Understanding access control in Aiven for OpenSearch®#
Implementing access control and permissions is essential in maintaining secure access to data stored in Aiven for OpenSearch®. This article provides an overview of how access control works in Aiven for OpenSearch®, including the different types of permissions that can be used to control access.
Patterns and permissions#
Access control in OpenSearch is achieved through the use of patterns and permissions. A pattern is a string in glob-style that specifies the indices to which the permission applies, while the permission defines the level of access granted to the user for the matching indices.
Patterns are glob-style strings that use the following syntax:
*: Matches any number of characters (including none)
?: Matches any single character
The permissions available in Aiven for OpenSearch®, ordered by importance, are:
deny: Explicitly denies access
admin: Allows unlimited access to the index
readwrite: Grants full access to documents
read: Allows only searching and retrieving documents
write: Allows updating, adding, and deleting documents
The permission also determines which index APIs the user can access:
deny: No access
admin: No restrictions
readwrite: Allows access to
read: Allows access to
write: Allows access to
When no rules match, access is implicitly denied.
writepermission allows creating indices that match the rule’s index pattern but does not allow deleting them. Indices can only be deleted when a matching
adminpermission rule exists.
As an example, consider the following set of rules:
This set of rules would allow the service user to:
Add documents to
Retrieve and search documents from
Gain full access to
Gain full access to
logs_20190115(fifth rule, as the
adminpermission gets higher priority than the
readpermission in the fourth rule)
This same set of rules would deny the service user from:
Gain any access to
messages_2019(no matching rules)
Read or search documents from
events_2018(the second rule only grants
Write to or use the API
for logs_20171230(the first rule only grants
Access control for aliases#
Access control and aliases are key concepts in OpenSearch. Aliases are virtual indices that can reference one or more physical indices, simplifying the management and search of data. You can define access control rules for aliases to ensure proper security and control over data access.
When working with aliases in OpenSearch, it’s essential to remember how access control rules apply to them:
Aliases are not automatically expanded in access control. Therefore, the ACL must explicitly include a rule that matches the alias pattern.
Only access control rules that match the alias pattern will be applied, while rules that match the physical indices the alias expands to will not be used.
Access to top-level APIs#
You can control access to “top-level” APIs in addition to indices using ACLs. This can be achieved by creating an API-specific rule to manage access to these APIs.
Service controlled APIs#
The following top-level APIs are controlled by the OpenSearch service and not by the ACLs defined by you:
Enabling OpenSearch Security management provides control over the top-level APIs -
Using ACLs to control access#
Only rules starting with
_ ``are considered for controlling access to top-level APIs, and normal index rules do not grant access to these APIs. For example, a rule like ``*search/admin only grants access to indices that match the pattern, not to
_*/admingrants unlimited access to all top-level APIs
_msearch/admingrants unlimited access to the
ACLs only control access to the API and not its usage. Granting access to the top-level API will effectively bypass index-specific rules. For example, granting
_msearch/admin access allows searching any index via the API as the indices to search are defined in the request body itself.
When granting top-level API access via an explicit ACL, the requested content is not examined.
Access control and OpenSearch Dashboards#
Enabling ACLs does not restrict access to OpenSearch Dashboards. However, all requests made by OpenSearch Dashboards are checked against the current user’s ACLs.
You might encounter
HTTP 500 internal server errors when you try to view dashboards as a service user with read-only access to certain indices, as these dashboards call the
_msearch API. o prevent this, add a new ACL rule that grants
admin access to
_msearch for that service user.
Learn how to :doc: enable and manage access control <../howto/control_access_to_content> for your Aiven for OpenSearch® service.