Set superior settings with the Amazon OpenSearch Service Dashboards API
11 mins read

Set superior settings with the Amazon OpenSearch Service Dashboards API


Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) is a completely managed service that you need to use to deploy and function OpenSearch clusters cost-effectively at scale within the AWS Cloud. The service makes it straightforward so that you can carry out interactive log analytics, real-time software monitoring, web site search, and extra by providing the most recent variations of OpenSearch, assist for 19 variations of Elasticsearch (1.5 to 7.10 variations), and visualization capabilities powered by OpenSearch Dashboards and Kibana (1.5 to 7.10 variations).

A standard use case of OpenSearch in multi-tenant environments is to make use of tenants in OpenSearch Dashboards and supply segregated index patterns, dashboards, and visualizations to completely different groups within the group. Tenants in OpenSearch Dashboards aren’t the identical as indexes, the place OpenSearch organizes all knowledge. You should still have a number of indexes for multi-tenancy and tenants for controlling entry to OpenSearch Dashboards’ saved objects.

On this submit, we give attention to operationalizing superior settings for OpenSearch Dashboards tenants with programmatic methods, particularly with the Dashboards Superior Settings API. For a deeper perception into multi-tenancy in OpenSearch, discuss with OpenSearch Dashboards multi-tenancy.

One instance of superior settings configurations is deploying time zone settings in an setting the place every tenant is aligned to a distinct geographic space with particular time zone. We clarify the time zone configuration with the UI and show configuring it with the OpenSearch Dashboards Superior Settings API utilizing curl. This submit additionally gives steering for different superior settings chances are you’ll want to embrace in your deployment.

To observe alongside on this submit, be sure you have an Amazon OpenSearch Service area with entry to OpenSearch Dashboards by way of a job with administrator privileges for the area. For extra details about enabling entry management mechanisms on your domains, see Wonderful-grained entry management in Amazon OpenSearch Service.

The next examples use Amazon OpenSearch Service model 1.0, which was the most recent launch on the time of writing.

Configure superior settings within the OpenSearch Dashboards UI

To configure superior settings through the OpenSearch Dashboards UI, full the next steps:

  1. Log in to OpenSearch Dashboards.
  2. Select your consumer icon and select Change Tenants to decide on the tenant you need to change configuration for.

By default, all OpenSearch Dashboards customers have entry to 2 tenants: non-public and world. The worldwide tenant is shared between each OpenSearch Dashboards consumer. The non-public tenant is unique to every consumer and used largely for experimenting earlier than publishing configuration to different tenants. Be certain that to examine your configurations within the non-public tenant earlier than replicating in different tenants, together with world.

  1. Select Stack Administration within the navigation pane, then select Superior Settings.
  2. In your required tenant context, select a price for Timezone for date formatting.

On this instance, we modify the time zone from the default choice Browser to US/Japanese.

  1. Select Save adjustments.

Configure superior settings with the OpenSearch Dashboards API

For environments the place you favor to carry out operations programmatically, Amazon OpenSearch Service gives the flexibility to configure superior settings with the OpenSearch Dashboards superior settings API.

Let’s stroll by way of configuring the time zone utilizing curl.

  1. First, that you must authenticate to the API endpoint together with your consumer identify and password, and retrieve the authorization cookies into the file auth.txt:
curl -X POST  https://<domain_endpoint>/_dashboards/auth/login 
-H "osd-xsrf: true" 
-H "content-type:software/json" 
-d '{"username":"<username>", "password":"<password>"}' 
-c auth.txt

On this instance, we configure OpenSearch Dashboards to make use of the interior consumer database, and the consumer inherits administrative permissions below the worldwide tenant. In multi-tenant environments, the consumer is required to have related tenant permissions. You possibly can see an instance of this within the subsequent part, the place we illustrate a multi-tenant setting. Entry management in OpenSearch Dashboards is a broad and essential subject, and it might be unfair to attempt to squeeze all of it on this submit. Subsequently, we don’t cowl entry management in depth right here. For added info on entry management in multi-tenant OpenSearch Dashboards, discuss with OpenSearch Dashboards multi-tenancy.

The auth.txt file holds authorization cookies that you just use to move configuration adjustments to the API endpoint. The auth.txt file ought to look just like the next code:

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your personal danger.

#HttpOnly_<domain_endpoint> FALSE   /_dashboards    TRUE    0       security_authentication Fe26.2**80fca234dd0974fb6dfe9427e6b8362ba1dd78fc5a71
e7f9803694f40980012b*k9QboTT5A24hs71_wN32Cw*9-RvY2UhS-Cmat4RZPHohTbczyGRjmHezlIlhwePG1gv_P2bgSuZhx9XBV9I-zzdxrZIbJTTpymy4mv1rAB_GRuXjt-6ITUfsG58GrI7TI7D3pWKaw8n6lrhamccGYqL9K_dQrE4kr_godwEDLydR1d_
Oc11jEG98yi_O0qhBTu1kDNzNAEqgXEoaLS--afnbwPS0zvqUc4MUgrfGQOTt7mUoWMC778Tpii4V4gxhAcRqe_KoYQG1LhUq-j9XTHCouzB4qTJ8gR3tlbVYMFwhA**f278b1c9f2c9e4f50924c47bfd1a992234400c6f11ee6f005beecc4201760998*3Aj8gQAIKKPoUR0PX-5doFgZ9zqxlcB3YbfDgJIBNLU

  1. Assemble configuration adjustments inside the curl physique and submit them utilizing an authorization cookie. On this instance, we included a pattern to change the time zone to US/Japanese.
curl -X PUT https://<domain_endpoint>/_dashboards/api/saved_objects/config/1.0.0-SNAPSHOT 
-H "osd-xsrf:true" 
-H "content-type:software/json" 
-d '{"attributes":{"dateFormat:tz":"US/Japanese"}}' 
-b auth.txt

By default, the constructed API modifies the configuration within the non-public tenant, which is unique to every consumer, can’t be shared, and is right for testing. We offer directions to change configuration in multi-tenant environments later within the submit.

