Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: zhengxiu <zhengxiu@huawei.com> Co-committed-by: zhengxiu <zhengxiu@huawei.com>
<a name="EN-US_TOPIC_0000002003441200"></a><a name="EN-US_TOPIC_0000002003441200"></a>
<h1 class="topictitle1">Accessing an OpenSearch Cluster Using LDAP</h1>
<div id="body0000002003441200"><p id="EN-US_TOPIC_0000002003441200__p165411423172414">The Lightweight Directory Access Protocol (LDAP) is a lightweight version of the directory access protocol based on the X.500 standard. An LDAP service provides user authentication and authorization. Using the OpenSearch Security plugin (the successor of the Security plugin for Open Distro for Elasticsearch), CSS can use Active Directory, or any other LDAP directory, as an authentication and authorization backend for a cluster.</p>
<p id="EN-US_TOPIC_0000002003441200__p177949162181">This topic describes how to connect a security-mode OpenSearch cluster in CSS to an LDAP service, enable LDAP authentication, and map LDAP groups to OpenSearch roles so that only LDAP users in specific groups, with the permissions those roles grant, can access the cluster.</p>
<div class="section" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_section1492122914118"><h4 class="sectiontitle">Preparations</h4><ul id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_ul115524012184"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_li181191829144220">A security-mode OpenSearch cluster has been created in CSS and its status is <strong>Available</strong>.</li><li id="EN-US_TOPIC_0000002003441200__li174051125172815">An LDAP service in the same VPC as the OpenSearch cluster is reachable, and the users and groups that will access the cluster exist in it. For details, see <a href="https://www.openldap.org/doc/admin24/quickstart.html" target="_blank" rel="noopener noreferrer">the OpenLDAP document: A Quick-Start Guide</a>.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_section04055477115"><h4 class="sectiontitle">Accessing a Cluster</h4><ol id="EN-US_TOPIC_0000002003441200__ol3820537123018"><li id="EN-US_TOPIC_0000002003441200__li8820037193015"><span>Install an LDAP service on an ECS. If the LDAP service and user data have already been prepared, skip this step.</span><p><ol type="a" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_ol52981356193310"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li18792558794">Create an ECS. The ECS must run Windows Server and must be in the same VPC and security group as the security-mode OpenSearch cluster of CSS. Windows Server provides the built-in Active Directory service, which supports the LDAP protocol. Make sure the security group allows inbound TCP port 389 (LDAP) from the cluster nodes.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li5731185614343">Log in to the ECS and enable the Active Directory service. Create a domain, an account that the cluster will use to bind to the directory (<strong>adminAD</strong> in the example below), the users who will log in, and the groups that will be mapped to OpenSearch roles.</li></ol>
</p></li><li id="EN-US_TOPIC_0000002003441200__li6735482334"><span>Modify the parameter settings of the security-mode OpenSearch cluster on CSS. Configure a static parameter in <span class="filepath" id="EN-US_TOPIC_0000002003441200__filepath669732110112"><b>opensearch.yml</b></span> so that the security configuration can be modified through the REST API in a later step.</span><p><ol type="a" id="EN-US_TOPIC_0000002003441200__ol159291592501"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li1142971461017"><span id="EN-US_TOPIC_0000002003441200__ph4222205142920">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000002003441200__li106203711104">In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol101664889983947"><b>Clusters > OpenSearch</b></span>.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li174291147108">In the cluster list, click the name of the target cluster. The cluster information page is displayed.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li1277611425215">Choose <strong id="EN-US_TOPIC_0000002003441200__b11956184383947">Cluster Settings</strong> > <strong id="EN-US_TOPIC_0000002003441200__b17995471983947">Parameter Settings</strong>, and click <strong id="EN-US_TOPIC_0000002003441200__b20699907883947">Edit</strong>. Expand <span class="parmname" id="EN-US_TOPIC_0000002003441200__parmname132028994983947"><b>Custom</b></span>, and add the following parameter and value.<ul id="EN-US_TOPIC_0000002003441200__ul45504492037"><li id="EN-US_TOPIC_0000002003441200__li35501249837"><strong id="EN-US_TOPIC_0000002003441200__b174678804542427">Parameter</strong>: plugins.security.unsupported.restapi.allow_securityconfig_modification</li><li id="EN-US_TOPIC_0000002003441200__li15501549737"><strong id="EN-US_TOPIC_0000002003441200__b6450723142427">Value</strong>: true</li></ul><p id="EN-US_TOPIC_0000002003441200__p_securityconfig_caveat">This parameter enables the <b>PUT _plugins/_security/api/securityconfig/config</b> request used in step 4. While it is set, anyone with access to the security REST API (by default, cluster administrators) can overwrite the whole authentication configuration, so consider setting it back to <b>false</b>, with another restart, once LDAP login has been verified.</p>
</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li12682102113577">Click <strong id="EN-US_TOPIC_0000002003441200__b19421286142427">Submit</strong> above. In the displayed <strong id="EN-US_TOPIC_0000002003441200__b3421463542427">Submit Configuration</strong> dialog box, select the box that says "I understand that the modification will take effect after the cluster is restarted." and click <strong id="EN-US_TOPIC_0000002003441200__b34975888942427">Yes</strong>.<p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_p0505822115818">If <strong id="EN-US_TOPIC_0000002003441200__b147778208642427">Status</strong> is <strong id="EN-US_TOPIC_0000002003441200__b152130578442427">Succeeded</strong> in the parameter change list, the change has been saved. Up to 20 change records can be displayed.</p>
</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li195461759181418">After the changes are saved, click <strong id="EN-US_TOPIC_0000002003441200__b4376102575618">Restart</strong> in the upper right corner to restart the cluster, thus applying the changes.<ul id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_ul772201251714"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li97281231719">You need to restart the cluster after the change, or <strong id="EN-US_TOPIC_0000002003441200__b34581429144014">Configuration not updated</strong> will be displayed in the <strong id="EN-US_TOPIC_0000002003441200__b145812919401">Task Status</strong> column in the cluster list.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001268594501_li77261231712">If you restart the cluster after the change, and <strong id="EN-US_TOPIC_0000002003441200__b126012335403">Task Status</strong> displays <strong id="EN-US_TOPIC_0000002003441200__b4604339406">Configuration error</strong> in the cluster list, the parameter configuration file has failed to be modified.</li></ul>
</li></ol>
</p></li><li id="EN-US_TOPIC_0000002003441200__li102711655125018"><span>Configure a route for an OpenSearch cluster on the CSS console to connect the cluster to the LDAP service.</span><p><ol type="a" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_ol1799124310910"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001223434436_li199516595219">On the cluster information page, click the <strong id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_b19338111313311">Overview</strong> tab.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001223434464_li11859201313213">In the <strong id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_b15220133212332">Configuration</strong> area, click <strong id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_b6793173810333">Add Route</strong> next to <strong id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_b1378113419338">Cluster Route</strong>.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001223434464_li3368124411273">In the displayed dialog box, configure the route information.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_table045192184911" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Adding a route</caption><thead align="left"><tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_row17462021174915"><th align="left" class="cellrowborder" valign="top" width="30%" id="mcps1.3.4.2.3.2.1.3.1.2.3.1.1"><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p1246321134918">Parameter</p></th><th align="left" class="cellrowborder" valign="top" width="70%" id="mcps1.3.4.2.3.2.1.3.1.2.3.1.2"><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p846122184910">Description</p></th></tr></thead>
<tbody><tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_row14682120495"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.3.2.1.3.1.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p1546192154912">IP Address</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.3.2.1.3.1.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p144622184916">Enter the IP address of the LDAP server. If the LDAP service on the ECS is used, enter the IP address of the ECS.</p></td></tr>
<tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_row54642164919"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.3.2.1.3.1.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p1546142119499">Subnet Mask</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.3.2.1.3.1.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p1028315174317">Enter the subnet mask of the LDAP server. If the LDAP service on the ECS is used, enter the subnet mask of the ECS.</p></td></tr>
</tbody></table></div>
</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001223434464_li1539419308514">Click OK.</li></ol>
</p></li><li id="EN-US_TOPIC_0000002003441200__li56310371195"><span>Configure LDAP authentication for a security-mode OpenSearch cluster.</span><p><ol type="a" id="EN-US_TOPIC_0000002003441200__ol124574417618"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001223594408_li1274916552817">On the cluster information page, click <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol1877744010403"><b>Dashboards</b></span> in the upper-right corner to log in to OpenSearch Dashboards.</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001223594408_li927171291011">On OpenSearch Dashboards, expand the menu in the upper-left corner, and choose <strong id="EN-US_TOPIC_0000002003441200__b74493397242427">Dev Tools</strong>.</li><li id="EN-US_TOPIC_0000002003441200__li14711134142520">Run the following request to configure LDAP authentication.<div class="note" id="EN-US_TOPIC_0000002003441200__note884613445342"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_ul132691950164211"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li1344814304355">Concepts used in an X.500 directory access protocol (including LDAP):<ul id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_ul2365133313513"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_li162696507428">CN = Common Name</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_li1126995044215">OU = Organizational Unit</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_li1726917504420">DC = Domain Component</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li1657511354554">DN = Distinguished Name</li></ul>
<p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_p182607365355">A DN is written from the most specific component to the broadest, for example <b>CN=adminAD,DC=test,DC=ldap,DC=com</b>: first the CN of the entry itself, then the OUs it sits in, then the DCs of the domain (test.ldap.com). If the components are listed in a different order, the entry is not found and authentication fails.</p>
</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li1565012471357">The configuration consists of two parts: <span class="parmname" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_parmname16848553123515"><b>authc</b></span> and <span class="parmname" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_parmname1563615614354"><b>authz</b></span>.<ul id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_ul4259160369"><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li108116318362"><strong id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_b178491657130">authc</strong> (authentication): verifies that a user is who they claim to be (password verification against the directory).</li><li id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_li08126315366"><strong id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_b2020819765214">authz</strong> (authorization): determines which LDAP groups the authenticated user belongs to; these become the user's backend roles.</li></ul>
</li><li id="EN-US_TOPIC_0000002003441200__li_securityconfig_replaces">The request replaces the entire dynamic security configuration. Keep the <b>basic_internal_auth_domain</b> entry shown below, otherwise the internal admin user can no longer log in. The internal user database is tried first (<b>order</b> 1) and LDAP second (<b>order</b> 2); <b>challenge</b> is true on only one of the two basic authenticators so that browsers receive a single password prompt.</li></ul>
</div></div>
<pre class="screen" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_screen1763319230389">PUT _plugins/_security/api/securityconfig/config
{
  "dynamic": {
    "authc": {
      "basic_internal_auth_domain": {
        "description": "Authenticate via HTTP Basic against internal users database",
        "http_enabled": true,
        "transport_enabled": true,
        "order": 1,
        "http_authenticator": {
          "type": "basic",
          "challenge": true
        },
        "authentication_backend": {
          "type": "intern"
        }
      },
      "ldap": {
        "description": "Authenticate via LDAP or Active Directory",
        "http_enabled": true,
        "transport_enabled": true,
        "order": 2,
        "http_authenticator": {
          "type": "basic",
          "challenge": false
        },
        "authentication_backend": {
          "type": "ldap",
          "config": {
            "enable_ssl": false,
            "enable_start_tls": false,
            "enable_ssl_client_auth": false,
            "verify_hostnames": true,
            <strong id="EN-US_TOPIC_0000002003441200__b862465712614">"hosts": ["10.0.XXX.XXX:389"],</strong>
            <strong id="EN-US_TOPIC_0000002003441200__b93870152717">"bind_dn": "CN=adminAD,DC=test,DC=ldap,DC=com",</strong>
            <strong id="EN-US_TOPIC_0000002003441200__b52121952270">"password": "&lt;password&gt;",</strong>
            <strong id="EN-US_TOPIC_0000002003441200__b650931012710">"userbase": "OU=ITDepartment,DC=test,DC=ldap,DC=com",</strong>
            "usersearch": "(sAMAccountName={0})",
            "username_attribute": "uid"
          }
        }
      }
    },
    "authz": {
      "roles_from_myldap": {
        "description": "Authorize via LDAP or Active Directory",
        "http_enabled": true,
        "transport_enabled": true,
        "authorization_backend": {
          "type": "ldap",
          "config": {
            "enable_ssl": false,
            "enable_start_tls": false,
            "enable_ssl_client_auth": false,
            "verify_hostnames": true,
            <strong id="EN-US_TOPIC_0000002003441200__b128232051112711">"hosts": ["10.0.XXX.XXX:389"],</strong>
            <strong id="EN-US_TOPIC_0000002003441200__b15792154192717">"bind_dn": "CN=adminAD,DC=test,DC=ldap,DC=com",</strong>
            <strong id="EN-US_TOPIC_0000002003441200__b3366155811275">"password": "&lt;password&gt;",</strong>
            <strong id="EN-US_TOPIC_0000002003441200__b1998915300276">"rolebase": "OU=groups,DC=test,DC=ldap,DC=com",</strong>
            "rolesearch": "(member={0})",
            "userroleattribute": null,
            "userrolename": "disabled",
            "rolename": "CN",
            "resolve_nested_roles": true,
            <strong id="EN-US_TOPIC_0000002003441200__b1292011112288">"userbase": "OU=ITDepartment,DC=test,DC=ldap,DC=com",</strong>
            "usersearch": "(uid={0})"
          }
        }
      }
    }
  }
}</pre>
<p id="EN-US_TOPIC_0000002003441200__p168786396285">The parameters in <a href="#EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_table111741414338">Table 2</a> (shown in bold above) must be modified based on the actual environment. The same <b>hosts</b>, <b>bind_dn</b>, and <b>password</b> values are used in both the <b>authc</b> and <b>authz</b> sections.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_table111741414338"></a><a name="en-us_topic_0000001934179690_table111741414338"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_table111741414338" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameter description</caption><thead align="left"><tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_row91731411337"><th align="left" class="cellrowborder" valign="top" width="30%" id="mcps1.3.4.2.4.2.1.3.4.2.3.1.1"><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p417131412333">Parameter</p></th><th align="left" class="cellrowborder" valign="top" width="70%" id="mcps1.3.4.2.4.2.1.3.4.2.3.1.2"><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p1263718492465">Description</p></th></tr></thead>
<tbody><tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_row192601805113"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p42611819514">hosts</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p19866933485">Address and port of the LDAP service, in <b>host:port</b> form. Port 389 is plain LDAP (also used for StartTLS); port 636 is LDAPS and additionally requires <b>enable_ssl</b> to be true. If the LDAP service on the ECS is used, enter the IP address of the ECS.</p></td></tr>
<tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_row73721818175113"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p16372318165118">bind_dn</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p2226185484720">DN of the account that the security plugin binds as when it searches the directory, written as CN, then OU, then DC components (for example, <b>CN=adminAD,DC=test,DC=ldap,DC=com</b>). Select an account from the user data of the LDAP service; read access to the user and group subtrees is sufficient, so prefer a dedicated service account over a directory administrator.</p></td></tr>
<tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_row131711473319"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p111791417336">password</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p1965182024815">Password of the account configured in <span class="parmname" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_parmname10910162783016"><b>bind_dn</b></span>. It is stored as entered in the security configuration, which is another reason to use a dedicated, least-privilege account.</p></td></tr>
<tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_row161711420338"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p11713147339">userbase</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p152562403482">Base DN under which user entries are searched (with <b>usersearch</b>) at each login; nothing is copied into the cluster. Only users below this DN can log in. In this example, these are the users in the <span class="parmvalue" id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_parmvalue423519113114"><b>ITDepartment</b></span> OU.</p></td></tr>
<tr id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_row77231225134911"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.1 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p98881546115115">rolebase</p></td><td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.4.2.4.2.1.3.4.2.3.1.2 "><p id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001945377014_en-us_topic_0000001934179690_p2453105825015">Base DN under which group entries are searched (with <b>rolesearch</b>, here <b>(member={0})</b> where {0} is the user's DN). Every group the user is a member of, directly or, with <b>resolve_nested_roles</b>, through another group, becomes a backend role named after the attribute given in <b>rolename</b> (here the group's CN). Backend roles are mapped to OpenSearch roles in the next step; in this example, the groups are in the <b>groups</b> OU.</p></td></tr>
</tbody></table></div>
<p id="EN-US_TOPIC_0000002003441200__p_ldap_extra_caveats">Two settings that are not listed in Table 2 also deserve attention. <b>usersearch</b> is the filter that finds the user entry by login name: <b>(sAMAccountName={0})</b> for Active Directory, <b>(uid={0})</b> for OpenLDAP. Use the same attribute in the <b>authc</b> and <b>authz</b> sections, and set <b>username_attribute</b> to that attribute so that the OpenSearch user name is the login name. The example also disables TLS (<b>enable_ssl</b> and <b>enable_start_tls</b> are both false), so the bind password and every user's password cross the VPC in clear text; if the directory offers LDAPS (port 636, <b>enable_ssl</b> true) or StartTLS (<b>enable_start_tls</b> true), enable it and keep <b>verify_hostnames</b> true.</p>
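<p>The checks in Table 2 can be run automatically before the request is sent. The following Python script is an added example, not part of this documentation or of the OpenSearch Security plugin: it parses the DNs and verifies their component order, flags placeholders that were not replaced, warns about plaintext binds, confirms that the internal authentication domain is still present, and compares the user lookup attribute of <b>authc</b> and <b>authz</b>. The hostname <b>ldap.test.ldap.com</b> and the secret in <b>HARDENED</b> are assumed values.</p>

```python
"""Pre-flight checks on an OpenSearch Security 'securityconfig' body before it
is sent with PUT _plugins/_security/api/securityconfig/config.
Added example, not code from the CSS documentation or the OpenSearch Security
plugin. EXAMPLE mirrors the topic's request with its placeholders left in;
HARDENED is a constructed variant with LDAPS and an assumed hostname."""
import re

# RDN types from most specific to broadest: read left to right, a DN must
# never become more specific again (CN before OU before DC).
RANK = {"CN": 0, "UID": 0, "OU": 1, "O": 2, "DC": 3}


def parse_dn(dn):
    """[('CN','a'),('OU','b'),('DC','c')] for 'CN=a,OU=b,DC=c'; '\\,' stays in a value."""
    rdns = [part.strip().partition("=") for part in re.split(r"(?<!\\),", dn)]
    if any(not attr or not value for attr, _, value in rdns):
        raise ValueError(f"malformed DN {dn!r}")
    return [(attr.upper(), value) for attr, _, value in rdns]


def dn_order_ok(dn):
    """True if the DN goes from specific to broad (unknown types rank like OU)."""
    ranks = [RANK.get(attr, 1) for attr, _ in parse_dn(dn)]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def search_attr(filter_str):
    """Attribute of a simple '(attr={0})' filter, lower-cased, or None."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", filter_str or "")
    return m.group(1).lower() if m else None


def check_ldap_backend(name, cfg, findings):
    """Checks shared by the authc and authz LDAP 'config' blocks."""
    hosts = cfg.get("hosts", [])
    if not hosts or any("XXX" in h for h in hosts):
        findings.append(("error", f"{name}: hosts still contains a placeholder"))
    if cfg.get("password") in (None, "", "<password>"):
        findings.append(("error", f"{name}: bind password is a placeholder"))
    if not cfg.get("enable_ssl") and not cfg.get("enable_start_tls"):
        findings.append(("warn", f"{name}: passwords travel in plaintext; prefer LDAPS or StartTLS"))
    for key in ("bind_dn", "userbase", "rolebase"):
        try:
            if key in cfg and not dn_order_ok(cfg[key]):
                findings.append(("error", f"{name}: {key} lists RDNs in the wrong order"))
        except ValueError as exc:
            findings.append(("error", f"{name}: {exc}"))
    for key in ("usersearch", "rolesearch"):
        if key in cfg and "{0}" not in cfg[key]:
            findings.append(("error", f"{name}: {key} lacks the {{0}} placeholder"))


def validate_security_config(body):
    """Return a list of (severity, message); an empty list means ready to PUT."""
    findings, dyn = [], body.get("dynamic", {})
    authc, authz = dyn.get("authc", {}), dyn.get("authz", {})
    # PUT securityconfig replaces the whole 'dynamic' block: without an internal
    # auth domain the built-in admin user can no longer log in.
    if not any(d.get("authentication_backend", {}).get("type") in ("intern", "internal")
               for d in authc.values()):
        findings.append(("error", "authc: no internal auth domain; admin would be locked out"))
    authc_attrs = set()
    for name, d in authc.items():
        be = d.get("authentication_backend", {})
        if be.get("type") == "ldap":
            check_ldap_backend(f"authc.{name}", be.get("config", {}), findings)
            authc_attrs.add(search_attr(be.get("config", {}).get("usersearch")))
    for name, d in authz.items():
        be = d.get("authorization_backend", {})
        if be.get("type") == "ldap":
            check_ldap_backend(f"authz.{name}", be.get("config", {}), findings)
            attr = search_attr(be.get("config", {}).get("usersearch"))
            if authc_attrs and attr not in authc_attrs:
                findings.append(("warn", f"authz.{name}: usersearch uses {attr!r} but "
                                 f"authc looks users up by {sorted(authc_attrs)}"))
    return findings


def config(host, password, authc_attr, authz_attr, ssl=False):
    """securityconfig body in the topic's layout (constructed for this example)."""
    base = {"enable_ssl": ssl, "enable_start_tls": False, "verify_hostnames": True,
            "hosts": [host], "bind_dn": "CN=adminAD,DC=test,DC=ldap,DC=com",
            "password": password, "userbase": "OU=ITDepartment,DC=test,DC=ldap,DC=com"}
    return {"dynamic": {
        "authc": {
            "basic_internal_auth_domain": {"order": 1, "http_enabled": True,
                "http_authenticator": {"type": "basic", "challenge": True},
                "authentication_backend": {"type": "intern"}},
            "ldap": {"order": 2, "http_enabled": True,
                "http_authenticator": {"type": "basic", "challenge": False},
                "authentication_backend": {"type": "ldap", "config": {
                    **base, "usersearch": f"({authc_attr}={{0}})",
                    "username_attribute": authc_attr}}}},
        "authz": {"roles_from_myldap": {"http_enabled": True,
            "authorization_backend": {"type": "ldap", "config": {
                **base, "rolebase": "OU=groups,DC=test,DC=ldap,DC=com",
                "rolesearch": "(member={0})", "rolename": "CN",
                "resolve_nested_roles": True,
                "usersearch": f"({authz_attr}={{0}})"}}}}}}


# As in the topic: placeholders left in, TLS off, uid in authz but sAMAccountName in authc.
EXAMPLE = config("10.0.XXX.XXX:389", "<password>", "sAMAccountName", "uid")
# LDAPS, assumed hostname, placeholder secret to be replaced, matching filters.
HARDENED = config("ldap.test.ldap.com:636", "REPLACE-WITH-REAL-SECRET",
                  "sAMAccountName", "sAMAccountName", ssl=True)
```

<p>Running <b>validate_security_config(EXAMPLE)</b> reports seven findings (placeholder host and password and the plaintext warning in each section, plus the <b>uid</b> versus <b>sAMAccountName</b> mismatch); <b>HARDENED</b> passes cleanly. The DN check is deliberately strict about order because, as the note above explains, a DN with its components in the wrong order simply does not match any entry.</p>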
</li></ol>
</p></li><li id="EN-US_TOPIC_0000002003441200__li20757162262412"><span>Map LDAP groups to OpenSearch roles in the security-mode OpenSearch cluster to enable fine-grained access control.</span><p><p id="EN-US_TOPIC_0000002003441200__p10988121516394">The LDAP groups found under <b>rolebase</b> appear in OpenSearch as backend roles of the logged-in user, named by their CN as configured with <b>rolename</b>. A backend role grants nothing by itself: it must be mapped to an OpenSearch role, which carries the actual cluster, index, and tenant permissions. <a href="#EN-US_TOPIC_0000002003441200__fig196302320392">Figure 1</a> illustrates the mapping. For details about the configuration, see <a href="css_01_0329.html">Creating Users for an OpenSearch Cluster and Granting Cluster Access</a>.</p>
<div class="fignone" id="EN-US_TOPIC_0000002003441200__fig196302320392"><a name="EN-US_TOPIC_0000002003441200__fig196302320392"></a><a name="fig196302320392"></a><span class="figcap"><b>Figure 1 </b>Permissions mapping</span><br><span><img id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_image02822048175411" src="figure/en-us_image_0000002003441216.png"></span></div>
<ol type="a" id="EN-US_TOPIC_0000002003441200__ol86081414119"><li id="EN-US_TOPIC_0000002003441200__li932238114110">On OpenSearch Dashboards, expand the menu in the upper-left corner, and choose <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol2666827124110"><b>Security</b></span>. The <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol18667172734113"><b>Security</b></span> page is displayed.</li><li id="EN-US_TOPIC_0000002003441200__li12898131717474"><a name="EN-US_TOPIC_0000002003441200__li12898131717474"></a><a name="li12898131717474"></a>Click <strong id="EN-US_TOPIC_0000002003441200__b87750887142427">Roles</strong> to go to the Open Distro Security Roles page. Click <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol65407455742427"><b>Create Role</b></span>, set the following parameters, and click <strong id="EN-US_TOPIC_0000002003441200__b57169590942427">Save Role Definition</strong> to save the role. Grant only the permissions the group actually needs:<ul id="EN-US_TOPIC_0000002003441200__ul131906224139"><li id="EN-US_TOPIC_0000002003441200__li722115417133"><strong id="EN-US_TOPIC_0000002003441200__b192244717942427">Name</strong>: name of the role.</li><li id="EN-US_TOPIC_0000002003441200__li1048916410147"><strong id="EN-US_TOPIC_0000002003441200__b165766042042427">Cluster Permissions</strong>: cluster-level actions the role may perform.</li><li id="EN-US_TOPIC_0000002003441200__li172781023161411"><strong id="EN-US_TOPIC_0000002003441200__b60924609942427">Index Permissions</strong>: index patterns and the actions allowed on the matching indexes.</li><li id="EN-US_TOPIC_0000002003441200__li71911522191312"><strong id="EN-US_TOPIC_0000002003441200__b163553182242427">Tenant Permissions</strong>: OpenSearch Dashboards tenants the role may read or write.</li></ul>
</li><li id="EN-US_TOPIC_0000002003441200__li165251846104819">Click the newly created role, select <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol54852860883526"><b>Mapped users</b></span>, enter the name of the LDAP group in <span class="parmname" id="EN-US_TOPIC_0000002003441200__parmname31200854283526"><b>Backend roles</b></span>, and click <strong id="EN-US_TOPIC_0000002003441200__b52135636183526">Map</strong>. With <b>rolename</b> set to <b>CN</b>, the backend role name is the group's CN only, without its OU and DC components, and it is case-sensitive.</li><li id="EN-US_TOPIC_0000002003441200__li1408144916524"><a name="EN-US_TOPIC_0000002003441200__li1408144916524"></a><a name="li1408144916524"></a>Check the configuration result.<div class="fignone" id="EN-US_TOPIC_0000002003441200__fig897723218524"><span class="figcap"><b>Figure 2 </b>Permissions mapping</span><br><span><img id="EN-US_TOPIC_0000002003441200__en-us_topic_0000001934179690_image1868416179479" src="figure/en-us_image_0000002039680337.png"></span></div>
</li><li id="EN-US_TOPIC_0000002003441200__li089153085417">Repeat <a href="#EN-US_TOPIC_0000002003441200__li12898131717474">5.b</a> to <a href="#EN-US_TOPIC_0000002003441200__li1408144916524">5.d</a> to map other permissions groups.</li></ol>
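<p>To see how the authorization settings of step 4 and the role mapping of step 5 fit together, the following Python simulation is an added example, not code from this documentation or from the OpenSearch Security plugin. It replays the documented behaviour of <b>userbase</b>, <b>usersearch</b>, <b>rolebase</b>, <b>rolesearch</b>, <b>rolename</b>, and <b>resolve_nested_roles</b> over a small in-memory directory and then applies role mappings; the users, the groups <b>css-admins</b> and <b>css-readers</b>, and the mappings are invented for the example.</p>

```python
"""How LDAP group membership becomes OpenSearch backend roles, and how role
mappings turn those into OpenSearch roles.
Added example, not code from the CSS documentation or the OpenSearch Security
plugin: a simulation of the documented semantics of userbase/usersearch,
rolebase/rolesearch '(member={0})', rolename 'CN' and resolve_nested_roles
over a constructed directory. All entries and names below are invented."""
import re
from collections import deque

BASE = "DC=test,DC=ldap,DC=com"
ALICE = f"CN=alice,OU=ITDepartment,{BASE}"
BOB = f"CN=bob,OU=ITDepartment,{BASE}"
CAROL = f"CN=carol,OU=Sales,{BASE}"            # outside userbase: cannot log in
ADMINS = f"CN=css-admins,OU=groups,{BASE}"
READERS = f"CN=css-readers,OU=groups,{BASE}"
VPN = f"CN=vpn-users,OU=other,{BASE}"          # outside rolebase: never a backend role

# Constructed directory: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    ALICE: {"sAMAccountName": ["alice"]},
    BOB: {"sAMAccountName": ["bob"]},
    CAROL: {"sAMAccountName": ["carol"]},
    ADMINS: {"member": [ALICE]},
    READERS: {"member": [BOB, ADMINS]},        # css-admins is nested in css-readers
    VPN: {"member": [ALICE]},
}

# The authz backend 'config' of the topic's request (TLS settings omitted).
AUTHZ = {"userbase": f"OU=ITDepartment,{BASE}", "usersearch": "(sAMAccountName={0})",
         "rolebase": f"OU=groups,{BASE}", "rolesearch": "(member={0})",
         "rolename": "CN", "resolve_nested_roles": True}

# Role mappings as created under Security > Roles > Mapped users (invented).
ROLES_MAPPING = {"all_access": {"backend_roles": ["css-admins"]},
                 "readall": {"backend_roles": ["css-readers"]}}


def search(base, filter_str, value):
    """Subtree search under 'base' for the only filter shape the topic uses,
    '(attr={0})', with {0} replaced by 'value'; matching is case-insensitive."""
    attr = re.fullmatch(r"\((\w+)=\{0\}\)", filter_str).group(1).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
        if value.lower() in values:
            hits.append(dn)
    return hits


def rdn_value(dn, attr):
    """Value of the first RDN of 'dn' if its type is 'attr' (rolename = CN)."""
    a, _, v = dn.split(",", 1)[0].partition("=")
    return v if a.upper() == attr.upper() else None


def backend_roles(username, cfg=AUTHZ):
    """Backend roles the authorization backend would attach to 'username'."""
    users = search(cfg["userbase"], cfg["usersearch"], username)
    if len(users) != 1:
        raise LookupError(f"{username}: {len(users)} entries under userbase")
    roles, queue, seen = set(), deque(users), set()
    while queue:
        member_dn = queue.popleft()            # the user DN first, then group DNs
        for group_dn in search(cfg["rolebase"], cfg["rolesearch"], member_dn):
            if group_dn not in seen:
                seen.add(group_dn)
                roles.add(rdn_value(group_dn, cfg["rolename"]))
                if cfg["resolve_nested_roles"]:
                    queue.append(group_dn)     # groups that contain this group
    return roles


def opensearch_roles(backend, mapping=ROLES_MAPPING):
    """OpenSearch roles granted by the role mappings for these backend roles."""
    return {role for role, m in mapping.items() if backend & set(m["backend_roles"])}
```

<p>For <b>alice</b> the backend roles are <b>css-admins</b> and, through the nested membership, <b>css-readers</b>, which the mappings turn into <b>all_access</b> and <b>readall</b>; <b>bob</b> gets only <b>readall</b>; <b>carol</b>, who sits outside <b>userbase</b>, cannot be resolved at all; and <b>vpn-users</b> never appears because it is outside <b>rolebase</b>. Setting <b>resolve_nested_roles</b> to false stops the walk after the direct groups.</p>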
</p></li><li id="EN-US_TOPIC_0000002003441200__li143972029397"><span>Log in to OpenSearch Dashboards using the LDAP user to verify the configuration.</span><p><ol type="a" id="EN-US_TOPIC_0000002003441200__ol11135275717"><li id="EN-US_TOPIC_0000002003441200__li13908191555712"><span id="EN-US_TOPIC_0000002003441200__ph16390144011017">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000002003441200__li59081915125720">In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol457515114118"><b>Clusters > OpenSearch</b></span>.</li><li id="EN-US_TOPIC_0000002003441200__li690871513577">In the cluster list, find the target cluster, and click <span class="uicontrol" id="EN-US_TOPIC_0000002003441200__uicontrol13921204101010"><b>Dashboards</b></span> in the <strong id="EN-US_TOPIC_0000002003441200__b1411115564111">Operation</strong> column. Log in to OpenSearch Dashboards with the LDAP user's login name (the attribute matched by <b>usersearch</b>) and LDAP password.<p id="EN-US_TOPIC_0000002003441200__p19651548138">If the login succeeds, the configuration is complete and LDAP users can access the OpenSearch cluster. What each user may do is determined by the OpenSearch roles mapped to their LDAP groups in step 5, not by the LDAP groups themselves. To confirm the mapping, run <b>GET _plugins/_security/authinfo</b> in Dev Tools while logged in as the LDAP user: <b>backend_roles</b> lists the LDAP groups that were resolved and <b>roles</b> the OpenSearch roles granted. If the login fails, check the cluster route, the security group, and the <b>bind_dn</b> password first, then the <b>userbase</b> and <b>usersearch</b> values.</p>
</li></ol>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0288.html">Accessing an OpenSearch Cluster</a></div>
</div>
</div>