How to enforce app key in opensearch?

Hi all,

I have multiple applications hosted on the same server (host) and they all access OpenSearch. Is there a way to identify which application is calling OpenSearch? And is there a way to enforce an “app_key” so that users cannot call OpenSearch unless they are coming from authorized apps?

Thanks

@asfoorial There is an open issue for API-key generation, which I think would be ideal for your use case.

As a potential workaround you can create different users and credentials for each application and assign the correct roles based on the access needed and use basic auth to authenticate the applications.

Also, you can use hosts to map users based on their IP address, by configuring the hosts in roles_mappings.yml:

example_role:
  reserved: false
  hidden: false
  hosts: ["192.168.65.1"]
  users: []
  and_backend_roles: []

Hope this helps

Unfortunately an api key and a user per application won’t work! For example, user1 (for example an Active Directory user) might access opensearch from multiple applications (hosted on the same host). The user’s permissions are determined by roles and he is audited in the security audit indices. Having an api key or application users would require reimplementing both the permission and audit layers outside opensearch!

What I need is to have an app key in conjunction with the normal user authentication/authorization layer.

It could also be something as simple as intercepting HTTP calls and enforcing/validating certain headers from the API caller.

Thanks
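A sketch of the header-check idea from the post above, as an added example that is not part of this thread or of OpenSearch itself: a small gateway in front of OpenSearch validates a per-application key header and only then forwards the request with the caller's own Authorization header intact, so OpenSearch still performs the user authentication, authorization and auditing. The header names (X-App-Name, X-App-Key), the application names and the keys are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple

# Constructed per-application keys (hypothetical). Only hashes are kept here;
# in practice they would be loaded from a secret store, never hard-coded.
APP_KEY_HASHES = {
    "billing-app": hashlib.sha256(b"constructed-key-billing").hexdigest(),
    "reporting-app": hashlib.sha256(b"constructed-key-reporting").hexdigest(),
}
# Hash of a value no client knows, compared against when the app name is
# unknown, so valid and invalid app names take the same time to reject.
DUMMY_HASH = hashlib.sha256(b"constructed-unused-value").hexdigest()

APP_HEADER = "x-app-name"   # assumed header carrying the application name
KEY_HEADER = "x-app-key"    # assumed header carrying the application key


def identify_app(headers: Mapping[str, str]) -> Optional[str]:
    """Return the application name if its presented key is valid, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    app, key = h.get(APP_HEADER), h.get(KEY_HEADER)
    if not app or not key:
        return None
    presented = hashlib.sha256(key.encode()).hexdigest()
    expected = APP_KEY_HASHES.get(app, DUMMY_HASH)
    # Constant-time comparison so the check does not leak key material by timing.
    if not hmac.compare_digest(presented, expected):
        return None
    return app


def gate_request(headers: Mapping[str, str]) -> Tuple[int, str, Optional[str], Optional[dict]]:
    """Decide whether to forward a request to OpenSearch.

    Returns (status, reason, app, headers_to_forward). The caller's own
    Authorization header is required and passed through unchanged, so the
    user's permissions and audit trail stay entirely inside OpenSearch.
    """
    h = {k.lower(): v for k, v in headers.items()}
    app = identify_app(h)
    if app is None:
        return 403, "unknown or missing app key", None, None
    if "authorization" not in h:
        return 401, "user credentials required", app, None
    # Strip the app key before forwarding so it never reaches OpenSearch or its logs.
    forward = {k: v for k, v in h.items() if k != KEY_HEADER}
    return 200, "forward", app, forward
```

The gateway itself is the place to log which application (the returned `app`) made each call, since that identity is what OpenSearch does not see.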

@asfoorial I would recommend raising a feature request for this, but distinguish it clearly from the Api Key auth issue mentioned earlier.