Securing an OpenSearch cluster
This page is for the OpenSearch Early Access Program (EAP).
OpenSearch is not currently supported, and during the EAP, it should not be used in production environments; some features will not be available. These are listed at the end of this page.
If you have questions about the OpenSearch EAP or need support, contact us.
OpenSearch security best practice
Confluence can be configured to use OpenSearch for searching and indexing. Follow the OpenSearch page on security best practice to strengthen the security of your data.
Additionally, we advise you to enable audit logs.
Add the following line to opensearch.yml on each node:
    plugins.security.audit.type: internal_opensearch
This setting stores audit logs on the current cluster. For other storage options, see Audit Log Storage Types.
Restart each node.
Fine-grained access control
One of the security best practice actions is to configure fine-grained access control by applying restrictive role-based policies.
Confluence requires a role to have the following permissions:
{
  "cluster_permissions": [
    "cluster:admin/script/put",
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": ["confluence-*"],
      "allowed_actions": [
        "indices:data/write/*",
        "indices:data/read/search",
        "indices:admin/create",
        "indices:admin/get",
        "indices:admin/mapping/put",
        "indices:admin/mappings/*",
        "indices:admin/delete",
        "indices:monitor/settings/get",
        "indices:monitor/stats",
        "indices:admin/settings/update"
      ]
    }
  ]
}
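One way to check an existing role against this list before assigning it to the Confluence user, as an added example (not Atlassian or OpenSearch code). It assumes the role is available as JSON in the shape shown above; the function names and the sample role are constructed here, and named action groups are not expanded, so they are reported as excess.

```python
from fnmatch import fnmatchcase

# Required permissions, copied from the role definition on this page.
REQUIRED_CLUSTER = {"cluster:admin/script/put", "indices:data/write/bulk"}
REQUIRED_INDEX = {
    "indices:data/write/*", "indices:data/read/search", "indices:admin/create",
    "indices:admin/get", "indices:admin/mapping/put", "indices:admin/mappings/*",
    "indices:admin/delete", "indices:monitor/settings/get", "indices:monitor/stats",
    "indices:admin/settings/update",
}
INDEX_PATTERN = "confluence-*"


def diff_actions(granted, required):
    """Return (missing, excess): required actions no grant covers, and grants wider than any requirement."""
    missing = sorted(r for r in required if not any(fnmatchcase(r, g) for g in granted))
    excess = sorted(g for g in granted if not any(fnmatchcase(g, r) for r in required))
    return missing, excess


def audit_role(role):
    """Return a list of findings; an empty list means the role matches the page's requirements."""
    findings = []
    missing, excess = diff_actions(set(role.get("cluster_permissions", [])), REQUIRED_CLUSTER)
    findings += [f"missing cluster permission: {m}" for m in missing]
    findings += [f"excess cluster permission: {e}" for e in excess]
    granted = set()
    for entry in role.get("index_permissions", []):
        for pattern in entry.get("index_patterns", []):
            if pattern != INDEX_PATTERN:
                findings.append(f"index pattern outside {INDEX_PATTERN}: {pattern}")
            # Only count actions that actually apply to the Confluence indices.
            if fnmatchcase(INDEX_PATTERN, pattern):
                granted |= set(entry.get("allowed_actions", []))
    missing, excess = diff_actions(granted, REQUIRED_INDEX)
    findings += [f"missing index permission: {m}" for m in missing]
    findings += [f"excess index permission: {e}" for e in excess]
    return findings


# Constructed sample: an over-permissive role of the kind the restrictive policy is meant to replace.
BROAD_ROLE = {
    "cluster_permissions": sorted(REQUIRED_CLUSTER) + ["cluster:monitor/health"],
    "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["indices:*"]}],
}

if __name__ == "__main__":
    for finding in audit_role(BROAD_ROLE):
        print(finding)
```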
AWS resource-based policy
If you use AWS OpenSearch Service, we also recommend that you apply a restrictive resource-based access policy.
Confluence requires an AWS principal with a resource-based policy that grants it the following actions:
"Action": [
  "es:ESHttpPut",
  "es:ESHttpPost",
  "es:ESHttpGet",
  "es:ESHttpDelete",
  "es:ESHttpHead"
]