Securing an OpenSearch cluster

Still need help?

The Atlassian Community is here for you.

Ask the community

OpenSearch security best practice

Confluence can be configured to use OpenSearch for searching and indexing. Follow the Opensearch page on security best practice to strengthen the security of your data.

Audit logs

Additionally, we advise you to enable audit logs.

  1. Add the following line to opensearch.yml on each node:

    plugins.security.audit.type: internal_opensearch

    This setting stores audit logs on the current cluster. For other storage options, see Audit Log Storage Types.

  2. Restart each node.

Fine-grained access control

One of the actions of security best practice is to configure fine-grained access control by applying restrictive role-based policies.

Confluence requires a role to have the following permissions:

{
    "cluster_permissions": [       
        "cluster:admin/script/put",
        "indices:data/write/bulk",
        "cluster:monitor/*"
    ],
    "index_permissions":[
        {
            "index_patterns": ["confluence-*"],
            "allowed_actions": [
                "indices:admin/aliases",
                "indices:admin/create",
                "indices:admin/delete",
                "indices:admin/get",
                "indices:admin/mapping/put",
                "indices:admin/mappings/*",
                "indices:admin/settings/update",
                "indices:data/read/*",
                "indices:data/write/*",
                "indices:monitor/settings/get",
                "indices:monitor/stats"
            ]
        }
    ]
}

AWS resource-based policy

If you use AWS OpenSearch Service, we also recommend that you apply a restrictive resource-based access policy.

Confluence requires an AWS principal with a resource-based policy that grants it the following actions:

"Action": [
  "es:ESHttpPut",
  "es:ESHttpPost",
  "es:ESHttpGet",
  "es:ESHttpDelete",
  "es:ESHttpHead"
]

TLS/SSL

In production, TLS/SSL should be used to ensure data is encrypted during transport. Details of how to configure certificates can be found at Configuring TLS certificates. If you're using a self-signed certificate, or a certificate not included in the default CA certificates, add the certificate to your JRE's truststore on each Confluence node.

Authentication

For AWS-hosted OpenSearch, we recommend using IAM authentication. This is achieved by specifying the opensearch.aws.region property in the config file confluence.cfg.xml, or as a system property. We also recommend that you apply a restrictive resource-based access policy on your OpenSearch domain.

For non-AWS-hosted OpenSearch, we recommend basic auth by specifying username/password. Visit the page HTTP basic authentication for configuration details. The username and password need to be specified in the config file confluence.cfg.xml on each node under opensearch.username and opensearch.password respectively. They can also be set as system properties, which will override anything in your config files.

Last modified on Oct 3, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.