Securing an OpenSearch cluster

Jira can be configured to use OpenSearch for searching and indexing. Follow the OpenSearch page on security best practice to strengthen the security of your data.

Audit logs

Additionally, we advise you to enable audit logs.

  1. Add the following line to opensearch.yml on each node:

    plugins.security.audit.type: internal_opensearch

    This setting stores audit logs on the current cluster. For other storage options, see Audit Log Storage Types.

  2. Restart each node.

Fine-grained access control

One of the security best practices is to configure fine-grained access control by applying restrictive role-based policies.

Jira requires a role to have the following permissions:

{
    "cluster_permissions": [
        "cluster:admin/script/put",
        "indices:data/write/bulk",
        "cluster:monitor/*",
        "indices:data/read/scroll/clear"
    ],
    "index_permissions": [
        {
            "index_patterns": ["jira-issues*"],
            "allowed_actions": [
                "indices:admin/aliases",
                "indices:admin/create",
                "indices:admin/delete",
                "indices:admin/get",
                "indices:admin/mapping/put",
                "indices:admin/mappings/*",
                "indices:admin/refresh*",
                "indices:admin/settings/update",
                "indices:data/read/*",
                "indices:data/write/*",
                "indices:monitor/settings/get",
                "indices:monitor/stats"
            ]
        }
    ]
}
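
To check that a role you have actually deployed for Jira is neither short of these permissions nor broader than them, you can compare its body with the list above. The script below is an added example, not Atlassian or OpenSearch code; the function names and the sample role are constructed here, and it assumes the role lists raw action names and wildcards (OpenSearch action groups are not expanded).

```python
from fnmatch import fnmatchcase

# Permission lists copied from the role definition on this page.
CLUSTER = ["cluster:admin/script/put", "indices:data/write/bulk",
           "cluster:monitor/*", "indices:data/read/scroll/clear"]
INDEX = ["indices:admin/aliases", "indices:admin/create", "indices:admin/delete",
         "indices:admin/get", "indices:admin/mapping/put",
         "indices:admin/mappings/*", "indices:admin/refresh*",
         "indices:admin/settings/update", "indices:data/read/*",
         "indices:data/write/*", "indices:monitor/settings/get",
         "indices:monitor/stats"]
PATTERN = "jira-issues*"

# Constructed sample role (not from the page): one cluster permission short,
# and far too broad on indices.
SAMPLE_ROLE = {
    "cluster_permissions": ["cluster:admin/script/put",
                            "indices:data/write/bulk", "cluster:monitor/*"],
    "index_permissions": [{"index_patterns": ["*"],
                           "allowed_actions": ["indices:*"]}],
}


def _diff(required, granted):
    """Return (required entries no grant covers, grants not on the list)."""
    missing = [r for r in required
               if not any(fnmatchcase(r, g) for g in granted)]
    excess = [g for g in granted if g not in required]
    return missing, excess


def audit_role(role):
    """Compare one role body with the page's list; returns (missing, excess)."""
    missing, excess = _diff(CLUSTER, role.get("cluster_permissions", []))
    index_grants = []
    for entry in role.get("index_permissions", []):
        patterns = entry.get("index_patterns", [])
        # Any pattern other than jira-issues* reaches indices Jira does not need.
        excess += [f"index_pattern:{p}" for p in patterns if p != PATTERN]
        # Only entries whose pattern covers jira-issues* count toward Jira's needs.
        if any(fnmatchcase(PATTERN, p) for p in patterns):
            index_grants += entry.get("allowed_actions", [])
    idx_missing, idx_excess = _diff(INDEX, index_grants)
    return sorted(missing + idx_missing), sorted(excess + idx_excess)


if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE)
    print("missing:", missing)
    print("excess:", excess)
```

An empty `missing` list means Jira has what it needs; anything in `excess` is a grant to review and narrow.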


AWS resource-based policy

If you use AWS OpenSearch Service, we also recommend that you apply a restrictive resource-based access policy.

Jira requires an AWS principal with a resource-based policy that grants it the following actions:

"Action": [
  "es:ESHttpPut",
  "es:ESHttpPost",
  "es:ESHttpGet",
  "es:ESHttpDelete",
  "es:ESHttpHead"
]


TLS/SSL

In production, TLS/SSL should be used to ensure data is encrypted during transport. Details of how to configure certificates can be found at Configuring TLS certificates. If you're using a self-signed certificate, or a certificate not included in the default CA certificates, add the certificate to your JRE's truststore on each Jira node.

Authentication

For AWS-hosted OpenSearch, we recommend using IAM authentication. This is achieved by specifying the opensearch.aws.region property in the config file jira-config.properties. We also recommend that you apply a restrictive resource-based access policy on your OpenSearch domain.

For non-AWS-hosted OpenSearch, we recommend basic auth with a username and password. Visit the page HTTP basic authentication for configuration details. Specify the username and password in the config file jira-config.properties on each node, under opensearch.username and opensearch.password respectively. When you start Jira with opensearch.username and opensearch.password set in the jira-config.properties file, Jira encrypts the plain text values and replaces them with the secure secret placeholder {ATL_SECURED}. For details, see More about secured secrets.

Last modified on Dec 3, 2025
