Tutorial: Configure a domain with the internal user database and HTTP basic authentication - Amazon OpenSearch Service

This tutorial covers another popular fine-grained access control use case: a master user in the internal user database and HTTP basic authentication for OpenSearch Dashboards.

To get started with fine-grained access control
  1. Create a domain with the following settings:

    • OpenSearch 1.0 or later, or Elasticsearch 7.9 or later

    • Public access

    • Fine-grained access control with a master user in the internal user database (TheMasterUser for the rest of this tutorial)

    • Amazon Cognito authentication for Dashboards disabled

    • The following access policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "*"
              ]
            },
            "Action": [
              "es:ESHttp*"
            ],
            "Resource": "arn:aws:es:region:account:domain/domain-name/*"
          }
        ]
      }

    • HTTPS required for all traffic to the domain

    • Node-to-node encryption

    • Encryption of data at rest

  2. Navigate to OpenSearch Dashboards.

  3. Sign in using TheMasterUser.

  4. Choose Try our sample data.

  5. Add the sample flight data.

  6. Choose Security, Internal users, Create internal user.

  7. Name the user new-user and specify a password. Then choose Create.

  8. Choose Roles, Create role.

  9. Name the role new-role.

  10. For index permissions, specify dashboards_sample_data_fli* for the index pattern.

  11. For the action group, choose read.

  12. For Document level security, specify the following query:

      {
        "match": {
          "FlightDelay": true
        }
      }

  13. For field-level security, choose Exclude and specify FlightNum.

  14. For Anonymization, specify Dest.

  15. Choose Create.

  16. Choose Mapped users, Manage mapping. Then add new-user to Users and choose Map.

  17. Return to the list of roles and choose opensearch_dashboards_user. Choose Mapped users, Manage mapping. Then add new-user to Users and choose Map.

  18. In a new, private browser window, navigate to Dashboards, sign in using new-user, and then choose Explore on my own.

  19. Go to Dev Tools and run the default search:

      GET _search
      {
        "query": {
          "match_all": {}
        }
      }

    Note the permissions error. new-user doesn't have permissions to run cluster-wide searches.

  20. Run another search:

      GET dashboards_sample_data_flights/_search
      {
        "query": {
          "match_all": {}
        }
      }

    Note that all matching documents have a FlightDelay field of true, an anonymized Dest field, and no FlightNum field.

  21. In your original browser window, signed in as TheMasterUser, choose Dev Tools and perform the same searches. Note the difference in permissions, number of hits, matching documents, and included fields.
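The comparison in the last step can be turned into a repeatable check. The following is an added example, not code from the AWS tutorial: it expresses new-role as the JSON body the OpenSearch Security plugin REST API accepts (the tutorial creates the role in the Dashboards UI instead), then verifies a response seen by new-user against the unrestricted response seen by TheMasterUser. Both response bodies are constructed sample hits, and the masked Dest values are placeholders rather than real hash output.

```python
"""Check that new-user's search results reflect the new-role restrictions:
document-level security (FlightDelay == true), field-level security
(FlightNum excluded) and anonymization of Dest."""
import json

# Role body equivalent to the tutorial's steps 9-14, in the format accepted
# by PUT _plugins/_security/api/roles/new-role. Assumption: the tutorial
# itself configures this through the Dashboards UI, not this API call.
NEW_ROLE = {
    "cluster_permissions": [],
    "index_permissions": [{
        "index_patterns": ["dashboards_sample_data_fli*"],
        "dls": json.dumps({"match": {"FlightDelay": True}}),
        "fls": ["~FlightNum"],          # leading ~ excludes the field
        "masked_fields": ["Dest"],      # anonymized (hashed) in responses
        "allowed_actions": ["read"],
    }],
}

# Constructed sample hits: what TheMasterUser sees (no restrictions).
MASTER_HITS = [
    {"_id": "1", "_source": {"FlightNum": "AB123", "Dest": "Zurich Airport", "FlightDelay": True}},
    {"_id": "2", "_source": {"FlightNum": "CD456", "Dest": "Denver Intl", "FlightDelay": False}},
    {"_id": "3", "_source": {"FlightNum": "EF789", "Dest": "Narita", "FlightDelay": True}},
]
# Constructed sample hits: what new-user sees (Dest values are placeholder masks).
USER_HITS = [
    {"_id": "1", "_source": {"Dest": "<masked-1>", "FlightDelay": True}},
    {"_id": "3", "_source": {"Dest": "<masked-3>", "FlightDelay": True}},
]


def check_restricted_view(master_hits, user_hits):
    """Return a list of violations; an empty list means the role behaves as configured."""
    problems = []
    by_id = {h["_id"]: h["_source"] for h in master_hits}
    expected_ids = {i for i, s in by_id.items() if s.get("FlightDelay") is True}
    seen_ids = {h["_id"] for h in user_hits}
    if seen_ids != expected_ids:
        problems.append(f"DLS: expected docs {sorted(expected_ids)}, got {sorted(seen_ids)}")
    for hit in user_hits:
        src = hit["_source"]
        if "FlightNum" in src:
            problems.append(f"FLS: FlightNum leaked in doc {hit['_id']}")
        if src.get("Dest") == by_id.get(hit["_id"], {}).get("Dest"):
            problems.append(f"Masking: Dest not anonymized in doc {hit['_id']}")
    return problems
```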