From 5194d5419bed28dd7792204e1df865bf90fe8762 Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Wed, 1 May 2024 11:42:37 +1000 Subject: [PATCH 01/14] Added documentation for managed identity support in repository-azure plugins Signed-off-by: Chengwu Shi --- .../snapshots/snapshot-restore.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index 91d0baca92..cc2d426a1f 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -296,6 +296,35 @@ Use the following steps to register a snapshot repository backed by an Azure sto } ``` +### Microsoft Azure + +1. To use a Microsoft Azure Blob Storage as a snapshot repository, install the `repository-azure` plugin on all nodes: + + ```bash + sudo ./bin/opensearch-plugin install repository-azure + ``` + +1. (Optional) If you're using token credential instead of SAS token or an account key: + + 1. Define your azure storage account name in secure setting: + + ```bash + sudo ./bin/opensearch-keystore add azure.client.default.account + ``` + + 1. Add your token credential type to `opensearch.yml`: + + ```yml + azure.client.default.token_credential_type: "managed" # Both "managed" or "managed_identity" are valid values, and the value is not case-sensitive. + ``` + + 1. Useful information when using token credential: + + - At the moment, azure managde identity is only token credential support. + - Token credential is disabled by default. + - If both token credential and sas token are configured, token credential will be used for authentication instead + of sas token. Similar behaviour when both token credential and account key are configured. + ## Take snapshots You specify two pieces of information when you create a snapshot: From dc4d02e864e6adc85939d0096454c2b76938b17f Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Wed, 1 May 2024 11:56:05 +1000 Subject: [PATCH 02/14] fixed syntax Signed-off-by: Chengwu Shi --- .../snapshots/snapshot-restore.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index cc2d426a1f..95deb4c1af 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -318,12 +318,12 @@ Use the following steps to register a snapshot repository backed by an Azure sto azure.client.default.token_credential_type: "managed" # Both "managed" or "managed_identity" are valid values, and the value is not case-sensitive. ``` - 1. Useful information when using token credential: +Useful information when using token credential: - - At the moment, azure managde identity is only token credential support. - - Token credential is disabled by default. - - If both token credential and sas token are configured, token credential will be used for authentication instead - of sas token. Similar behaviour when both token credential and account key are configured. + - At the moment, azure managde identity is only token credential support. + - Token credential is disabled by default. + - If both token credential and sas token are configured, token credential will be used for authentication instead + of sas token. Similar behaviour when both token credential and account key are configured. ## Take snapshots From 0ad763e3dcd9a74183feb3fdf5ec775fdf5e81e2 Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Wed, 1 May 2024 13:53:18 +1000 Subject: [PATCH 03/14] fixed style error Signed-off-by: Chengwu Shi --- .../snapshots/snapshot-restore.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index 95deb4c1af..c5e2c74567 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -296,7 +296,7 @@ Use the following steps to register a snapshot repository backed by an Azure sto } ``` -### Microsoft Azure +### Microsoft azure 1. To use a Microsoft Azure Blob Storage as a snapshot repository, install the `repository-azure` plugin on all nodes: @@ -320,10 +320,10 @@ Use the following steps to register a snapshot repository backed by an Azure sto Useful information when using token credential: - - At the moment, azure managde identity is only token credential support. + - At the moment, azure managed identity is the only token credential support. - Token credential is disabled by default. - - If both token credential and sas token are configured, token credential will be used for authentication instead - of sas token. Similar behaviour when both token credential and account key are configured. + - If both token credential and SAS token are configured, token credential will be used for authentication instead + of SAS token. Similar behaviour when both token credential and account key are configured. ## Take snapshots From c53d9899f7b80a8cfe75cc78347916f44da5ce48 Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Fri, 3 May 2024 18:09:11 +1000 Subject: [PATCH 04/14] remove sudo, and added 1 more point when configuring key or sas token Signed-off-by: Chengwu Shi --- .../snapshots/snapshot-restore.md | 29 +++++++++++++++---- 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index c5e2c74567..db8080eb78 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -301,15 +301,32 @@ Use the following