Role-Based Access Control in Search with OpenSearch

Learn about using role-based access control with your OpenSearch clusters.

OCI Search with OpenSearch includes the OpenSearch security plugin to enable role-based access to your OpenSearch clusters. With role-based access control, you can define and control what users can access and configure when connecting to an OpenSearch cluster. Role-based access control requires that you specify a username and password when connecting to a cluster or when accessing the cluster's OpenSearch Dashboard.

Configuring Role-Based Access Control

To use role-based access control, the feature must be enabled for your cluster. Role-based access control is enabled by default and required for all new clusters created in the Console.

For existing clusters and clusters not created in the Console, if you're not sure whether role-based access control is enabled, see Verify Security Mode for how to check. If role-based access control isn't enabled for your cluster and you want to enable it, perform the steps described in Upgrading an Existing Cluster for Role-Based Access Control.

When you create a new cluster, you specify a username and password for the primary user account. This is an administrator-type account that you use to connect to your cluster or the cluster's OpenSearch Dashboard, and then to create and configure additional users and roles for your cluster. For more information, see the following:

If you don't create additional users, you can use this account anytime you connect to your OpenSearch cluster. However, we recommend that you configure additional accounts to give you more granularity and control over access to your clusters. You can't change the name of the primary user account. To change the password, see Changing the Primary Account Password.
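The following added example (not part of the original documentation or Oracle's own code) shows one way to create such an additional account: a read-only role scoped to one index pattern, an internal user, and the mapping between them, using the OpenSearch security plugin REST API. The role, user, and index names, the environment variable names, and the assumption that the primary account is allowed to call this API on your cluster are all hypothetical.

```python
import base64, json, os, urllib.request
from urllib.parse import quote

API = "/_plugins/_security/api"  # OpenSearch security plugin REST API prefix

def build_requests(role, user, password, index_pattern, primary_user):
    """Return the (method, path, body) calls, in order, for a read-only account."""
    if index_pattern.strip() in ("", "*", "_all"):
        raise ValueError("scope the role to a specific index pattern, not every index")
    if user.lower() == primary_user.lower():  # primary username isn't case-sensitive
        raise ValueError("create a separate account; don't reuse the primary user")
    role_body = {
        "cluster_permissions": [],  # no cluster-level rights
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "allowed_actions": ["read"],  # built-in read-only action group
        }],
    }
    return [
        ("PUT", f"{API}/roles/{quote(role, safe='')}", role_body),
        ("PUT", f"{API}/internalusers/{quote(user, safe='')}", {"password": password}),
        ("PUT", f"{API}/rolesmapping/{quote(role, safe='')}", {"users": [user]}),
    ]

def send(endpoint, auth_user, auth_password, method, path, body):
    """Send one call with HTTP basic auth; returns the HTTP status code."""
    token = base64.b64encode(f"{auth_user}:{auth_password}".encode()).decode()
    req = urllib.request.Request(
        endpoint.rstrip("/") + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # All names below are hypothetical; secrets come from the environment, not the script.
    primary = os.environ.get("OS_PRIMARY_USER", "clusteradmin")
    calls = build_requests("logs_reader", "report_svc",
                           os.environ.get("OS_NEW_USER_PASSWORD", "<set-in-env>"),
                           "app-logs-*", primary)
    endpoint = os.environ.get("OS_ENDPOINT")  # e.g. https://<cluster-endpoint>:9200
    for method, path, body in calls:
        if endpoint:
            print(method, path, send(endpoint, primary, os.environ["OS_PRIMARY_PASSWORD"],
                                     method, path, body))
        else:  # dry run: show the plan without printing the password
            shown = {k: ("***" if k == "password" else v) for k, v in body.items()}
            print(method, path, json.dumps(shown))
```

Run without OS_ENDPOINT set, the script only prints the three planned calls, which lets you review the role's scope before applying it.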

Limitations and Considerations

  • Search with OpenSearch only supports users internal to OpenSearch for role-based access control. The service doesn't support other authentication protocols at this time.

  • The username for the primary account isn't case-sensitive, and you can't specify admin as the primary username.
  • You can't change the username of the primary account that you specified when you created or upgraded the cluster.

  • You manage all other OpenSearch user accounts from the OpenSearch cluster or the cluster's OpenSearch Dashboard.

Changing the Primary Account Password

To change the password for the primary account for role-based access, do the following:

  1. Open the navigation menu and click Databases. Under OpenSearch, click Clusters.

  2. In the Clusters list, click the name of the cluster you want to change the account password for.

  3. On the Security information tab, click Update security information.

  4. Specify the new password, and then re-enter the new password in Confirm Password.

  5. Click Save changes.