Access Control Lists
To set up access control lists (ACLs) for OpenSearch content, you need to:
- Create a new user in the Users tab
- Add a new ACL related to that specific user by creating rules within the ACL tab
- Click on Submit
The new rules will take effect once you toggle the Enable ACL option on the right of the ACL tab.
Switching on Enable ACL does not restrict access to OpenSearch Dashboards itself, but all requests made by OpenSearch Dashboards are checked against the current user’s ACLs.
In practice, for OpenSearch Dashboards to function properly, you must grant the user admin-level access to the _msearch interface (permission: admin, pattern: _msearch) or switch on the ExtendedAcl option. Note that _msearch, _mget and so on are top-level API endpoints of OpenSearch. Only rules where the pattern starts with _ are considered for top-level API access.
You can switch on the Enable Extended ACL option for the service to enforce index rules in a limited fashion for requests that only use the _mget, _msearch and _bulk APIs. When Extended ACL is enabled, service users can access these APIs as long as all operations only target indices that they have appropriate permissions for.
NOTE
Rules are defined separately for each user as pattern/permission combinations. The pattern defines the indices that the permission applies to. Patterns are glob-style, where * (an asterisk) matches any number of characters and ? (a question mark) matches any character.
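The following is an added example, not the service's own code: a simplified model of how the rules described above decide whether an _msearch request passes, with and without Extended ACL. It assumes that ? matches exactly one character and that admin (the only permission named on this page) is sufficient for the request; the function names and sample rules are constructed for illustration.

```python
import re

SUFFICIENT = ("admin",)            # the only permission name the page mentions
EXTENDED_APIS = ("_mget", "_msearch", "_bulk")

def matches(pattern, name):
    # Glob with only the two wildcards described: * = any run, ? = one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None

def check_request(rules, api, indices, extended_acl):
    """rules: [(pattern, permission)] for one user. Returns (allowed, reason)."""
    # Only patterns starting with "_" are considered for top-level API access,
    # so an index rule such as "*" never grants _msearch by itself.
    for pattern, perm in rules:
        if pattern.startswith("_") and perm in SUFFICIENT and matches(pattern, api):
            return True, f"top-level rule {pattern!r}"
    if extended_acl and api in EXTENDED_APIS:
        # Assumption: a matching index rule with a sufficient permission covers the index.
        index_rules = [p for p, perm in rules
                       if not p.startswith("_") and perm in SUFFICIENT]
        uncovered = [i for i in indices
                     if not any(matches(p, i) for p in index_rules)]
        if not uncovered:
            return True, "extended ACL: every target index is covered"
        return False, f"extended ACL: no rule covers {uncovered}"
    return False, f"no top-level rule for {api}"

# Constructed sample rules for one hypothetical user.
RULES = [("logs-*", "admin"), ("metrics-202?", "admin")]

if __name__ == "__main__":
    for ext, idx in [(False, ["logs-app"]), (True, ["logs-app", "metrics-2024"]),
                     (True, ["logs-app", "secrets"])]:
        print(ext, idx, check_request(RULES, "_msearch", idx, ext))
```

The first case shows why Dashboards stops working for a user who only has index rules: without a pattern: _msearch rule or Extended ACL, the request is refused even though the user has a rule for the index it targets.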