steps to register a snapshot repository backed by an Azure sto 1. To use a Microsoft Azure Blob Storage as a snapshot repository, install the `repository-azure` plugin on all nodes: ```bash - sudo ./bin/opensearch-plugin install repository-azure + ./bin/opensearch-plugin install repository-azure ``` +1. To use `repository-azure` plugin after installation, you need to define your azure storage settings before + initialising the node: + + 1. Define your azure storage account name in secure setting: + + ```bash + ./bin/opensearch-keystore add azure.client.default.account + ``` + + 1. Specify your azure storage account key or SAS token in secure setting. Choose one option, either the key or the + token, but not both: + + ```bash + ./bin/opensearch-keystore add azure.client.default.key + ./bin/opensearch-keystore add azure.client.default.sas_token + ``` + 1. (Optional) If you're using token credential instead of SAS token or an account key: 1. Define your azure storage account name in secure setting: ```bash - sudo ./bin/opensearch-keystore add azure.client.default.account + ./bin/opensearch-keystore add azure.client.default.account ``` 1. Add your token credential type to `opensearch.yml`: @@ -320,10 +337,10 @@ Use the following steps to register a snapshot repository backed by an Azure sto Useful information when using token credential: - - At the moment, azure managed identity is the only token credential support. - - Token credential is disabled by default. - - If both token credential and SAS token are configured, token credential will be used for authentication instead - of SAS token. Similar behaviour when both token credential and account key are configured. +- At the moment, azure managed identity is the only token credential support. +- Token credential is disabled by default. +- If both token credential and SAS token are configured, token credential will be used for authentication instead + of SAS token. Similar behaviour when both token credential and account key are configured. ## Take snapshots From 32b0e9cd658236510cbfc3d1fb01845bd2be26f0 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Wed, 22 May 2024 10:31:41 -0500 Subject: [PATCH 05/14] Update section Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../snapshots/snapshot-restore.md | 71 +++++++++++-------- 1 file changed, 40 insertions(+), 31 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index db8080eb78..f63f57ec35 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -296,51 +296,60 @@ Use the following steps to register a snapshot repository backed by an Azure sto } ``` -### Microsoft azure +### Set up Microsoft Azure Blob Storage -1. To use a Microsoft Azure Blob Storage as a snapshot repository, install the `repository-azure` plugin on all nodes: +To use Microsoft Azure Blob Storage as a snapshot repository, install the `repository-azure` plugin on all nodes using the following command: - ```bash - ./bin/opensearch-plugin install repository-azure - ``` +```bash +./bin/opensearch-plugin install repository-azure +``` -1. To use `repository-azure` plugin after installation, you need to define your azure storage settings before - initialising the node: +To use `repository-azure` plugin after installation, define your Azure Blob Storage settings before initializing the node. - 1. Define your azure storage account name in secure setting: +Define your Azure Storage account name using the following secure setting: - ```bash - ./bin/opensearch-keystore add azure.client.default.account - ``` +```bash +./bin/opensearch-keystore add azure.client.default.account +``` - 1. Specify your azure storage account key or SAS token in secure setting. Choose one option, either the key or the - token, but not both: +Then, use one of the following options to set up your account keys for Azure Blod Storage. - ```bash - ./bin/opensearch-keystore add azure.client.default.key - ./bin/opensearch-keystore add azure.client.default.sas_token - ``` +#### Azure storage account key -1. (Optional) If you're using token credential instead of SAS token or an account key: +Use the following setting to specify your Azure Storage account key: - 1. Define your azure storage account name in secure setting: +```bash +./bin/opensearch-keystore add azure.client.default.key +``` - ```bash - ./bin/opensearch-keystore add azure.client.default.account - ``` +#### Shared access signatures (SAS) - 1. Add your token credential type to `opensearch.yml`: +Use the following setting when accessing Azure with an SAS token + +```bash +./bin/opensearch-keystore add azure.client.default.sas_token +``` - ```yml - azure.client.default.token_credential_type: "managed" # Both "managed" or "managed_identity" are valid values, and the value is not case-sensitive. - ``` +#### Azure credential token + +If you're using a non-SAS token credential or an account key, use the following steps: + +1. Define your Azure storage account name in secure setting: + + ```bash + ./bin/opensearch-keystore