opensearch-project · Naarcha-AWS · Jun 5, 2024 · May 1, 2024 · May 1, 2024 · May 1, 2024
@@ -242,3 +242,42 @@
 1. Choose the **Mapped users** tab and **Manage mapping**.
 1. For **Internal users**, add your bulk access user.
 1. Choose **Map**.
+
+## Admin and super admin roles in OpenSearch security
+
+User roles in OpenSearch are essential for controlling access to cluster resources and functionalities. Users can be categorized as regular users, admin users, or super admin users based on their access rights and responsibilities.
+
+For more information about defining a user, see [Defining users](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-users). For more information about defining roles, see [Defining roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-roles).
+
+
+### Regular users
+Regular users have basic access permissions to interact with the OpenSearch cluster, such as querying data and using dashboards, but they do not have administrative privileges.
+
+### Admin users
+Admin users in OpenSearch have elevated permissions allowing them to perform various administrative tasks within the cluster. They have broader access compared to regular users, which includes:
+- Managing users and roles
+- Configuring permissions
+- Adjusting backend settings
+
+Admin users can perform these tasks by configuring settings in the `opensearch.yml` file, using OpenSearch Dashboards, or interacting with the REST API. For more information about configuring users and roles, see [predefined roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#predefined-roles).
+
+### Super admin users
+Super admins hold the highest level of administrative authority within the OpenSearch environment. This role is typically reserved for select users and is maintained carefully.
+
+Super admin users have unrestricted access to all settings and data within the cluster, including the following tasks:
+- Modify Security plugin configurations
+- Access and manage the security index `.opendistro_security`
+- Override any security limitations
+
+#### Authentication of super admin role
+
+Super admins are authenticated through certificates, not passwords. The necessary certificates are defined in the `admin_dn` section of the `opensearch.yml` file and must be signed with the same root CA to verify and connect it to the cluster.
+```
+YAML
+plugins.security.authcz.admin_dn:
+- CN=kirk,OU=client,O=client,L=test, C=de
+``` 
+
+If the super admin certificate is signed by a different CA, then the admin CA must be concatenated with the node's CA in the file defined in `plugins.security.ssl.http.pemtrustedcas_filepath` in `opensearch.yml`. 
+
+For more information, see [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-super-admin-certificates).
@@ -128,14 +128,16 @@ If your node certificates have an Object ID (OID) identifier in the SAN section,
 
 ## Configuring admin certificates
 
-Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s):
+Super admin certificates are regular client certificates that have elevated rights to perform administrative security and OpenSearch related tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Super admin certificates are configured in `opensearch.yml` by stating their DN(s):
 
 ```yml
 plugins.security.authcz.admin_dn:
   - CN=admin,OU=SSL,O=Test,L=Test,C=DE
 ```
 
-For security reasons, you can't use wildcards or regular expressions here.
+For security reasons, you cannot use wildcards or regular expressions here. 
+
+For more information about admin and super admin users, see [Admin and super admin roles in OpenSearch security](https://opensearch.org/docs/latest/security/access-control/users-roles/#admin-and-super-admin-roles-in-opensearch-security) and [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-super-admin-certificates).
 
 
 ## (Advanced) OpenSSL
@@ -237,7 +239,6 @@ plugins.security.ssl.http.enabled_protocols:
   - "TLSv1.2"
 ```
 
-
 ## (Advanced) Disabling client initiated renegotiation for Java 8
 
 Set `-Djdk.tls.rejectClientInitiatedRenegotiation=true` to disable secure client initiated renegotiation, which is enabled by default. This can be set via `OPENSEARCH_JAVA_OPTS` in `config/jvm.options`.

@@ -92,7 +92,7 @@ Connected as CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE
 ERR: CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user
 ```
 
-You must use an admin certificate when executing the script. To learn more, see [Configuring admin certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates).
+You must use an admin certificate when executing the script. To learn more, see  [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
 
 ## Use the diagnose option