OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. When combined with OpenSearch Security-Advanced Modules, it supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens, SAML, OpenID and more. It includes fine grained role-based access control to indices, documents and fields. It also provides multi-tenancy support in OpenSearch Dashboards.
- Features
- Installation
- Test and Build
- Config hot reloading
- Contributing
- Getting Help
- Code of Conduct
- Security
- License
- Copyright
- Full data in transit encryption
- Node-to-node encryption
- Certificate revocation lists
- Hot Certificate renewal
- Internal user database
- HTTP basic authentication
- PKI authentication
- Proxy authentication
- User Impersonation
- Active Directory / LDAP
- Kerberos / SPNEGO
- JSON web token (JWT)
- OpenID Connect (OIDC)
- SAML
- Role-based cluster level access control
- Role-based index level access control
- User-, role- and permission management
- Document-level security
- Field-level security
- REST management API
- Audit logging
- Compliance logging for GDPR, HIPAA, PCI, SOX and ISO compliance
- True OpenSearch Dashboards multi-tenancy
OpenSearch Security Plugin comes bundled by default as part of the OpenSearch distribution. Please refer to the installation guide and technical documentation for detailed information on installing and configuring the OpenSearch Security Plugin.
You can also see the developer guide which walks through the installation of the plugin for an OpenSearch server that doesn't initially have it.
Run all tests:
./gradlew clean test
Build artifacts (zip, deb, rpm):
./gradlew clean assemble
artifact_zip=`ls $(pwd)/build/distributions/opensearch-security-*.zip | grep -v admin-standalone`
./gradlew buildDeb buildRpm -ParchivePath=$artifact_zip
This produces:
build/releases/opensearch-security-<VERSION>.zip
build/distributions/opensearch-security-<VERSION>.deb
build/distributions/opensearch-security-<VERSION>.rpm
The Security Plugin configuration is stored in a dedicated index in OpenSearch itself. Changes to the configuration are pushed to this index via the command line tool. This triggers a reload of the configuration on all nodes automatically. This has several advantages over configuration via opensearch.yml
:
- Configuration is stored in a central place
- No configuration files on the nodes necessary
- Configuration changes do not require a restart
- Configuration changes take effect immediately
See developer guide and how to contribute to this project.
If you find a bug, or have a feature request, please don't hesitate to open an issue in this repository.
For more information, see project website and documentation. If you need help and are unsure where to open an issue, try forums.
This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ, or contact opensource-codeofconduct@amazon.com with any additional questions or comments.
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page. Please do not create a public GitHub issue.
This code is licensed under the Apache 2.0 License.
Copyright OpenSearch Contributors. See NOTICE for details.