How to secure and authenticate opensearch-client

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
3.2.1

Describe the issue:
How to secure and authenticate opensearch-client

Configuration:

Relevant Logs or Screenshots:

Hi @abdul, the question is very broad. Also, I assume you are referring to OpenSearch version 3.2.0.

As an example, you can use the following Docker Compose file to spin up a secure single-node cluster:

services:
  opensearch:
    image: opensearchproject/opensearch:3.2.0
    container_name: opensearch-client-auth
    environment:
      - discovery.type=single-node
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=MyR3pr0@Secur3!
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - bootstrap.memory_lock=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "9200:9200"
    healthcheck:
      test: ["CMD-SHELL", "curl -sku admin:'MyR3pr0@Secur3!' https://localhost:9200/_cluster/health | grep -qE '\"status\":\"(green|yellow)\"'"]
      interval: 15s
      timeout: 10s
      retries: 40

You can use the Python client script below to connect to the secure cluster using opensearchpy:


from opensearchpy import OpenSearch

HOST = "localhost"
PORT = 9200
AUTH = ("admin", "MyR3pr0@Secur3!")
CA_CERT = "root-ca.pem"  # extracted from the container, see README


def connect_verified():
    """Recommended: verify the server cert against the cluster's CA."""
    client = OpenSearch(
        hosts=[{"host": HOST, "port": PORT}],
        http_auth=AUTH,
        use_ssl=True,
        verify_certs=True,
        ca_certs=CA_CERT,
    )
    print("verify_certs=True ->", client.info())
    return client


def connect_insecure():
    """Quick local testing only: skips CA verification entirely."""
    client = OpenSearch(
        hosts=[{"host": HOST, "port": PORT}],
        http_auth=AUTH,
        use_ssl=True,
        verify_certs=False,
        ssl_show_warn=False,
    )
    print("verify_certs=False ->", client.info())
    return client


if __name__ == "__main__":
    connect_insecure()
    connect_verified()

Do you have a specific question regarding securing a cluster?
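
A variation on the script above, as an added example that is not part of the original posts or of the OpenSearch project's code: it takes the password and CA path from environment variables instead of hardcoding them, and refuses to produce a client configuration unless certificate verification is possible. The environment variable names and the names `ClientConfigError`, `client_kwargs` and `connect` are assumptions made for this example.

```python
import os
from pathlib import Path


class ClientConfigError(ValueError):
    """The environment does not describe a verifiable, authenticated connection."""


def client_kwargs(env=os.environ):
    """Build OpenSearch(...) keyword arguments; fail closed on missing inputs.

    The OPENSEARCH_* variable names are assumptions of this example.
    """
    password = env.get("OPENSEARCH_PASSWORD")
    if not password:
        raise ClientConfigError("OPENSEARCH_PASSWORD is not set")
    try:
        port = int(env.get("OPENSEARCH_PORT", "9200"))
    except ValueError as exc:
        raise ClientConfigError("OPENSEARCH_PORT is not a number") from exc
    ca_path = env.get("OPENSEARCH_CA_CERT")
    if not ca_path or not Path(ca_path).is_file():
        raise ClientConfigError("OPENSEARCH_CA_CERT must point to the cluster CA file")
    # Catch an empty or wrong file early instead of at the first TLS handshake.
    if "-----BEGIN CERTIFICATE-----" not in Path(ca_path).read_text(errors="replace"):
        raise ClientConfigError("OPENSEARCH_CA_CERT is not a PEM certificate")
    # Same arguments as connect_verified() above; there is no switch that
    # turns verify_certs off, so the insecure path cannot be reached by config.
    return {
        "hosts": [{"host": env.get("OPENSEARCH_HOST", "localhost"), "port": port}],
        "http_auth": (env.get("OPENSEARCH_USER", "admin"), password),
        "use_ssl": True,
        "verify_certs": True,
        "ca_certs": ca_path,
    }


def connect(env=os.environ):
    """Create the client; opensearchpy is imported lazily so the checks run without it."""
    from opensearchpy import OpenSearch
    return OpenSearch(**client_kwargs(env))
```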

I would like to configure this using Helm. Could you please guide me on how to do it? My OpenSearch cluster and OpenSearch Dashboard are already deployed and running through Helm.

@abdul for security, are you attempting to use demo certificates generated by OpenSearch, or provide your own certificates and CA?

Also, can you please provide your current values.yml file for this cluster.