Disabling and enabling the Security plugin
The Security plugin is installed by default with OpenSearch, but you can temporarily disable it or remove it altogether. Disabling the plugin involves a change to the opensearch.yml file; you may want to do this to streamline testing. A more substantive change is required to remove the Security plugin completely. You might want to remove it if, for example, you are using your own security solution or need to remove it for development purposes.
Disabling or removing the plugin exposes the configuration index for the Security plugin. If the index contains sensitive information, make sure to protect it through some other means. If you no longer need the index, delete it.
Disabling, removing, or installing the Security plugin requires a full cluster restart because during this process, the individual nodes are not able to communicate with each other.
Disabling/enabling the Security plugin
You can disable the Security plugin by editing the opensearch.yml file:
  plugins.security.disabled: true
You can then enable the plugin by removing the plugins.security.disabled setting.
Removing and adding the Security plugin
You can completely remove the Security plugin from your OpenSearch instance. Note that OpenSearch Dashboards can only run against a secure cluster, so if you uninstall the Security plugin, you’ll also need to uninstall the OpenSearch Dashboards plugin.
Removing the Security plugin from OpenSearch
Do the following to remove the plugin from OpenSearch.
- Disable shard allocation and stop all nodes so that shards don’t move when the cluster is restarted:
  curl -XPUT "https://localhost:9200/_cluster/settings" -u "admin:<password>" -H 'Content-Type: application/json' -d '{ "transient": { "cluster.routing.allocation.enable": "none" } }'
- Delete all plugins.security.* configuration entries from opensearch.yml.
- Uninstall the Security plugin by using the following command:
  ./bin/opensearch-plugin remove opensearch-security
- Restart the nodes and enable shard allocation:
  curl -XPUT "http://localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{ "transient": { "cluster.routing.allocation.enable": "all" } }'
To perform these steps on the Docker image, see Working with plugins.
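The following check is an added example, not part of the OpenSearch documentation. Before a restart, it reports whether opensearch.yml still disables the plugin (the plugins.security.disabled setting above) or still carries plugins.security.* entries that the removal procedure says to delete. The function names and the sample file are assumptions made for illustration, and only flat dotted keys, as written on this page, are recognized.

```shell
#!/bin/sh
# Added example: audit opensearch.yml for Security plugin settings before a restart.
# Assumes flat dotted keys (plugins.security.x: y); nested YAML is not parsed.

# List active (uncommented) plugins.security.* lines, with line numbers.
security_entries() {
  grep -nE '^[[:space:]]*plugins\.security\.' "$1" || true
}

# Print one of:
#   disabled   - plugins.security.disabled: true is set (plugin installed but off)
#   configured - plugins.security.* entries remain and the plugin is not disabled
#   clean      - no active plugins.security.* entries (expected before removal)
security_state() {
  if grep -qE '^[[:space:]]*plugins\.security\.disabled:[[:space:]]*"?true"?[[:space:]]*(#.*)?$' "$1"; then
    echo disabled
  elif grep -qE '^[[:space:]]*plugins\.security\.' "$1"; then
    echo configured
  else
    echo clean
  fi
}

# Constructed sample configuration used by the demo below.
sample_config() {
  cat <<'EOF'
cluster.name: demo-cluster
# plugins.security.disabled: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.pemcert_filepath: node.pem
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
echo "state: $(security_state "$tmp")"   # configured
security_entries "$tmp"                  # the two entries still to delete
rm -f "$tmp"
```

Run it against each node's opensearch.yml; a state of clean is what the removal procedure expects before the plugin is uninstalled.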
Removing the Security plugin from OpenSearch Dashboards
If you disable the Security plugin in opensearch.yml and still want to use OpenSearch Dashboards, you must remove the corresponding OpenSearch Dashboards Security plugin. For more information, see Remove plugins.
Refer to the following installation types to remove the OpenSearch Dashboards plugin.
Docker
- Remove all Security plugin configuration settings from opensearch_dashboards.yml or move the example file to the same folder as the Dockerfile:
  ---
  server.name: opensearch-dashboards
  server.host: "0.0.0.0"
  opensearch.hosts: http://localhost:9200
- Create a new Dockerfile:
  FROM opensearchproject/opensearch-dashboards:3.3.0
  RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards
  COPY --chown=opensearch-dashboards:opensearch-dashboards opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/
- To build the new Docker image, run the following command:
  docker build --tag=opensearch-dashboards-no-security .
- In docker-compose.yml, change opensearchproject/opensearch-dashboards:3.3.0 to opensearch-dashboards-no-security.
- Change OPENSEARCH_HOSTS or opensearch.hosts to http:// rather than https://.
- Enter docker compose up.
Tarball
- Navigate to the /bin directory in your OpenSearch Dashboards installation folder and stop the running OpenSearch Dashboards instance by pressing Ctrl + C.
- Run the following command to uninstall the Security plugin:
  ./bin/opensearch-dashboards-plugin remove securityDashboards
- Remove all Security plugin configuration settings from the opensearch_dashboards.yml file or use the following example file:
  ---
  server.name: opensearch-dashboards
  server.host: "0.0.0.0"
  opensearch.hosts: http://localhost:9200
- Start OpenSearch Dashboards:
  ./bin/opensearch-dashboards
RPM and Debian
- Stop the running instance of OpenSearch Dashboards by using the following command:
  sudo systemctl stop opensearch-dashboards
- Navigate to the OpenSearch Dashboards folder /usr/share/opensearch-dashboards and run the following command to uninstall the Security plugin:
  ./bin/opensearch-dashboards-plugin remove securityDashboards
- Remove all Security plugin configuration settings from the opensearch_dashboards.yml file or place the example file in the /etc/opensearch_dashboards folder:
  ---
  server.name: opensearch-dashboards
  server.host: "0.0.0.0"
  opensearch.hosts: http://localhost:9200
- Start OpenSearch Dashboards:
  sudo systemctl start opensearch-dashboards
Installing the Security plugin
Use the following steps to reinstall the plugin:
- Disable shard allocation and stop all nodes so that shards don’t move when the cluster is restarted:
  curl -XPUT "http://localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{ "transient": { "cluster.routing.allocation.enable": "none" } }'
- Install the Security plugin on all nodes in your cluster using one of the installation methods:
  bin/opensearch-plugin install opensearch-security
- Add the necessary configuration to opensearch.yml for TLS encryption. See Configuration for information about the settings that need to be configured.
- Create the OPENSEARCH_INITIAL_ADMIN_PASSWORD variable. For more information, see Setting up a custom admin password.
- Restart the nodes and reenable shard allocation:
  curl -XPUT "https://localhost:9200/_cluster/settings" -u "admin:<password>" -H 'Content-Type: application/json' -d '{ "transient": { "cluster.routing.allocation.enable": "all" } }'
Installing the Security plugin on OpenSearch Dashboards
Use the following steps to reinstall the plugin on OpenSearch Dashboards:
- Stop running your OpenSearch Dashboards cluster.
- Install the Security plugin:
  ./bin/opensearch-dashboards-plugin install securityDashboards
- Add the necessary configuration settings in the opensearch_dashboards.yml file.
- Start OpenSearch Dashboards. If the plugin was successfully installed, you’ll be prompted to enter your login credentials.