSearchCluster
    metadata:
      name: opensearch
    spec:
      clusterConfig:
        security:
          enabled: true
Settings
The configuration of the security plugin is stored in the security index. When a new cluster is created, the security index is initialized from the following configuration files:

- action_groups.yml: user-defined action groups
- allowlist.yml: list of allowed HTTP endpoints
- audit.yml: settings for audit logging
- config.yml: configuration of the security backend
- internal_users.yml: the internal users database
- nodes_dn.yml: distinguished names (DNs) of nodes to allow communication between nodes and clusters
- roles.yml: definition of roles in the security plugin
- roles_mapping.yml: role mappings to users or backend roles
- tenants.yml: OpenSearch Dashboards tenants
These configuration files can be specified in spec.clusterConfig.security.settings:

    ---
    apiVersion: opensearch.stackable.tech/v1alpha1
    kind: OpenSearchCluster
    metadata:
      name: opensearch
    spec:
      clusterConfig:
        security:
          settings:
            actionGroups: ...
            allowList: ...
            audit: ...
            config: ...
            internalUsers: ...
            nodesDn: ...
            roles: ...
            rolesMapping: ...
            tenants: ...

Any setting that is left undefined is deployed with a default configuration that grants no permissions. It is therefore fine to define only some settings and leave the others unspecified; just be aware that, for example, a role mapping to a role you never defined does not grant anything.
A setting can be defined inline, via a Secret, or via a ConfigMap:
    spec:
      clusterConfig:
        security:
          settings:
            config:
              managedBy: API
              content:
                value: # defined inline
                  _meta:
                    type: config
                    config_version: 2
                  ...
            internalUsers:
              managedBy: API
              content:
                valueFrom:
                  secretKeyRef: # defined via Secret
                    name: opensearch-security-config-secret
                    key: internal_users.yml
            rolesMapping:
              managedBy: API
              content:
                valueFrom:
                  configMapKeyRef: # defined via ConfigMap
                    name: opensearch-security-config-configmap
                    key: roles_mapping.yml
By default, the security settings are only used to initialize the security index:

    spec:
      clusterConfig:
        security:
          settings:
            config:
              managedBy: API
              ...

Later changes to such a setting in the specification are ignored, because after initialization the index is usually managed via the security configuration API, and the operator must not override changes made there.
However, if you prefer to manage some settings in the OpenSearchCluster specification, set managedBy to operator for those settings:

    spec:
      clusterConfig:
        security:
          settings:
            config:
              managedBy: operator
              ...
While it is possible to change
All settings managed by the operator are applied by the role group defined in spec.clusterConfig.security.managingRoleGroup, which defaults to security-config:

    spec:
      clusterConfig:
        security:
          managingRoleGroup: security-config

If this role group is not defined, the operator creates it.
TLS
TLS is also provided by the OpenSearch security plugin, so TLS is only available while the security plugin is enabled.
Both the internal (transport) communication and the client communication at the REST API can be encrypted with TLS.
This requires the Secret Operator to be running in the Kubernetes cluster to provide the certificates.
The certificates are configured cluster-wide using SecretClasses.
TLS on the REST API may be disabled, whereas it is always enabled for the internal communication between nodes over the transport port.
    ---
    apiVersion: opensearch.stackable.tech/v1alpha1
    kind: OpenSearchCluster
    metadata:
      name: opensearch
    spec:
      image:
        productVersion: 3.4.0
      clusterConfig:
        tls:
          serverSecretClass: tls # (1)
          internalSecretClass: opensearch-internal-tls # (2)
      nodes:
        config:
          requestedSecretLifetime: 7d # (3)
        roleGroups:
          default:
            replicas: 3

(1) spec.clusterConfig.tls.serverSecretClass refers to the client-to-server encryption at the REST API. Defaults to the tls SecretClass and can be disabled by setting serverSecretClass to null.
(2) spec.clusterConfig.tls.internalSecretClass refers to the internal encryption between OpenSearch nodes using mTLS (transport). Defaults to the tls SecretClass and cannot be disabled.
(3) The lifetime of autoTls certificates generated by the Secret Operator. Only a lifetime up to the maxCertificateLifetime setting of the SecretClass is applied; longer requests are capped at that value.
The operator sets the configuration
Disabling security
The OpenSearch security plugin can be disabled as follows:

    ---
    apiVersion: opensearch.stackable.tech/v1alpha1
    kind: OpenSearchCluster
    metadata:
      name: opensearch
    spec:
      clusterConfig:
        security:
          enabled: false

Once disabled, all other security and TLS settings are disregarded: no authentication or authorization is enforced and the REST API and transport port are served without TLS.
If the security plugin was previously enabled, the security index, which holds the internal users database, roles and role mappings, becomes readable and writable like any other index.
OpenSearch Dashboards requires the security plugin to be enabled.
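The rules above (the _meta header of each security setting, the no-permissions default for undefined settings, bcrypt hashes in the internal users database, the null serverSecretClass, and the fact that everything is disregarded once security is disabled) can be checked before a manifest is applied. The following is an added example written for this page, not code from the Stackable operator or the OpenSearch project: an offline lint over the spec.clusterConfig part of an OpenSearchCluster, operating on the Python structures the YAML parses into. The sample spec, the STATIC_ROLES set (only all_access is listed) and the finding texts are assumptions made for this example; settings that come from a Secret or ConfigMap are skipped because they cannot be inspected offline.

```python
"""Offline lint for spec.clusterConfig of an OpenSearchCluster.

Added example for this documentation page; not part of the Stackable
operator. SAMPLE_SPEC is constructed, shown as the structures the YAML
would parse into. STATIC_ROLES and the finding texts are assumptions.
"""
import re

# Expected `_meta.type` for each setting, i.e. the OpenSearch config file
# it initializes (internalUsers -> internal_users.yml, and so on).
META_TYPES = {
    "actionGroups": "actiongroups", "allowList": "allowlist", "audit": "audit",
    "config": "config", "internalUsers": "internalusers", "nodesDn": "nodesdn",
    "roles": "roles", "rolesMapping": "rolesmapping", "tenants": "tenants",
}
# Roles the plugin defines statically, so mapping to them works even when the
# roles setting is undefined (assumption: only all_access is listed here).
STATIC_ROLES = {"all_access"}
# internal_users.yml stores bcrypt hashes: $2a$/$2b$/$2y$, cost, 53 chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$")


def inline_value(settings, name):
    """Inline body of a setting, or None if it is undefined or is read from
    a Secret/ConfigMap (which cannot be inspected offline)."""
    return settings.get(name, {}).get("content", {}).get("value")


def check_settings(settings, static_roles=STATIC_ROLES):
    """Return findings for spec.clusterConfig.security.settings."""
    findings = []
    for name, setting in settings.items():
        if name not in META_TYPES:
            findings.append(f"{name}: unknown setting")
            continue
        # The page's default for managedBy is API (initialize the index only).
        if setting.get("managedBy", "API") not in ("API", "operator"):
            findings.append(f"{name}: managedBy must be API or operator")
        body = setting.get("content", {}).get("value")
        if body is None:
            continue  # referenced Secret/ConfigMap: nothing to inspect here
        meta = body.get("_meta", {})
        if meta.get("type") != META_TYPES[name] or meta.get("config_version") != 2:
            findings.append(
                f"{name}: _meta must be type={META_TYPES[name]}, config_version=2")

    users = inline_value(settings, "internalUsers")
    user_names = set(users or {}) - {"_meta"}
    for user in sorted(user_names):
        if not BCRYPT_RE.match(str(users[user].get("hash", ""))):
            findings.append(f"internalUsers/{user}: hash is not a bcrypt hash")

    # An undefined roles setting is deployed with no permissions, so only
    # static roles are mappable. Roles from a Secret/ConfigMap are unknown.
    roles = inline_value(settings, "roles")
    if "roles" in settings and roles is None:
        known_roles = None
    else:
        known_roles = (set(roles or {}) - {"_meta"}) | set(static_roles)
    mapping = inline_value(settings, "rolesMapping") or {}
    for role, entry in mapping.items():
        if role == "_meta":
            continue
        if known_roles is not None and role not in known_roles:
            findings.append(
                f"rolesMapping/{role}: role is not defined (default roles grant no permissions)")
        for user in entry.get("users", []):
            if users is not None and user not in user_names:
                findings.append(f"rolesMapping/{role}: user {user!r} is not in internalUsers")
    return findings


def check_cluster(spec):
    """Return findings for spec.clusterConfig (security and tls)."""
    cc = spec.get("clusterConfig", {})
    security = cc.get("security", {})
    if security.get("enabled", True) is False:
        # With the plugin off, every other security/TLS setting is ignored and
        # the security index is served unauthenticated like any other index.
        if security.get("settings") or "tls" in cc:
            return ["security.enabled=false: security settings and tls are disregarded"]
        return []
    findings = []
    tls = cc.get("tls", {})
    if "serverSecretClass" in tls and tls["serverSecretClass"] is None:
        findings.append("tls.serverSecretClass=null: REST API traffic is not encrypted")
    return findings + check_settings(security.get("settings", {}))


SAMPLE_SPEC = {  # constructed; the admin hash is a dummy of bcrypt shape only
    "clusterConfig": {
        "tls": {"serverSecretClass": None, "internalSecretClass": "tls"},
        "security": {"enabled": True, "settings": {
            "internalUsers": {"managedBy": "API", "content": {"value": {
                "_meta": {"type": "internalusers", "config_version": 2},
                "admin": {"hash": "$2y$12$" + "a" * 53, "reserved": True},
                "svc": {"hash": "s3cret-in-plaintext"},
            }}},
            "rolesMapping": {"managedBy": "operator", "content": {"value": {
                "_meta": {"type": "rolesmapping", "config_version": 2},
                "all_access": {"users": ["admin"]},
                "log_reader": {"users": ["svc", "ghost"]},
            }}},
        }},
    },
}

if __name__ == "__main__":
    for finding in check_cluster(SAMPLE_SPEC):
        print(finding)
```

On SAMPLE_SPEC the lint reports the unencrypted REST API, the plaintext password for svc, the mapping to the never-defined log_reader role, and the mapping of the unknown user ghost. To lint a real manifest, load it with yaml.safe_load (PyYAML, not used above to keep the example dependency-free) and pass the spec mapping to check_cluster.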