Tutorial: Configure a domain with the internal user database and HTTP basic authentication
This tutorial covers another popular fine-grained access control use case: a master user in the internal user database and HTTP basic authentication for OpenSearch Dashboards. The master user can then sign in to OpenSearch Dashboards, create an internal user, map the user to a role, and use fine-grained access control to limit the user's permissions.
You'll complete the following steps in this tutorial:
Step 1: Create a domain
Navigate to the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home/ and create a domain with the following settings:
- OpenSearch 1.0 or later, or Elasticsearch 7.9 or later
- Public access
- Fine-grained access control with a master user in the internal user database (TheMasterUser for the rest of this tutorial)
- Amazon Cognito authentication for Dashboards disabled
- The following access policy, with {account-id}, {region}, and {domain-name} replaced by your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{account-id}:root"
      },
      "Action": [
        "es:ESHttp*"
      ],
      "Resource": "arn:aws:es:{region}:{account-id}:domain/{domain-name}/*"
    }
  ]
}
```

- HTTPS required for all traffic to the domain (HTTP basic authentication sends the user name and password as a base64-encoded header, so TLS is the only thing protecting those credentials in transit)
- Node-to-node encryption
- Encryption of data at rest
Step 2: Create an internal user in OpenSearch Dashboards
Now that you have a domain, you can sign in to OpenSearch Dashboards and create an internal user.
- Go back to the OpenSearch Service console and navigate to the OpenSearch Dashboards URL for the domain you created. The URL follows this format: domain-endpoint/_dashboards/
- Sign in as TheMasterUser.
- Choose Add sample data and add the sample flight data.
- In the left navigation pane, choose Security, Internal users, Create internal user.
- Name the user new-user and specify a password. Then choose Create.
Step 3: Map roles in OpenSearch Dashboards
Now that your user is configured, you can map your user to a role.
- Stay in the Security section of OpenSearch Dashboards and choose Roles, Create role.
- Name the role new-role.
- For Index, specify opensearch_dashboards_sample_data_fli* (kibana_sample_data_fli* on Elasticsearch domains) for the index pattern.
- For the action group, choose read.
- For Document level security, specify the following query, which restricts the user to documents whose FlightDelay field is true:

```json
{ "match": { "FlightDelay": true } }
```

- For field-level security, choose Exclude and specify FlightNum.
- For Anonymization, specify Dest.
- Choose Create.
- Choose Mapped users, Manage mapping. Then add new-user to Users and choose Map.
- Return to the list of roles and choose opensearch_dashboards_user. Choose Mapped users, Manage mapping. Then add new-user to Users and choose Map. This second mapping grants only the permissions the security plugin needs to let a user open Dashboards; new-role by itself covers nothing beyond read access to the flight index.
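The same user, role and mappings can be created through the security plugin's REST API instead of the Dashboards UI, which is what you want when the setup has to be repeatable. The script below is an added example, not part of the tutorial or of AWS's own tooling. It assumes the domain endpoint and credentials come from environment variables whose names (OS_ENDPOINT, OS_MASTER_USER, OS_MASTER_PASSWORD, OS_NEW_USER_PASSWORD) are this script's own choice, and that the API lives under /_plugins/_security/api/ as it does on OpenSearch domains (Elasticsearch domains expose it under /_opendistro/_security/api/). The role body mirrors Step 3: read on the flight index pattern, the FlightDelay document-level filter, FlightNum excluded (the leading ~ in fls means exclude), and Dest masked.

```python
"""Provision new-user and new-role via the OpenSearch Security REST API.

Added example, not from the tutorial. Environment variable names are this
script's own assumption; nothing here is AWS-provided code.
"""
import base64
import json
import os
import urllib.error
import urllib.request

INDEX_PATTERN = "opensearch_dashboards_sample_data_fli*"
NEW_USER = "new-user"
NEW_ROLE = "new-role"
DASHBOARDS_ROLE = "opensearch_dashboards_user"
SECURITY_API = "/_plugins/_security/api"  # assumption: OpenSearch (not Elasticsearch) domain


def basic_auth_header(user, password):
    """Authorization header value for HTTP basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def internal_user_body(password):
    """PUT body for internalusers/<name>: password plus empty backend roles."""
    return {"password": password, "backend_roles": [], "attributes": {}}


def role_body():
    """PUT body for roles/new-role, equivalent to the Step 3 UI settings."""
    return {
        "cluster_permissions": [],
        "index_permissions": [
            {
                "index_patterns": [INDEX_PATTERN],
                "dls": json.dumps({"match": {"FlightDelay": True}}),  # DLS is a JSON string
                "fls": ["~FlightNum"],  # '~' prefix = exclude this field
                "masked_fields": ["Dest"],  # "Anonymization" in the UI
                "allowed_actions": ["read"],
            }
        ],
        "tenant_permissions": [],
    }


def merged_mapping(existing, user):
    """PUT body for rolesmapping/<role>. PUT replaces the whole mapping, so the
    new user is merged into whatever users, backend roles and hosts already
    exist rather than overwriting them."""
    existing = existing or {}
    users = list(existing.get("users", []))
    if user not in users:
        users.append(user)
    return {
        "backend_roles": list(existing.get("backend_roles", [])),
        "hosts": list(existing.get("hosts", [])),
        "users": users,
    }


def call(endpoint, auth, method, path, body=None):
    """Send one JSON request to the domain; returns (HTTP status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{endpoint}{path}", data=data, method=method)
    req.add_header("Authorization", auth)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def provision(endpoint, master_user, master_password, new_user_password):
    """Steps 2 and 3 of the tutorial, executed as TheMasterUser."""
    auth = basic_auth_header(master_user, master_password)
    print(call(endpoint, auth, "PUT", f"{SECURITY_API}/internalusers/{NEW_USER}",
               internal_user_body(new_user_password)))
    print(call(endpoint, auth, "PUT", f"{SECURITY_API}/roles/{NEW_ROLE}", role_body()))
    for role in (NEW_ROLE, DASHBOARDS_ROLE):
        status, current = call(endpoint, auth, "GET", f"{SECURITY_API}/rolesmapping/{role}")
        existing = current.get(role) if status == 200 else None  # 404 = no mapping yet
        print(call(endpoint, auth, "PUT", f"{SECURITY_API}/rolesmapping/{role}",
                   merged_mapping(existing, NEW_USER)))


if __name__ == "__main__":
    provision(os.environ["OS_ENDPOINT"], os.environ["OS_MASTER_USER"],
              os.environ["OS_MASTER_PASSWORD"], os.environ["OS_NEW_USER_PASSWORD"])
```

The GET-then-PUT on each role mapping matters: the mapping for opensearch_dashboards_user may already list other users, and a bare PUT with only new-user would silently unmap them.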
Step 4: Test the permissions
When your roles are mapped correctly, you can sign in as the limited user and test the permissions.
- In a new, private browser window, navigate to the OpenSearch Dashboards URL for the domain, sign in using the new-user credentials, and choose Explore on my own. The private window ensures the TheMasterUser session cookie from your first window isn't reused.
- Go to Dev Tools and run the default search:

```
GET _search
{
  "query": {
    "match_all": {}
  }
}
```

Note the permissions error: new-user doesn't have permissions to run cluster-wide searches, because new-role only covers the flight index pattern.
- Run another search, this time against the flight index that the role does cover (kibana_sample_data_flights on Elasticsearch domains):

```
GET opensearch_dashboards_sample_data_flights/_search
{
  "query": {
    "match_all": {}
  }
}
```

Note that all matching documents have a FlightDelay field of true, an anonymized Dest field, and no FlightNum field.
- In your original browser window, signed in as TheMasterUser, choose Dev Tools and perform the same searches. Note the difference in permissions, number of hits, matching documents, and included fields.
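The comparison in the last step can be automated so that a role change never silently loosens the restrictions. The script below is an added example, not part of the tutorial: it runs the cluster-wide search as new-user (expecting a 403), then fetches the flight documents as new-user and the same _ids as TheMasterUser, and flags every document where the document-level filter, the FlightNum exclusion or the Dest masking did not hold. Endpoint and credentials come from environment variables whose names are this script's own assumption, and the flight index name assumes an OpenSearch domain.

```python
"""Verify Step 4 from a script: DLS, FLS and masking as seen by new-user.

Added example, not from the tutorial. Environment variable names are this
script's own assumption; nothing here is AWS-provided code.
"""
import base64
import json
import os
import urllib.error
import urllib.request

FLIGHT_INDEX = "opensearch_dashboards_sample_data_flights"  # assumption: OpenSearch domain


def search(endpoint, user, password, path, query, size=50):
    """POST a search with HTTP basic auth; returns (HTTP status, parsed body)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps({"size": size, "query": query}).encode()
    req = urllib.request.Request(f"https://{endpoint}{path}", data=data, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def audit(limited_hits, master_hits):
    """Compare what new-user sees with what TheMasterUser sees for the same _id.

    Returns a list of violation strings; an empty list means every document
    new-user received has FlightDelay true, lacks FlightNum, and carries a
    Dest value that differs from the unmasked one the master user sees."""
    full = {h["_id"]: h.get("_source", {}) for h in master_hits}
    problems = []
    for hit in limited_hits:
        doc_id, src = hit["_id"], hit.get("_source", {})
        if src.get("FlightDelay") is not True:
            problems.append(f"{doc_id}: DLS leaked FlightDelay={src.get('FlightDelay')!r}")
        if "FlightNum" in src:
            problems.append(f"{doc_id}: FLS did not exclude FlightNum")
        if doc_id in full and src.get("Dest") == full[doc_id].get("Dest"):
            problems.append(f"{doc_id}: Dest not masked ({full[doc_id].get('Dest')!r})")
    return problems


def main():
    endpoint = os.environ["OS_ENDPOINT"]
    limited = ("new-user", os.environ["OS_NEW_USER_PASSWORD"])
    master = (os.environ["OS_MASTER_USER"], os.environ["OS_MASTER_PASSWORD"])
    match_all = {"match_all": {}}

    # 1. Cluster-wide search must be refused for new-user.
    status, body = search(endpoint, *limited, "/_search", match_all)
    print("new-user GET _search ->", status, body.get("error", {}).get("reason"))
    if status != 403:
        raise SystemExit(f"expected 403 for cluster-wide search, got {status}")

    # 2. Flight index as new-user, then the same _ids as TheMasterUser.
    _, lim = search(endpoint, *limited, f"/{FLIGHT_INDEX}/_search", match_all)
    ids = [h["_id"] for h in lim["hits"]["hits"]]
    _, mas = search(endpoint, *master, f"/{FLIGHT_INDEX}/_search",
                    {"ids": {"values": ids}}, size=len(ids) or 1)
    _, total = search(endpoint, *master, f"/{FLIGHT_INDEX}/_search", match_all, size=0)
    print("hits visible to new-user:", lim["hits"]["total"],
          "| total in index (master):", total["hits"]["total"])

    for problem in audit(lim["hits"]["hits"], mas["hits"]["hits"]):
        print("VIOLATION:", problem)


if __name__ == "__main__":
    main()
```

Looking up the master copies by _id rather than running a second match_all is what makes the per-document comparison meaningful: the master's first page of results would otherwise contain mostly different documents, since it is not filtered to delayed flights.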