Your API name ought to obtain a response just like the next code, indicating the adjustments you submitted:

{"id":"1.0.0-SNAPSHOT","kind":"config","updated_at":"2021-09-06T19:59:42.425Z","model":"WzcsMV0=","namespaces":["default"],"attributes":{"dateFormat:tz":"US/Japanese"}}

In the event you favor to make a number of adjustments, you may assemble the API name as follows:

curl -X PUT https://<domain_endpoint>/_dashboards/api/saved_objects/config/1.0.0-SNAPSHOT 
-H "osd-xsrf:true" 
-H "content-type:software/json" 
-d 
'{
    "attributes":{
      "dateFormat:tz":"US/Japanese",
      "dateFormat:dow":"Monday"
    }
 }' 
-b auth.txt

To retrieve the most recent configuration adjustments, assemble a GET request as follows:

curl -X GET https://<domain_endpoint>/_dashboards/api/saved_objects/config/1.0.0-SNAPSHOT 
-H "osd-xsrf:true" 
-H "content-type:software/json" 
-b auth.txt

Configure superior settings with the OpenSearch Dashboards API in multi-tenant environments

Tenants in OpenSearch Dashboards are generally used to share customized index patterns, visualizations, dashboards, and different OpenSearch objects with completely different groups or organizations.

The OpenSearch Dashboards API gives the flexibility to change superior settings in several tenants. Within the earlier part, we coated making superior configuration adjustments for a non-public tenant. We now stroll by way of the same state of affairs for a number of tenants.

  1. First, that you must authenticate to the API endpoint and retrieve the authorization cookies into the file auth.txt. You possibly can assemble this request in the identical means you’ll in a single-tenant setting as described within the earlier part.

In multi-tenant environments, be sure you configure the consumer’s position with related tenant permissions. One sample is to affiliate the consumer to the kibana_user and a customized group that has tenant permissions. In our instance, we related the tenant admin consumer tenant-a_admin_user to the 2 roles as proven within the following code: the kibana_user system position and a customized tenant-a_admin_role that features tenant permissions.

GET _plugins/_security/api/account
{
  "user_name" : "tenant-a_admin_user",
  "is_reserved" : false,
  "is_hidden" : false,
  "is_internal_user" : true,
  "user_requested_tenant" : "tenant-a",
  "backend_roles" : [
    ""
  ],
  "custom_attribute_names" : [ ],
  "tenants" : {
    "global_tenant" : true,
    "tenant-a_admin_user" : true,
    "tenant-a" : true
  },
  "roles" : [
    "tenant-a_admin_role",
    "kibana_user"
  ]
}


GET _plugins/_security/api/roles/tenant-a_admin_role
{
  "tenant-a_admin_role" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [ ],
    "index_permissions" : [ ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "tenant-a"
        ],
        "allowed_actions" : [
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }
}

After authenticating to the OpenSearch Dashboards API, the auth.txt file holds authorization cookies that you just use to move configuration adjustments to the API endpoint. The content material of the auth.txt file needs to be just like the one we illustrated within the earlier part.

  1. Assemble the configuration adjustments by including a securitytenant header. On this instance, we modify the time zone and day of week in tenant-a:
curl -X PUT https://<domain_endpoint>/_dashboards/api/saved_objects/config/1.0.0-SNAPSHOT 
-H "osd-xsrf:true" 
-H "content-type:software/json" 
-H "securitytenant: tenant-a" 
-d 
'{
    "attributes":{
     "dateFormat:tz":"US/Japanese",
     "dateFormat:dow":"Monday"
    }
 }' 
-b auth.txt

The OpenSearch Dashboards API endpoint returns a response just like the next:

{"id":"1.0.0-SNAPSHOT","kind":"config","updated_at":"2021-10-10T17:41:47.249Z","model":"WzEsMV0=","namespaces":["default"],"attributes":{"dateFormat:tz":"US/Japanese","dateFormat:dow":"Monday"}}

You may additionally confirm the configuration adjustments within the OpenSearch Dashboards UI, as proven within the following screenshot.

Conclusion

On this submit, you used the Amazon OpenSearch Service Dashboards UI and API to configure superior settings for a single-tenant and multi-tenant setting. Implementing OpenSearch Dashboards at scale in multi-tenant environments requires extra environment friendly strategies than merely utilizing the UI. That is particularly essential in environments the place you serve centralized logging and monitoring domains for various groups. You should utilize the OpenSearch Dashboards APIs we illustrated on this submit and bake your superior setting configurations into your infrastructure code to speed up your deployments!

Tell us about your questions and different matters you’d like us to cowl within the remark part.


In regards to the Authors

Prashant Agrawal is a Specialist Options Architect at Amazon Internet Companies primarily based in Seattle, WA.. Prashant works carefully with Amazon OpenSearch group, serving to prospects migrate their workloads to the AWS Cloud. Earlier than becoming a member of AWS, Prashant helped varied prospects use Elasticsearch for his or her search and analytics use instances.

Evren Sen is a Options Architect at AWS, specializing in strategic monetary companies prospects. He helps his prospects create Cloud Heart of Excellence and design, and deploy options on the AWS Cloud. Outdoors of AWS, Evren enjoys spending time with household and mates, touring, and biking.

Leave a Reply

Your email address will not be published. Required fields are marked *