add azure.client.default.account + ``` + +2. Add your token credential type to `opensearch.yml`, using either the `managed` or `managed_identity` values: + + ```yml + azure.client.default.token_credential_type: "managed_identity" -Useful information when using token credential: +Remember the following information when using Azure token credentials: -- At the moment, azure managed identity is the only token credential support. -- Token credential is disabled by default. -- If both token credential and SAS token are configured, token credential will be used for authentication instead - of SAS token. Similar behaviour when both token credential and account key are configured. +- As of OpenSearch 2.14, one Azure Managed Identity tokens are supported. +- Token credential support is disabled in `opensearch.yml` by default. +- Token credentials will take precedent over Azure Storage account keys or SAS tokens when multiple options are configured. ## Take snapshots From b3123f0a5828e16959fdb383b389736f3b76d057 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Wed, 22 May 2024 10:37:43 -0500 Subject: [PATCH 06/14] Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../availability-and-recovery/snapshots/snapshot-restore.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index f63f57ec35..e9eb645e2a 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -312,7 +312,7 @@ Define your Azure Storage account name using the following secure setting: ./bin/opensearch-keystore add azure.client.default.account ``` -Then, use one of the following options to set up your account keys for Azure Blod Storage. +Then, use one of the following options to set up your account keys for Azure Blob Storage. #### Azure storage account key @@ -322,9 +322,9 @@ Use the following setting to specify your Azure Storage account key: ./bin/opensearch-keystore add azure.client.default.key ``` -#### Shared access signatures (SAS) +#### Shared access signatures tokens -Use the following setting when accessing Azure with an SAS token +Use the following setting when accessing Azure with a shared access signature (SAS) token: ```bash ./bin/opensearch-keystore add azure.client.default.sas_token From 9f39f1c0920c3f437faf6d7f72763f438e40c0f3 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Wed, 22 May 2024 10:38:13 -0500 Subject: [PATCH 07/14] Update snapshot-restore.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../availability-and-recovery/snapshots/snapshot-restore.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index e9eb645e2a..307b001755 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -343,7 +343,8 @@ If you're using a non-SAS token credential or an account key, use the following 2. Add your token credential type to `opensearch.yml`, using either the `managed` or `managed_identity` values: ```yml - azure.client.default.token_credential_type: "managed_identity" + azure.client.default.token_credential_type: "managed_identity" + ``` Remember the following information when using Azure token credentials: From 2feaeb4f0ef9191049f72b5703e29ea77964f353 Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Thu, 23 May 2024 16:37:38 +1000 Subject: [PATCH 08/14] improve readability and clarity Signed-off-by: Chengwu Shi --- .../snapshots/snapshot-restore.md | 73 +++++++++---------- 1 file changed, 33 insertions(+), 40 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index 307b001755..f77c836ed7 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -207,7 +207,7 @@ You will most likely not need to specify any parameters except for `location`. F You will most likely not need to specify any parameters except for `bucket` and `base_path`. For allowed request parameters, see [Register or update snapshot repository API](https://opensearch.org/docs/latest/api-reference/snapshots/create-repository/). -### Registering an Azure storage account +### Registering an Azure storage account for kubernetes deployment using Helm and Docker Use the following steps to register a snapshot repository backed by an Azure storage account for an OpenSearch cluster deployed using Helm. @@ -296,61 +296,54 @@ Use the following steps to register a snapshot repository backed by an Azure sto } ``` -### Set up Microsoft Azure Blob Storage +### General set up to use Microsoft Azure Blob Storage -To use Microsoft Azure Blob Storage as a snapshot repository, install the `repository-azure` plugin on all nodes using the following command: +To utilize Microsoft Azure Blob Storage as a snapshot repository, follow the steps below: +1. Install the `repository-azure` plugin on all nodes with the following command: -```bash -./bin/opensearch-plugin install repository-azure -``` - -To use `repository-azure` plugin after installation, define your Azure Blob Storage settings before initializing the node. - -Define your Azure Storage account name using the following secure setting: - -```bash -./bin/opensearch-keystore add azure.client.default.account -``` - -Then, use one of the following options to set up your account keys for Azure Blob Storage. - -#### Azure storage account key + ```bash + ./bin/opensearch-plugin install repository-azure + ``` -Use the following setting to specify your Azure Storage account key: +1. Once the repository-azure plugin is installed, define your Azure Blob Storage settings before initializing the node. Start by defining your Azure Storage account name using the following secure setting: -```bash -./bin/opensearch-keystore add azure.client.default.key -``` + ```bash + ./bin/opensearch-keystore add azure.client.default.account + ``` -#### Shared access signatures tokens +1. choose one of the following options to set up your authentication credentials for Azure Blob Storage: -Use the following setting when accessing Azure with a shared access signature (SAS) token: - -```bash -./bin/opensearch-keystore add azure.client.default.sas_token -``` + #### Using Azure storage account key + + Use the following setting to specify your Azure Storage account key: + + ```bash + ./bin/opensearch-keystore add azure.client.default.key + ``` -#### Azure credential token + #### Shared access signature (SAS) + + Use the following setting when accessing Azure with a shared access signature: + + ```bash + ./bin/opensearch-keystore add azure.client.default.sas_token + ``` -If you're using a non-SAS token credential or an account key, use the following steps: + #### Azure credential token -1. Define your Azure storage account name in secure setting: + Starting from OpenSearch 2.15.0, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. - ```bash - ./bin/opensearch-keystore add azure.client.default.account - ``` + If you opt for token credential authentication, you will need to choose a token credential type. Although Azure offers multiple token credential types, as of OpenSearch version 2.15.0, only managed identity is supported. -2. Add your token credential type to `opensearch.yml`, using either the `managed` or `managed_identity` values: + To use managed identity, add your token credential type to `opensearch.yml` using either `managed` or `managed_identity` values. This indicates that managed identity is being used to perform token credential authentication: ```yml azure.client.default.token_credential_type: "managed_identity" ``` -Remember the following information when using Azure token credentials: - -- As of OpenSearch 2.14, one Azure Managed Identity tokens are supported. -- Token credential support is disabled in `opensearch.yml` by default. -- Token credentials will take precedent over Azure Storage account keys or SAS tokens when multiple options are configured. + Remember the following information when using Azure token credentials: + - Token credential support is disabled in `opensearch.yml` by default. + - Token credentials will take precedent over Azure Storage account key or SAS when multiple options are configured. ## Take snapshots From 8839a753c34e4102d236f5097f2f82b0694c556c Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Thu, 23 May 2024 16:49:20 +1000 Subject: [PATCH 09/14] improved naming Signed-off-by: Chengwu Shi --- .../availability-and-recovery/snapshots/snapshot-restore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index f77c836ed7..a080a11ba0 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -329,7 +329,7 @@ To utilize Microsoft Azure Blob Storage as a snapshot repository, follow the ste ./bin/opensearch-keystore add azure.client.default.sas_token ``` - #### Azure credential token + #### Azure token credential Starting from OpenSearch 2.15.0, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. From 940a9a02ddf459efb8e8607d9d7f57a5baf5509d Mon Sep 17 00:00:00 2001 From: chengwushi-netapp <153049940+chengwushi-netapp@users.noreply.github.com> Date: Fri, 24 May 2024 09:11:02 +1000 Subject: [PATCH 10/14] Update _tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: chengwushi-netapp <153049940+chengwushi-netapp@users.noreply.github.com> --- .../availability-and-recovery/snapshots/snapshot-restore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index a080a11ba0..ebaf7295bf 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -207,7 +207,7 @@ You will most likely not need to specify any parameters except for `location`. F You will most likely not need to specify any parameters except for `bucket` and `base_path`. For allowed request parameters, see [Register or update snapshot repository API](https://opensearch.org/docs/latest/api-reference/snapshots/create-repository/). -### Registering an Azure storage account for kubernetes deployment using Helm and Docker +### Registering an Azure storage account using Helm Use the following steps to register a snapshot repository backed by an Azure storage account for an OpenSearch cluster deployed using Helm. From 44383ce9969642e3e73d59601c5f20297fdd69b0 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Tue, 11 Jun 2024 16:16:53 -0500 Subject: [PATCH 11/14] Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../snapshots/snapshot-restore.md | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index ebaf7295bf..c6333a45c8 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -296,52 +296,53 @@ Use the following steps to register a snapshot repository backed by an Azure sto } ``` -### General set up to use Microsoft Azure Blob Storage +### Set up Microsoft Azure Blob Storage -To utilize Microsoft Azure Blob Storage as a snapshot repository, follow the steps below: +To utilize Microsoft Azure Blob Storage as a snapshot repository, use the following steps: 1. Install the `repository-azure` plugin on all nodes with the following command: ```bash ./bin/opensearch-plugin install repository-azure ``` -1. Once the repository-azure plugin is installed, define your Azure Blob Storage settings before initializing the node. Start by defining your Azure Storage account name using the following secure setting: +1. After the `repository-azure` plugin is installed, define your Azure Blob Storage settings before initializing the node. Start by defining your Azure Storage account name using the following secure setting: ```bash ./bin/opensearch-keystore add azure.client.default.account ``` -1. choose one of the following options to set up your authentication credentials for Azure Blob Storage: +Choose one of the following options to set up your authentication credentials for Azure Blob Storage: - #### Using Azure storage account key +#### Using Azure storage account key - Use the following setting to specify your Azure Storage account key: +Use the following setting to specify your Azure Storage account key: - ```bash - ./bin/opensearch-keystore add azure.client.default.key +```bash +./bin/opensearch-keystore add azure.client.default.key ``` - #### Shared access signature (SAS) +#### Shared access signature - Use the following setting when accessing Azure with a shared access signature: +Use the following setting when accessing Azure with a shared access signature (SAS): - ```bash - ./bin/opensearch-keystore add azure.client.default.sas_token +```bash +./bin/opensearch-keystore add azure.client.default.sas_token ``` - #### Azure token credential +#### Azure token credential - Starting from OpenSearch 2.15.0, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. + Starting from OpenSearch 2.15, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. - If you opt for token credential authentication, you will need to choose a token credential type. Although Azure offers multiple token credential types, as of OpenSearch version 2.15.0, only managed identity is supported. +If you choose to use token credential authentication, you will need to choose a token credential type. Although Azure offers multiple token credential types, as of OpenSearch version 2.15, only [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) is supported. - To use managed identity, add your token credential type to `opensearch.yml` using either `managed` or `managed_identity` values. This indicates that managed identity is being used to perform token credential authentication: +To use managed identity, add your token credential type to `opensearch.yml` using either `managed` or `managed_identity` values. This indicates that managed identity is being used to perform token credential authentication: - ```yml - azure.client.default.token_credential_type: "managed_identity" +```yml +azure.client.default.token_credential_type: "managed_identity" ``` - Remember the following information when using Azure token credentials: +Remember the following information when using Azure token credentials: + - Token credential support is disabled in `opensearch.yml` by default. - Token credentials will take precedent over Azure Storage account key or SAS when multiple options are configured. From e2c5cf4d529977b38f9451f1cc99e744fb7b51e7 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Tue, 11 Jun 2024 16:17:41 -0500 Subject: [PATCH 12/14] Update snapshot-restore.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../snapshots/snapshot-restore.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index c6333a45c8..8556e72062 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -319,7 +319,7 @@ Use the following setting to specify your Azure Storage account key: ```bash ./bin/opensearch-keystore add azure.client.default.key - ``` +``` #### Shared access signature @@ -331,7 +331,7 @@ Use the following setting when accessing Azure with a shared access signature (S #### Azure token credential - Starting from OpenSearch 2.15, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. +Starting from OpenSearch 2.15, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. If you choose to use token credential authentication, you will need to choose a token credential type. Although Azure offers multiple token credential types, as of OpenSearch version 2.15, only [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) is