File: _security/access-control/users-roles.md (39 additions & 0 deletions)
@@ -242,3 +242,42 @@ Map the role to your user:
242
242
1. Choose the **Mapped users** tab and **Manage mapping**.
243
243
1. For **Internal users**, add your bulk access user.
244
244
1. Choose **Map**.
245
+
246
+
## Admin and super admin roles
247
+
248
+
OpenSearch user roles are essential for controlling access to cluster resources. Users can be categorized as regular users, admin users, or super admin users based on their access rights and responsibilities.
249
+
250
+
For more information about defining users, see [Defining users](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-users). For more information about defining roles, see [Defining roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-roles).
251
+
252
+
253
+
### Regular users
254
+
Regular users have basic access permissions that allow them to interact with the OpenSearch cluster, such as querying data and using dashboards, but they do not have administrative privileges.
255
+
256
+
### Admin users
257
+
Admin users have elevated permissions that allow them to perform various administrative tasks within the cluster. They have broader access compared to regular users, including permissions to:
258
+
- Manage users and roles.
259
+
- Configure permissions.
260
+
- Adjust backend settings.
261
+
262
+
Admin users can perform these tasks by configuring settings in the `opensearch.yml` file, using OpenSearch Dashboards, or interacting with the REST API. For more information about configuring users and roles, see [predefined roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#predefined-roles).
263
+
264
+
### Super admin users
265
+
Super admin users have the highest level of administrative authority within the OpenSearch environment. This role is typically reserved for select users and should be managed carefully.
266
+
267
+
Super admin users have unrestricted access to all settings and data within the cluster, including permissions to:
268
+
- Modify Security plugin configurations.
269
+
- Access and manage the security index `.opendistro_security`.
270
+
- Override any security limitations.
271
+
272
+
#### Authentication of the super admin role
273
+
274
+
Super admin users are authenticated through certificates, not passwords. The necessary certificates are defined in the `admin_dn` section of the `opensearch.yml` file and must be signed with the same root certificate authority (CA), as shown in the following example:
275
+
```
276
+
YAML
277
+
plugins.security.authcz.admin_dn:
278
+
- CN=kirk,OU=client,O=client,L=test, C=de
279
+
```
280
+
281
+
If the super admin certificate is signed by a different CA, then the admin CA must be concatenated with the node's CA in the file defined in `plugins.security.ssl.http.pemtrustedcas_filepath` in `opensearch.yml`.
282
+
283
+
For more information, see [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
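Review bot: the fenced block that starts with a bare ``` followed by a line reading `YAML` puts the language name inside the block instead of on the fence, so it renders as a line of text; use the fence style this repository already uses in tls.md (```yml) and drop the stray `YAML` line. In the same example the DN `CN=kirk,OU=client,O=client,L=test, C=de` has a space before `C=de` while tls.md shows `CN=admin,OU=SSL,O=Test,L=Test,C=DE`; pick one spelling so readers do not copy an inconsistent DN. The sentence "must be signed with the same root certificate authority (CA)" is contradicted two paragraphs later by "If the super admin certificate is signed by a different CA", so phrase it as the normal case (signed by the same CA as the node certificates) and keep the concatenation instruction as the alternative. `admin_dn` is a setting rather than a "section", and the full key `plugins.security.authcz.admin_dn` is worth naming in the prose. "Override any security limitations" is vague; what the admin certificate actually does is bypass the Security plugin's authorization checks, and stating that precisely is the reason the role "should be managed carefully". Finally, every link here is hard-coded to `https://opensearch.org/docs/latest/...` while the rest of the site (tls.md in this same commit) uses `{{site.url}}{{site.baseurl}}/...`; the link text "Configuring super admin certificates" also does not match the heading it targets, which this commit leaves as "Configuring admin certificates", and the "configuring users and roles" link points at the `#predefined-roles` anchor rather than a section about configuring them.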
File: _security/configuration/tls.md (4 additions & 3 deletions)
@@ -128,14 +128,16 @@ If your node certificates have an Object ID (OID) identifier in the SAN section,
128
128
129
129
## Configuring admin certificates
130
130
131
-
Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s):
131
+
Super admin certificates are regular client certificates that have elevated rights to perform administrative security tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Super admin certificates are configured in `opensearch.yml` by stating their DN(s):
132
132
133
133
```yml
134
134
plugins.security.authcz.admin_dn:
135
135
- CN=admin,OU=SSL,O=Test,L=Test,C=DE
136
136
```
137
137
138
-
For security reasons, you can't use wildcards or regular expressions here.
138
+
For security reasons, you cannot use wildcards or regular expressions as values for the `admin_dn` setting.
139
+
140
+
For more information about admin and super admin user roles, see [Admin and super admin roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#admin-and-super-admin-roles) and [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
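Review bot: the heading `## Configuring admin certificates` is left unchanged while the first sentence is rewritten to "Super admin certificates", and the second sentence of the same paragraph still says "You need an admin certificate", so the section now uses two names for one thing; either rename the heading (and update the anchor in the two other files touched by this commit) or keep "admin certificate" throughout. The added paragraph's second link targets `tls/#configuring-admin-certificates`, which is the section the reader is already in, so it can be dropped. It also hard-codes `https://opensearch.org/docs/latest/` while the unchanged part of this paragraph uses `{{site.url}}{{site.baseurl}}`; keep the Jekyll form so versioned builds resolve the link.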
## (Advanced) Disabling client initiated renegotiation for Java 8
242
243
243
244
Set `-Djdk.tls.rejectClientInitiatedRenegotiation=true` to disable secure client initiated renegotiation, which is enabled by default. This can be set via `OPENSEARCH_JAVA_OPTS` in `config/jvm.options`.
File: _troubleshoot/security-admin.md (1 addition & 1 deletion)
@@ -92,7 +92,7 @@ Connected as CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE
92
92
ERR: CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user
93
93
```
94
94
95
-
You must use an admin certificate when executing the script. To learn more, see [Configuring admin certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates).
95
+
You must use an admin certificate when executing the script. To learn more, see [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
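Review bot: the replaced line swaps the `{{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates` link for a hard-coded `https://opensearch.org/docs/latest/...` URL, which departs from the versioned-docs convention used elsewhere in this repository; keep the Jekyll form and change only the link text if a rename is wanted. The new text "Configuring super admin certificates" also does not match its target heading, which this commit leaves as "Configuring admin certificates", and it sits beside the error `is not an admin user` and the sentence "You must use an admin certificate", so "super" is inconsistent with the surrounding lines as well.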