Skip to content

afazel/security

Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

CI codecov

OpenSearch Security

OpenSearch Security is an OpenSearch plugin that offers encryption, authentication, and authorization. When combined with OpenSearch Security-Advanced Modules, it supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens, SAML, OpenID and more. It includes fine grained role-based access control to indices, documents and fields. It also provides multi-tenancy support in OpenSearch Dashboards.

Features provided by Security

Encryption:

  • Full data in transit encryption
  • Node-to-node encryption
  • Certificate revocation lists
  • Hot Certificate renewal

Authentication:

  • Internal user database
  • HTTP basic authentication
  • PKI authentication
  • Proxy authentication
  • User Impersonation
  • Active Directory / LDAP
  • Kerberos / SPNEGO
  • JSON web token (JWT)
  • OpenID Connect (OIDC)
  • SAML

Access control:

  • Role-based cluster level access control
  • Role-based index level access control
  • User-, role- and permission management
  • Document-level security
  • Field-level security
  • REST management API

Audit/Compliance logging:

  • Audit logging
  • Compliance logging for GDPR, HIPAA, PCI, SOX and ISO compliance

OpenSearch Dashboards multi-tenancy

  • True OpenSearch Dashboards multi-tenancy

Documentation

Please refer to the technical documentation for detailed information on installing and configuring opensearch-security plugin.

Quick Start

  • Install OpenSearch

  • Install the opensearch-security plugin for your OpenSearch version 1.0.0-beta1, e.g.:

<OpenSearch directory>/bin/opensearch-plugin install \
  -b org.opensearch:opensearch-security:1.0.0.0-beta1
  • cd into <OpenSearch directory>/plugins/opensearch-security/tools

  • Execute ./install_demo_configuration.sh, chmod the script first if necessary. This will generate all required TLS certificates and add the Security Plugin Configuration to your opensearch.yml file.

  • Start OpenSearch

  • Test the installation by visiting https://localhost:9200. When prompted, use admin/admin as username and password. This user has full access to the cluster.

  • Display information about the currently logged in user by visiting https://localhost:9200/_plugins/_security/authinfo.

Test and Build

  • Run all tests
mvn clean test
  • Build artifacts (zip, deb, rpm)
mvn clean package -Padvanced -DskipTests
artifact_zip=`ls $(pwd)/target/releases/opensearch-security-*.zip | grep -v admin-standalone`
./gradlew build buildDeb buildRpm --no-daemon -ParchivePath=$artifact_zip -Dbuild.snapshot=false

Config hot reloading

The Security Plugin Configuration is stored in a dedicated index in OpenSearch itself. Changes to the configuration are pushed to this index via the command line tool. This will trigger a reload of the configuration on all nodes automatically. This has several advantages over configuration via opensearch.yml:

  • Configuration is stored in a central place
  • No configuration files on the nodes necessary
  • Configuration changes do not require a restart
  • Configuration changes take effect immediately

Contributing

See developer guide and how to contribute to this project.

Getting Help

If you find a bug, or have a feature request, please don't hesitate to open an issue in this repository.

For more information, see project website and documentation. If you need help and are unsure where to open an issue, try forums.

Code of Conduct

This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ, or contact [email protected] with any additional questions or comments.

Security

If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page. Please do not create a public GitHub issue.

License

This code is licensed under the Apache 2.0 License.

Copyright

Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.

About

πŸ” OpenSearch Security plugin

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 99.5%
  • Other 0.5%