Migration of config data from .opendistro_security to .opensearch_security index?

We already use elasticsearch-oss & kibana-oss (v7.8.0) with standalone opendistro security plugins ( This creates .opendistro_security index containing the security configurations (users, roles etc).

  • Now, with opensearch security plugin, as per docs, securityadmin would create index .opensearch_security to store these security configs.

  • That would mean on upgrade from (elasticsearch+opendistro) to opensearch → it would not read the existing opendistro_security index and create a fresh index altogether with default configs.

  • Result - on upgrade, we would lose all users/roles etc already created in opendistro, and will need manual effort to recreate all resources & update opensearch index.

Is this understanding right? I was hoping if an automatic migration could be kicked in such that if .opendistro_security index is detected, it would get migrated to opensearch format. Is something like this available/planned?

Also, looking into the opensearch-project/security code, I see the index name still is
and the same gets used everywhere in the code. There is no use of .opensearch_security index here.

Is it an incorrect branch of project that doesnt have the updated code?
Or is this a bug?
Or is the index name going to remain .opendistro_security only - in which case, the docs have to be updated with the right index name :slight_smile:

[moved to security category]

My understanding is that this type of index name would not be changing for 1.0 GA. That would be a breaking change for those moving from ODFE and would change at 2.0.

The doc update does give me pause. Let me dig a bit.

Definitely seems like a mistake in the docs as this would be a breaking change.

We can track it with this issue.

Thanks for the confirmation and the issue tracking link!

As I understand in 2.0, the index name would change to .opensearch_security. Imo, it would be good idea to consider migration from existing .opendistro_security index to .opensearch_security in 2.0 (such that if .opendistro_security index is detected, securityadmin could migrate its content to .opensearch_security).

Reason - it wont be just a breaking change for those moving from ODFE, because even a fresh install of 1.0 opensearch GA would create .opendistro_security index. So without any automatic index migration, it would be a breaking change even while moving from 1.0 to 2.0.

Thanks for the suggestion - if you want to formally suggest that, I’d open up an issue on the repo.

Likely this is the direction anyway - I’ve been party to some chats about how to change other indices names properly and everything needs to go stepwise. First, deprecate the old one for some time while prefereneing the new if both exist and warning about the old. Finally ignore the old.

1 Like