doc-exports/docs/css/umn/css_01_0329.html
zhengxiu 93d856d5c5 css umn 25.6.0 version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: zhengxiu <zhengxiu@huawei.com>
Co-committed-by: zhengxiu <zhengxiu@huawei.com>
2025-11-25 11:34:43 +00:00


<a name="EN-US_TOPIC_0000001965496885"></a><a name="EN-US_TOPIC_0000001965496885"></a>
<h1 class="topictitle1">Creating Users for an OpenSearch Cluster and Granting Cluster Access</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001965496885__p17682103664518">CSS limits access to security-mode clusters to authorized users only. When creating a security-mode cluster, an administrator account must be created. This administrator account can use OpenSearch Dashboards to add new users for the cluster and grant them the required permissions.</p>
<div class="section" id="EN-US_TOPIC_0000001965496885__section14743123515531"><h4 class="sectiontitle">Context</h4><p id="EN-US_TOPIC_0000001965496885__p13262512159">CSS uses the opendistro_security plug-in to provide security cluster capabilities. The opendistro_security plug-in is built on the RBAC model. RBAC involves three core concepts: user, action, and role. By placing roles between users and actions, RBAC simplifies permission management and makes permissions easier to extend and maintain. The following figure shows the relationship between the three.</p>
<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig17424102121615"><span class="figcap"><b>Figure 1 </b>User, action, and role</span><br><span><img id="EN-US_TOPIC_0000001965496885__image1422725243218" src="figure/en-us_image_0000001963190104.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_table1130152932111" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating and authorizing a user on OpenSearch Dashboards</caption><thead align="left"><tr id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_row913192910216"><th align="left" class="cellrowborder" valign="top" width="19.759999999999998%" id="mcps1.3.2.4.2.3.1.1"><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p11131129172116">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="80.24%" id="mcps1.3.2.4.2.3.1.2"><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p613112916211">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_row4131629172119"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p169320115226">Permission</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p1193210115228">A single permission, for example, creating an index (<strong id="EN-US_TOPIC_0000001965496885__b114492720428">indices:admin/create</strong>).</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_row1513182932110"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001965496885__p2730113274814">Action group</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p1093216119229">An action group is a group of permissions. For example, the predefined <strong id="EN-US_TOPIC_0000001965496885__b12494231258">SEARCH</strong> action group grants roles permissions to use <strong id="EN-US_TOPIC_0000001965496885__b1625062342519">_search</strong> and <strong id="EN-US_TOPIC_0000001965496885__b725092302517">_msearch</strong> APIs.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_row1313115297218"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001965496885__p133421830164820">Role</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p18932711152220">A role is a combination of permissions or action groups, including operation permissions on clusters, indexes, documents, or fields.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_row1413182914217"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001965496885__p2696326114814">User</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p093351115224">A user can send operation requests to an OpenSearch cluster. The user has credentials such as a username and password, and zero or more backend roles and custom attributes.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_row6131829112117"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.2.4.2.3.1.1 "><p id="EN-US_TOPIC_0000001965496885__p136582364811">Role mapping</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.2.4.2.3.1.2 "><p id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_p10933171182210">A user will be assigned a role after successful authentication. Role mapping means to map a role to a user (or a backend role). For example, the mapping from <strong id="EN-US_TOPIC_0000001965496885__b1011012456257">Dashboards_user</strong> (role) to <strong id="EN-US_TOPIC_0000001965496885__b14111124582510">Bob</strong> (user) means that Bob obtains all permissions of <strong id="EN-US_TOPIC_0000001965496885__b4111114542518">Dashboards_user</strong> after authentication. Similarly, the mapping from <strong id="EN-US_TOPIC_0000001965496885__b167081758152612">all_access</strong> (role) to <strong id="EN-US_TOPIC_0000001965496885__b47091158112619">admin</strong> (backend role) means that any user with the backend role <strong id="EN-US_TOPIC_0000001965496885__b1671010589261">admin</strong> (from the LDAP/Active Directory server) has all the permissions of role <strong id="EN-US_TOPIC_0000001965496885__b10710958162613">all_access</strong> after being authenticated. You can map each role to multiple users or backend roles.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0000001965496885__p1770883133318">On OpenSearch Dashboards, you can configure user permissions on the OpenSearch cluster under <strong id="EN-US_TOPIC_0000001965496885__b455304334416">Security</strong> to implement fine-grained access control at four levels: cluster, index, document, and field.</p>
<p id="EN-US_TOPIC_0000001965496885__p1884939342">Users can be added to or deleted from a cluster and mapped to roles; mapping a user to a role is how the role is assigned to that user.</p>
<p id="EN-US_TOPIC_0000001965496885__p456112285323">With role mapping, you can configure the members of each role and assign roles to users based on usernames, backend roles, and host names. For each role, you can configure cluster, index, and document access permissions, as well as the permission to use OpenSearch Dashboards.</p>
<p id="EN-US_TOPIC_0000001965496885__p185614287325">For more details about the security configuration of a security-mode cluster, see the official OpenSearch document <a href="https://opendistro.github.io/for-elasticsearch-docs/docs/security/" target="_blank" rel="noopener noreferrer">About Security in OpenSearch</a>.</p>
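The following added example (not part of the CSS documentation or the plug-in's own code) models how the objects in Table 1 combine into an access decision: action groups expand to permissions, roles carry cluster and per-index permissions, and role mappings grant roles by username, backend role, or host, with no mapping meaning no access. The action-group contents, the roles, and the users are constructed for illustration; the Dashboards_user/Bob and all_access/admin mappings are the ones used in Table 1.

```python
# Added example: a small model of the opendistro_security RBAC objects from
# Table 1. Contents of action groups, roles and users are constructed samples.
from fnmatch import fnmatchcase

# Action groups expand to concrete permissions; SEARCH is the page's example.
ACTION_GROUPS = {
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*"],
}

# Roles: cluster permissions plus index permissions keyed by index pattern.
ROLES = {
    "Dashboards_user": {"cluster": [], "index": {"logs-*": ["SEARCH"]}},
    "all_access": {"cluster": ["*"], "index": {"*": ["*"]}},
}

# Role mappings: a role is granted by username, backend role, or host pattern.
ROLE_MAPPINGS = {
    "Dashboards_user": {"users": ["Bob"], "backend_roles": [], "hosts": []},
    "all_access": {"users": [], "backend_roles": ["admin"], "hosts": []},
}

# Internal users and the backend roles they carry (e.g. from LDAP/AD).
USERS = {
    "Bob": {"backend_roles": []},
    "alice": {"backend_roles": ["admin"]},
}


def expand(actions):
    """Replace action-group names with their member permissions."""
    out = []
    for a in actions:
        out.extend(ACTION_GROUPS.get(a, [a]))
    return out


def roles_for(username, host="127.0.0.1"):
    """Resolve the roles a user receives after successful authentication."""
    user = USERS.get(username, {"backend_roles": []})
    granted = set()
    for role, m in ROLE_MAPPINGS.items():
        if (username in m["users"]
                or set(user["backend_roles"]) & set(m["backend_roles"])
                or any(fnmatchcase(host, h) for h in m["hosts"])):
            granted.add(role)
    return granted  # empty set: unmapped users are denied everything


def is_allowed(username, action, index=None, host="127.0.0.1"):
    """True if any mapped role grants `action` (on `index`, if one is given)."""
    for role in roles_for(username, host):
        spec = ROLES[role]
        perms = expand(spec["cluster"]) if index is None else [
            p for pat, acts in spec["index"].items()
            if fnmatchcase(index, pat) for p in expand(acts)]
        if any(fnmatchcase(action, p) for p in perms):
            return True
    return False
```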
</div>
<div class="section" id="EN-US_TOPIC_0000001965496885__section72681840185618"><h4 class="sectiontitle">Constraints</h4><p id="EN-US_TOPIC_0000001965496885__p16490174215503">You can customize the username, role name, and tenant name in the <strong id="EN-US_TOPIC_0000001965496885__b17299028182620">OpenSearch Dashboards</strong>.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001965496885__en-us_topic_0000001528379273_en-us_topic_0000001223434440_section12163507442"><h4 class="sectiontitle">Creating a User and Granting Permissions</h4><ol id="EN-US_TOPIC_0000001965496885__ol1068888105119"><li id="EN-US_TOPIC_0000001965496885__li46882825113"><span>Log in to the OpenSearch Dashboards.</span><p><ol type="a" id="EN-US_TOPIC_0000001965496885__ol146186208523"><li id="EN-US_TOPIC_0000001965496885__li19618112013520"><span id="EN-US_TOPIC_0000001965496885__ph152259618315">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000001965496885__li17698202175313">In the navigation pane on the left, choose <span class="menucascade" id="EN-US_TOPIC_0000001965496885__menucascade1261204320370"><b><span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol4612134333719">Clusters</span></b> &gt; <b><span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol06124434375">OpenSearch</span></b></span>.</li><li id="EN-US_TOPIC_0000001965496885__li1520983912521">In the cluster list, find the target cluster, click <strong id="EN-US_TOPIC_0000001965496885__b1724510318382">Dashboards</strong> in the <strong id="EN-US_TOPIC_0000001965496885__b1524603203818">Operation</strong> column, and use an administrator account to log in to OpenSearch Dashboards.<ul id="EN-US_TOPIC_0000001965496885__ul1374935705111"><li id="EN-US_TOPIC_0000001965496885__li874925725116">Username: <strong id="EN-US_TOPIC_0000001965496885__b1736013155503">admin</strong> (default administrator account name)</li><li id="EN-US_TOPIC_0000001965496885__li674905795114">Password: Enter the administrator password you set when creating the cluster in security mode.</li></ul>
</li></ol>
</p></li><li id="EN-US_TOPIC_0000001965496885__li1135162925115"><span>Create a user.</span><p><ol type="a" id="EN-US_TOPIC_0000001965496885__ol11749151913567"><li id="EN-US_TOPIC_0000001965496885__li1643913311569">On the <strong id="EN-US_TOPIC_0000001965496885__b158711634121014">OpenSearch Dashboards</strong> page, choose <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol44399315561"><b>Security</b></span>. The <strong id="EN-US_TOPIC_0000001965496885__b92751642153216">Security</strong> page is displayed.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig199111740135616"><span class="figcap"><b>Figure 2 </b>Going to the Security page</span><br><span><img id="EN-US_TOPIC_0000001965496885__image89119406565" src="figure/en-us_image_0000001965417001.png"></span></div>
</li><li id="EN-US_TOPIC_0000001965496885__li1991114015566">Choose <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol195889417167"><b>Internal users</b></span> on the left. The user creation page is displayed.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig962416241208"><span class="figcap"><b>Figure 3 </b>Creating a user</span><br><span><img id="EN-US_TOPIC_0000001965496885__image197931550135918" src="figure/en-us_image_0000001965416993.png"></span></div>
</li><li id="EN-US_TOPIC_0000001965496885__li10128204619594">Click <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol357810286163"><b>Create internal user</b></span>. The user information configuration page is displayed.</li><li id="EN-US_TOPIC_0000001965496885__li135915321345">In the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol679135714161"><b>Credentials</b></span> area, enter the username and password.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig185229441813"><span class="figcap"><b>Figure 4 </b>Entering the username and password</span><br><span><img id="EN-US_TOPIC_0000001965496885__image109723718616" src="figure/en-us_image_0000001965497221.png"></span></div>
</li><li id="EN-US_TOPIC_0000001965496885__li834016289520">Click <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol1237654511159"><b>Create</b></span>. After the user is created, it is displayed in the user list.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig6803417387"><span class="figcap"><b>Figure 5 </b>User information</span><br><span><img id="EN-US_TOPIC_0000001965496885__image12729141883" src="figure/en-us_image_0000001965497225.png"></span></div>
</li></ol>
</p></li><li id="EN-US_TOPIC_0000001965496885__li3498151425619"><span>Create a role and grant permissions to the role.</span><p><ol type="a" id="EN-US_TOPIC_0000001965496885__ol550032114123"><li id="EN-US_TOPIC_0000001965496885__li2190145912112">Select <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol19190205911114"><b>Roles</b></span> from the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol1819025931110"><b>Security</b></span> drop-down list box.</li><li id="EN-US_TOPIC_0000001965496885__li105009210125">On the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol176501443168"><b>Roles</b></span> page, click <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol663619611712"><b>Create role</b></span>. The role creation page is displayed.</li><li id="EN-US_TOPIC_0000001965496885__li16234145210132">In the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol17241171712"><b>Name</b></span> area, set the role name.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig32601740191415"><span class="figcap"><b>Figure 6 </b>Setting a role name</span><br><span><img id="EN-US_TOPIC_0000001965496885__image159901834141410" src="figure/en-us_image_0000001938218636.png"></span></div>
</li><li id="EN-US_TOPIC_0000001965496885__li177392931414">On the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol1391516416154"><b>Cluster Permissions</b></span> page, set cluster permissions based on service requirements. If no cluster permission is specified for a role, the role has no cluster-level permissions.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig123901559176"><span class="figcap"><b>Figure 7 </b>Assigning cluster-level permissions</span><br><span><img id="EN-US_TOPIC_0000001965496885__image12249171151716" src="figure/en-us_image_0000001938377996.png"></span></div>
</li><li id="EN-US_TOPIC_0000001965496885__li15981349189">In the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol1998743188"><b>Index Permissions</b></span> area, set the index permission.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig75714326205"><span class="figcap"><b>Figure 8 </b>Setting index permissions</span><br><span><img id="EN-US_TOPIC_0000001965496885__image1576324207" src="figure/en-us_image_0000001938218644.png"></span></div>
</li><li id="EN-US_TOPIC_0000001965496885__li185793217207">On the <strong id="EN-US_TOPIC_0000001965496885__b11411814123817">Tenant Permissions</strong> page, set role permissions.<div class="fignone" id="EN-US_TOPIC_0000001965496885__fig19985195582216"><span class="figcap"><b>Figure 9 </b>Role permissions</span><br><span><img id="EN-US_TOPIC_0000001965496885__image5537144312221" src="figure/en-us_image_0000001938218648.png"></span></div>
<p id="EN-US_TOPIC_0000001965496885__p1346385502314">After the setting is complete, you can view the created role on the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol7446132920171"><b>Roles</b></span> page.</p>
</li></ol>
</p></li><li id="EN-US_TOPIC_0000001965496885__li131909597110"><span>Map the user to the role.</span><p><ol type="a" id="EN-US_TOPIC_0000001965496885__ol191901459141112"><li id="EN-US_TOPIC_0000001965496885__li201901590118">Select <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol125511013203712"><b>Roles</b></span> from the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol65521713183712"><b>Security</b></span> drop-down list box.</li><li id="EN-US_TOPIC_0000001965496885__li1484144152815">On the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol584054742811"><b>Roles</b></span> page, select the role to be mapped. The role mapping page is displayed.<p id="EN-US_TOPIC_0000001965496885__p1614212299302"><span><img id="EN-US_TOPIC_0000001965496885__image971510297308" src="figure/en-us_image_0000001938218640.png"></span></p>
</li><li id="EN-US_TOPIC_0000001965496885__li14368151116295">On the <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol1994203819171"><b>Mapped users</b></span> tab page, click <span class="uicontrol" id="EN-US_TOPIC_0000001965496885__uicontrol55131743161712"><b>Map users</b></span> and select the user to be mapped from the <strong id="EN-US_TOPIC_0000001965496885__b711471318404">users</strong> drop-down list box.<p id="EN-US_TOPIC_0000001965496885__p124900017321"><span><img id="EN-US_TOPIC_0000001965496885__image1749410193213" src="figure/en-us_image_0000001965497217.png"></span></p>
</li><li id="EN-US_TOPIC_0000001965496885__li1366321319562">Click <strong id="EN-US_TOPIC_0000001965496885__b664411894013">Map</strong>.</li><li id="EN-US_TOPIC_0000001965496885__li106481633155610">After the configuration is complete, you can check in OpenSearch Dashboards whether the mapping has taken effect.</li></ol>
</p></li></ol>
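The three objects that steps 2 to 4 create in the Dashboards UI (an internal user, a role, and a role mapping) can also be created through the security plug-in's REST API. The following is an added example, not code from the CSS documentation; it assumes the API path prefix /_plugins/_security/api (older plug-in versions expose /_opendistro/_security/api instead), that the cluster endpoint is reachable by an administrator account, and uses constructed sample names. The role keeps to the SEARCH action group on named index patterns and no cluster-level permission, which is the least-privilege shape the procedure describes.

```python
# Added example: build and apply the internal user, role and role mapping that
# the Dashboards procedure creates, via the security plug-in REST API.
import base64
import json
import urllib.request

# Assumed path prefix; older clusters expose /_opendistro/_security/api instead.
API_PREFIX = "/_plugins/_security/api"


def build_requests(username, password, role, index_patterns, tenant):
    """Return (method, path, body) tuples in the order the UI steps apply them."""
    user_body = {"password": password, "backend_roles": [], "attributes": {}}
    # Least privilege: only the page's SEARCH action group, only on the named
    # index patterns, read-only tenant access and no cluster-level permission.
    role_body = {
        "cluster_permissions": [],
        "index_permissions": [{"index_patterns": list(index_patterns),
                               "allowed_actions": ["SEARCH"]}],
        "tenant_permissions": [{"tenant_patterns": [tenant],
                                "allowed_actions": ["kibana_all_read"]}],
    }
    # Map by username only; backend_roles and hosts stay empty on purpose.
    mapping_body = {"users": [username], "backend_roles": [], "hosts": []}
    return [
        ("PUT", f"{API_PREFIX}/internalusers/{username}", user_body),
        ("PUT", f"{API_PREFIX}/roles/{role}", role_body),
        ("PUT", f"{API_PREFIX}/rolesmapping/{role}", mapping_body),
    ]


def apply_requests(base_url, admin_user, admin_password, requests):
    """Send each request with HTTP basic auth and return the status codes."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    statuses = []
    for method, path, body in requests:
        req = urllib.request.Request(
            base_url + path, method=method, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Constructed sample values; replace with your cluster endpoint and names.
    reqs = build_requests("bob", "S3cret-pw!", "logs_reader", ["logs-*"],
                          "example_tenant")
    for method, path, body in reqs:
        print(method, path, json.dumps(body))
```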
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0274.html">Managing OpenSearch Clusters</a></div>
</div>
</div>