Document Level Security in Search with OpenSearch
Learn about using document level security with Search with OpenSearch.
OCI Search with OpenSearch supports document level security, enabled by the OpenSearch Security plugin. Document level security lets you restrict a role's access to the documents in an index to those that match a specified query.
If multiple roles apply to a user, some with more restrictive access, the more expansive access will be applied.
If the role doesn't have anything specified for document level security, that role will have access to all the documents within the indexes the role has access to, based on the specified index permissions.
Prerequisites
The following are prerequisites to enable document level security in Search with OpenSearch.
The security mode for the cluster must be set to enforcing. For more information about how to check this setting, and update if necessary, see Verify Security Mode and Setting the Security Mode to Enforcing.
The OpenSearch version for the cluster must be 2.3.
Using Document Level Security
To use document level security in Search with OpenSearch, you specify an index pattern and OpenSearch query for a role. Use OpenSearch query DSL for the query.
1. Log into your cluster's OpenSearch Dashboards, and select Security.
2. Choose Roles, and then either create a new role or edit an existing role.
3. For Index, specify an index pattern.
4. For Document level security, specify an OpenSearch query.
For example, the following sample query, included in the OpenSearch Document Level Security documentation:
{ "bool": { "must": { "match": { "genres": "Comedy" } } } }
restricts access for the role to documents where the genres field includes Comedy.
Configuring Document Level Security using the REST API
Use the Roles API to configure document level security, as demonstrated in the following example from the OpenSearch Document Level Security documentation:
PUT _plugins/_security/api/roles/comedy_data
{
  "cluster_permissions": [
    "*"
  ],
  "index_permissions": [{
    "index_patterns": [
      "pub*"
    ],
    "dls": "{\"bool\":{\"must\":{\"match\":{\"genres\":\"Comedy\"}}}}",
    "allowed_actions": [
      "read"
    ]
  }]
}
This example shows how to configure a role, comedy_data, that allows access to any documents where the genre is "Comedy", in any index.
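The following is an added example, not code from the OpenSearch or OCI documentation. It builds the Roles API body shown above from a query DSL object (note that dls is a JSON-encoded string inside the JSON body, which is why the example shows escaped quotes), and then evaluates the DLS query locally against a handful of constructed documents to show which ones a user holding the role would see. It also shows the two rules stated earlier on this page: a permission with no dls exposes every document in the indexes its pattern covers, and when a user holds several roles the union of their access applies. The evaluator only handles the bool/must/must_not plus match/term subset of query DSL and uses a crude tokenizer, so it is a reasoning aid for checking a DLS query before you apply it, not a substitute for testing against the cluster. The sample documents, index names and the ALL_PUB_ROLE role are constructed for this example.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample documents (not from the page). Each carries the index it lives in so
# the role's index pattern can be applied alongside its DLS query.
SAMPLE_DOCS = [
    {"_id": "1", "_index": "publications", "title": "Airplane!", "genres": ["Comedy", "Parody"]},
    {"_id": "2", "_index": "publications", "title": "Alien", "genres": ["Horror", "Sci-Fi"]},
    {"_id": "3", "_index": "publications", "title": "Shaun of the Dead", "genres": "Comedy"},
    {"_id": "4", "_index": "pub-archive", "title": "Heat", "genres": ["Crime", "Drama"]},
    {"_id": "5", "_index": "private-notes", "title": "The Office", "genres": "Comedy"},
]


def _tokens(value):
    """Crude stand-in for the standard analyzer: lowercase word tokens of one or many values."""
    values = value if isinstance(value, list) else [value]
    return {tok for v in values for tok in re.findall(r"\w+", str(v).lower())}


def evaluate(query, doc):
    """Evaluate the bool/must/must_not + match/term subset of query DSL against one document.

    This is a local approximation for reasoning about a DLS query, not the OpenSearch engine.
    """
    if "bool" in query:
        clauses = query["bool"]
        must = clauses.get("must", [])
        must = must if isinstance(must, list) else [must]
        must_not = clauses.get("must_not", [])
        must_not = must_not if isinstance(must_not, list) else [must_not]
        return all(evaluate(c, doc) for c in must) and not any(evaluate(c, doc) for c in must_not)
    if "match" in query:
        (field, value), = query["match"].items()
        # match: analyzed query tokens overlap analyzed field tokens
        return bool(_tokens(doc.get(field, [])) & _tokens(value))
    if "term" in query:
        (field, value), = query["term"].items()
        actual = doc.get(field)
        # term: exact, unanalyzed value comparison
        return value in (actual if isinstance(actual, list) else [actual])
    raise ValueError(f"unsupported clause: {list(query)}")


def role_body(index_patterns, dls_query=None, allowed_actions=("read",)):
    """Build a Roles API body of the shape shown on the page.

    `dls` must be a JSON-encoded string embedded in the JSON body; serialising the query
    object here produces exactly the escaped form the page's PUT example contains.
    """
    perm = {"index_patterns": list(index_patterns), "allowed_actions": list(allowed_actions)}
    if dls_query is not None:
        perm["dls"] = json.dumps(dls_query, separators=(",", ":"))
    return {"cluster_permissions": ["*"], "index_permissions": [perm]}


def visible_ids(roles, docs):
    """Ids a user holding every role in `roles` can read.

    Access is the union across roles (the more expansive role wins), and a permission
    without `dls` exposes every document in the indexes its pattern covers.
    """
    seen = set()
    for role in roles:
        for perm in role["index_permissions"]:
            query = json.loads(perm["dls"]) if "dls" in perm else None
            for doc in docs:
                if not any(fnmatchcase(doc["_index"], p) for p in perm["index_patterns"]):
                    continue  # index not covered by this permission at all
                if query is None or evaluate(query, doc):
                    seen.add(doc["_id"])
    return sorted(seen)


COMEDY_DLS = {"bool": {"must": {"match": {"genres": "Comedy"}}}}
COMEDY_ROLE = role_body(["pub*"], COMEDY_DLS)  # the page's comedy_data role
ALL_PUB_ROLE = role_body(["pub*"])             # constructed: same indexes, no DLS restriction

if __name__ == "__main__":
    # This body is what you would send with PUT _plugins/_security/api/roles/comedy_data
    print(json.dumps(COMEDY_ROLE, indent=2))
    print("comedy_data only:", visible_ids([COMEDY_ROLE], SAMPLE_DOCS))
    print("comedy_data + unrestricted:", visible_ids([COMEDY_ROLE, ALL_PUB_ROLE], SAMPLE_DOCS))
```

Running the script prints the role body and then the two visibility sets: comedy_data alone exposes only the Comedy documents in indexes matching pub*, while adding the unrestricted ALL_PUB_ROLE to the same user widens the result to every pub* document, which is the behaviour to keep in mind when a user is mapped to more than one role. Document 5 matches the query but lives outside the pub* pattern, so it is never returned.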