Create additional users including rights management
OpenSearch Dashboards can be used to create additional users. When operating several Shopware instances or similar, this means the "admin" user does not have to be used for each instance, and each user's access can be restricted effectively.
Prerequisites
- OpenSearch server with OpenSearch Dashboards
- Access via "admin" user to OpenSearch Dashboards
Create user
First log in to OpenSearch Dashboards with the access data stored in the server's password vault.
Then navigate to "Security" → "Internal Users" in the settings, create a new user using the "Create internal user" button, and assign a secure password for this user.
We recommend excluding the following special characters when assigning the password, as these cannot be processed correctly by OpenSearch or by a connected application such as Shopware:
- /
- #
- $
Create user role
Then select "Roles" in the sidebar on the left and use the "Create role" button to create a new user role for the user you have just created.
First assign a name and add the following cluster authorizations to this role in the next step:
- cluster_composite_ops
- cluster:monitor/main
To ensure that the user can only access certain indices, the granted index authorizations must be bound to index patterns.
Note that certain authorizations must be granted on all indices (see following image → * pattern) so that access to the user's own indices is possible at all and the authorizations of the user-specific pattern ("test_product*") are applied correctly. If the authorizations are assigned as shown in the following image, the additional user can only access or create indices that match the assigned pattern, and has full access to those indices.
Permissions for the * pattern:
- get
- indices:data/read/search**
Permissions for the user-specific pattern (test_product*):
- indices_all
Because of the * pattern, a user can retrieve all available indices and thus all index names. Due to a known bug, however, this grant is necessary for access to the indices to be possible at all, as otherwise access is rejected with the status code 401 Unauthorized.
The creation of the user role can be completed with the "Create" button at the bottom of the current view.
Mapping of the user role
Then select the role you have just created in the overview of all available user roles and switch to the "Mapped users" tab at the top.
Use the "Manage Mapping" button to add the previously created user under "Users" and confirm the new mapping using the "Map" button so that the new user rights become active for the user.
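The user, role and mapping from the steps above, expressed as request bodies for the Security plugin's REST API, with a check that the * pattern carries only the read permissions listed on this page. This is an added example, not part of the original guide; the user name, role name and password are constructed placeholders, and the permission strings are copied from this page as written.

```python
import json

# Permission names are copied from this page; user and role names are hypothetical.
CLUSTER_PERMS = ["cluster_composite_ops", "cluster:monitor/main"]
CATCH_ALL_PERMS = ["get", "indices:data/read/search**"]
PASSWORD_EXCLUDED = set("/#$")  # characters the page recommends avoiding
API = "_plugins/_security/api"  # OpenSearch Security plugin REST base path


def build_role(user_pattern):
    """Role body: read-only grants on '*', full access only on the user's pattern."""
    return {
        "cluster_permissions": list(CLUSTER_PERMS),
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": list(CATCH_ALL_PERMS)},
            {"index_patterns": [user_pattern], "allowed_actions": ["indices_all"]},
        ],
    }


def audit_role(role, catch_all_allowed=CATCH_ALL_PERMS):
    """Return findings where the '*' pattern grants more than the expected set."""
    findings = []
    for block in role["index_permissions"]:
        extra = sorted(set(block["allowed_actions"]) - set(catch_all_allowed))
        if "*" in block["index_patterns"] and extra:
            findings.append(f"pattern '*' grants unexpected {extra}")
    return findings


def password_ok(password):
    """True when the password avoids the characters the page says to exclude."""
    return not (set(password) & PASSWORD_EXCLUDED)


def build_requests(user, password, role_name, user_pattern):
    """(method, path, body) tuples for user, role and role mapping, in page order."""
    if not password_ok(password):
        raise ValueError("password contains one of: / # $")
    role = build_role(user_pattern)
    findings = audit_role(role)
    if findings:
        raise ValueError("; ".join(findings))
    return [
        ("PUT", f"{API}/internalusers/{user}", {"password": password}),
        ("PUT", f"{API}/roles/{role_name}", role),
        ("PUT", f"{API}/rolesmapping/{role_name}", {"users": [user]}),
    ]


if __name__ == "__main__":
    # Constructed sample values; only the role body is printed, not the password.
    reqs = build_requests("shop1", "Constructed-Pw-123!", "shop1_role", "test_product*")
    print(json.dumps(reqs[1][2], indent=2))
```

Running `audit_role` against an exported role before applying it catches the case where a write-capable grant such as indices_all ends up on the * pattern instead of the user-specific one.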
Additional authorizations for OpenSearch Dashboards
If the user is to have access to their indices via OpenSearch Dashboards, and OpenSearch is not only to be connected to Shopware or a similar application, the following additional cluster authorizations must be granted:
- cluster:monitor/state
- cluster:monitor/health
Furthermore, the following additional index permissions are required for the * pattern:
- indices:monitor/settings/get
- indices:monitor/stats