supported. @@ -339,12 +339,12 @@ To use managed identity, add your token credential type to `opensearch.yml` usin ```yml azure.client.default.token_credential_type: "managed_identity" - ``` +``` Remember the following information when using Azure token credentials: - - Token credential support is disabled in `opensearch.yml` by default. - - Token credentials will take precedent over Azure Storage account key or SAS when multiple options are configured. +- Token credential support is disabled in `opensearch.yml` by default. +- Token credentials will take precedent over Azure Storage account key or SAS when multiple options are configured. ## Take snapshots From ad1a03d6cf19a7d0d2d316c8ee9676f2f3158ce4 Mon Sep 17 00:00:00 2001 From: Chengwu Shi Date: Wed, 12 Jun 2024 14:01:50 +1000 Subject: [PATCH 13/14] fixed syntax based on requested changes Signed-off-by: Chengwu Shi --- .../availability-and-recovery/snapshots/snapshot-restore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index 8556e72062..8a68c1f2ce 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -327,7 +327,7 @@ Use the following setting when accessing Azure with a shared access signature (S ```bash ./bin/opensearch-keystore add azure.client.default.sas_token - ``` +``` #### Azure token credential From bfb710a339fb43d5636208ea904de96233b1cbe3 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Wed, 12 Jun 2024 15:50:26 -0500 Subject: [PATCH 14/14] Apply suggestions from code review Co-authored-by: Nathan Bower Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../snapshots/snapshot-restore.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index 8a68c1f2ce..6873b62113 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md @@ -207,7 +207,7 @@ You will most likely not need to specify any parameters except for `location`. F You will most likely not need to specify any parameters except for `bucket` and `base_path`. For allowed request parameters, see [Register or update snapshot repository API](https://opensearch.org/docs/latest/api-reference/snapshots/create-repository/). -### Registering an Azure storage account using Helm +### Registering a Microsoft Azure storage account using Helm Use the following steps to register a snapshot repository backed by an Azure storage account for an OpenSearch cluster deployed using Helm. @@ -298,7 +298,7 @@ Use the following steps to register a snapshot repository backed by an Azure sto ### Set up Microsoft Azure Blob Storage -To utilize Microsoft Azure Blob Storage as a snapshot repository, use the following steps: +To use Azure Blob Storage as a snapshot repository, follow these steps: 1. Install the `repository-azure` plugin on all nodes with the following command: ```bash @@ -311,9 +311,9 @@ To utilize Microsoft Azure Blob Storage as a snapshot repository, use the follow ./bin/opensearch-keystore add azure.client.default.account ``` -Choose one of the following options to set up your authentication credentials for Azure Blob Storage: +Choose one of the following options for setting up your Azure Blob Storage authentication credentials. -#### Using Azure storage account key +#### Using an Azure Storage account key Use the following setting to specify your Azure Storage account key: @@ -331,20 +331,20 @@ Use the following setting when accessing Azure with a shared access signature (S #### Azure token credential -Starting from OpenSearch 2.15, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which necessitates a SAS or an account key. +Starting in OpenSearch 2.15, you have the option to configure a token credential authentication flow in `opensearch.yml`. This method is distinct from connection string authentication, which requires a SAS or an account key. If you choose to use token credential authentication, you will need to choose a token credential type. Although Azure offers multiple token credential types, as of OpenSearch version 2.15, only [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) is supported. -To use managed identity, add your token credential type to `opensearch.yml` using either `managed` or `managed_identity` values. This indicates that managed identity is being used to perform token credential authentication: +To use managed identity, add your token credential type to `opensearch.yml` using either the `managed` or `managed_identity` value. This indicates that managed identity is being used to perform token credential authentication: ```yml azure.client.default.token_credential_type: "managed_identity" ``` -Remember the following information when using Azure token credentials: +Note the following when using Azure token credentials: - Token credential support is disabled in `opensearch.yml` by default. -- Token credentials will take precedent over Azure Storage account key or SAS when multiple options are configured. +- A token credential takes precedence over an Azure Storage account key or a SAS when multiple options are configured. ## Take snapshots