Upgrading an Existing Cluster for Role-Based Access Control
This topic describes how to verify whether role-based access control is enabled for your cluster and, if it isn't, how to upgrade your cluster to enable the feature.
Primary User Account
When you enable role-based access control for a cluster, you need to specify a username and
password for your cluster's primary account. This is an administrator-type account that you
use to connect to your cluster or the cluster's OpenSearch Dashboard and create
additional users and roles for OpenSearch. For more information, see Role-Based Access Control in Search with OpenSearch.
Security Modes
When you upgrade a cluster to enable role-based access security, the following two modes
are available:
PERMISSIVE: This mode only requires that you use a username and password when
connecting to your cluster's OpenSearch Dashboard. With this mode, you can still
connect to the cluster directly without specifying a username and password. While you
can keep your cluster configured for permissive mode, we recommend that you upgrade to
enforcing mode as soon as possible.
ENFORCING: This mode requires a username and password anytime you connect to a
cluster or the cluster's OpenSearch Dashboard. This is the recommended mode when
upgrading an older cluster and is the only mode supported for new clusters.
You must enable the modes sequentially: enable permissive mode before you enable
enforcing mode. After permissive mode is enabled, you can change the security mode for your
cluster to enforcing, or you can keep it set to permissive.
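The difference between the modes can be checked from a client by probing the cluster's API endpoint with and without credentials. The following is an added example, not code from this documentation: the environment variable names are hypothetical, and it assumes the primary account is accepted over HTTP Basic authentication and that a refused request returns HTTP 401.

```python
import base64
import os
import urllib.error
import urllib.request


def probe(url, username=None, password=None, timeout=10):
    """GET the cluster API URL and return the HTTP status code.
    Credentials, when given, are sent as HTTP Basic auth (assumption)."""
    req = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # non-2xx responses such as 401 arrive as exceptions


def assess(anon_status, auth_status):
    """Turn the two probe results into findings about direct cluster access."""
    findings = []
    if anon_status == 200:
        # Direct connections need no credentials: DISABLED or PERMISSIVE.
        findings.append("anonymous access allowed: mode is not ENFORCING")
    elif anon_status == 401:
        findings.append("anonymous access refused: consistent with ENFORCING")
    else:
        findings.append(f"anonymous probe inconclusive: HTTP {anon_status}")
    if auth_status == 200:
        findings.append("primary account accepted")
    elif auth_status == 401:
        # Resolve this before enforcing, since that change cannot be reverted.
        findings.append("primary account rejected: check username and password")
    else:
        findings.append(f"authenticated probe inconclusive: HTTP {auth_status}")
    return findings


if __name__ == "__main__":
    # Hypothetical variable names; set them to your cluster's API endpoint
    # and the primary account created when permissive mode was enabled.
    url = os.environ["OPENSEARCH_API_URL"]
    user, pw = os.environ["OPENSEARCH_USER"], os.environ["OPENSEARCH_PASSWORD"]
    for line in assess(probe(url), probe(url, user, pw)):
        print(line)
```

Run it once while the cluster is in permissive mode to confirm the primary account works, and again after switching to enforcing to confirm that anonymous requests are refused.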
Verify Security Mode
You can verify if role-based access security is enabled for your cluster using the
following steps:
Open the navigation menu and click Databases. Under OpenSearch, click
Clusters.
In the Clusters list, click the name of the cluster you want to verify.
On the Security Information tab, if the Mode field is DISABLED, your cluster
doesn't have role-based access control enabled. To use the feature, you need to perform
the steps described in the following procedures.
Setting the Security Mode to Permissive
Use the steps listed in this section to set a cluster's security mode to permissive. This
enables role-based access control for your cluster.
Caution
Enabling role-based access security for a cluster isn't something you can undo.
Open the navigation menu and click Databases. Under OpenSearch, click
Clusters.
In the Clusters list, click the name of the cluster you want to enable the feature
for.
On the Security Information tab, click Update security information.
Specify values for Username and Password.
Important
You need to have the correct username and password to access your cluster.
Select the Check here to confirm check box, and then click Save changes.
Setting the Security Mode to Enforcing
After you have enabled role-based access security for your cluster by setting the
security mode to permissive, you can then change the security mode to enforcing using the
steps in this section.
Caution
After you set your cluster's security mode to enforcing, you can't revert it
to permissive.
Open the navigation menu and click Databases. Under OpenSearch, click
Clusters.
In the Clusters list, click the name of the cluster whose security mode you want to
change to enforcing.
On the Security Information tab, select ENFORCING for Mode.
(Optional) To change the password for the primary account, specify a new value in the
Password field, and then re-enter it in Confirm Password.