I'm new to OpenSearch, and I'm trying to configure OpenSearch using a few customizations. The first thing is that I want to set up a different authentication method using OpenID Connect instead of using the internal user database file. As a start, I tried taking copies of different security config files such as config.yml and internal_users.yml to try some customizations. I have commented out all other authc options in config.yml and kept only basic_internal_auth_domain. And I added a new user with a password in the internal_users.yml as well. Then I mounted the customized config files to opensearch-nodes through docker-compose.yml. When I start the cluster using docker-compose up, the dashboard gets up and running, but I can't log in with the new user credentials I added. Also, after logging in with the admin credentials, I can still see the authentication methods in the security settings even though I have removed them in the mounted config.yml file. I checked whether the files are correctly mounted using a bash shell inside the containers, and they are correctly mounted. Can someone explain whether I am doing these customizations wrong? Following are the parts of the files I modified.
config.yml
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
internal_users.yml
# Define your internal users here
## Demo users
customadmin:
  hash: "$2a$12$wzKZMYOQZ0KE8WsgfXqQxuvflKlzmSTprlPZrAaJDcXnhjgmrVZNm"
  reserved: false
  backend_roles:
  - "admin"
  description: "Demo admin user for customization purpose"
...
docker-compose.yaml
services:
  opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
    image: opensearchproject/opensearch:2.11.1 # Use the 2.11.1 version of OpenSearch for all nodes
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-node1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
      - ./node-configs/opensearch-security/config.yml:/usr/share/opensearch/config/opensearch-security/config.yml # Mount the custom OpenSearch Security configuration file for AuthN and AuthZ
      - ./node-configs/opensearch-security/internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml # Mount the custom OpenSearch Security internal users configuration file
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
  # same with node 2