All Products
Search
Document Center

Access authorization rules

Last Updated: Sep 09, 2021

All OpenSearch applications that are created within your Alibaba Cloud account belong to the account. By default, an Alibaba Cloud account has full permissions on resources that belong to the account. OpenSearch allows you to use Resource Access Management (RAM) to grant RAM users the permissions to access and manage OpenSearch resources within your Alibaba Cloud account.

Note

  • Compared with the earlier version of the RAM console, the new version supports more fine-grained permission control. To grant RAM users permissions in the new version of the RAM console, you must reconfigure RAM authorization policies.

  • To grant RAM users permissions, you must use the OpenSearch API or OpenSearch SDK V3 or later. This feature is not supported by V2 or earlier versions of the OpenSearch API or OpenSearch SDK.

  • If you use a third-party service as the data source of an OpenSearch application, you must comply with the rules of the RAM permission system to grant RAM users the permissions on the third-party service. You cannot grant RAM users the permissions on MaxCompute. The reason is that a RAM user that is authorized to access a MaxCompute project of the corresponding Alibaba Cloud account may fail to access other resources that belong to the Alibaba Cloud account. As a result, the RAM user may fail to reference the project as the data source to connect to OpenSearch. We recommend that you use an Alibaba Cloud account to configure a MaxCompute project as the data source of an application, and then manage the application as a RAM user.

  • If you want to use a RAM user to configure an ApsaraDB RDS instance as the data source of an application in the OpenSearch console, you must grant the RAM user the required permissions on the instance. Otherwise, an error message appears, indicating that the connection to ApsaraDB RDS fails. For more information about how to grant a RAM user the permissions on an ApsaraDB RDS instance, see the "Permissions required to access an ApsaraDB RDS instance" section of this topic.

  • Actions that start with :Search, such as :SearchApp and :SearchSuggest, do not support IP address-based conditional authorization. If you configure IP-based conditional authorization for such actions, an error occurs.

Time for authorization to take effect

After you grant permissions to a RAM user or update the permissions of a RAM user, the granted or updated permissions take effect in five minutes.

Common minimum permission set

If you want to use the OpenSearch console as a RAM user, you must grant the RAM user the required permissions. A common minimum permission set contains the permissions that are required to search for data in an application, view the application list, view application details, configure monitoring and alerting, and access an ApsaraDB RDS instance. The following sections describe these permissions for your reference.

Permission to search for data in an application

If you want to use OpenSearch SDK to initiate a search request or test the document retrieval feature for an application as a RAM user, the RAM user must have the permission to search for data from the application. The following sample code provides an example of the policy that grants the permission required to retrieve documents from the application named app_schema_demo:

{
    "Statement": [
    {
            "Effect": "Allow",
            "Action": "opensearch:SearchApp",
            "Resource": "acs:opensearch:*:*:apps/app_schema_demo"
        }
    ],
    "Version": "1"
}

Permission to view the application list

If you want to view applications after you log on to the OpenSearch console as a RAM user, the RAM user must have the permission to view the list of applications.

{
    "Statement": [
        {
            "Action": [
                "opensearch:ListAppGroup",
                "opensearch:DescribeAppStatistics",
                "opensearch:ListAppGroupErrors"
            ],
            "Effect": "Allow",
            "Resource": "acs:opensearch:*:*:app-groups/*"
        }
    ],
    "Version": "1"
}

Permissions to view application details

The OpenSearch console provides the monitoring and alerting feature on the details pages of applications. If you want to view the details of an application in the OpenSearch console as a RAM user, the RAM user must have the permissions to view application details. The following sample code provides an example of the authorization policy that grants the permissions required to view the details of the application named app_schema_demo:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "opensearch:DescribeAppGroup",
                "opensearch:ListApp",
                "opensearch:DescribeApp"
            ],
            "Resource": "acs:opensearch:*:*:app-groups/app_schema_demo"
        },
        {
            "Action": "opensearch:ListUserAnalyzers",
            "Effect": "Allow",
            "Resource": "acs:opensearch:*:*:user-analyzers/*"
        }
    ],
    "Version": "1"
}

Permissions to configure monitoring and alerting

OpenSearch provides the monitoring and alerting feature based on the CloudMonitor service of Alibaba Cloud. The system policy AliyunCloudMonitorReadOnlyAccess grants the read-only permissions on CloudMonitor. You can search for this policy in the RAM console.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Get*",
                "cms:List*",
                "cms:Query*",
                "cms:BatchQuery*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "opensearch:DescribeApp",
            "Resource": "acs:opensearch:*:*:app-groups/*",
            "Effect": "Allow"
        }
    ]
}

Permissions to access an ApsaraDB RDS instance

OpenSearch can obtain data from an ApsaraDB RDS instance based on tables or fields. ApsaraDB RDS uses the whitelist to implement access control. If you want to use OpenSearch to obtain data from an ApsaraDB RDS instance, you must grant the RAM user the permissions to configure the whitelist for the ApsaraDB RDS instance. Otherwise, when OpenSearch connects to the ApsaraDB RDS instance, an error occurs, indicating that the RAM user is not authorized to configure the IP address whitelist for the ApsaraDB RDS instance. You can authorize a RAM user in the RAM console by performing the following steps: Create a custom authorization policy and a RAM user on the Overview page. Then, attach the policy to the RAM user on the Users page. For more information, see Use RAM to manage ApsaraDB RDS permissions. The following sample code provides an example of the authorization policy that grants the permissions required to access an ApsaraDB RDS instance in OpenSearch:

  • For information about the variables, such as $regionid, $accountid, and $dbinstanceid, in the Resource parameters, see Use RAM for resource authorization.

  • You can use the wildcard (*) to set the variables in the Resource parameters.

    {
      "Version": "1",
      "Statement": [
          {
              "Action": "rds:DescribeDBInstanceAttribute",
              "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
              "Effect": "Allow"
          },
          {
              "Action": "rds:ModifySecurityIps",
              "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
              "Effect": "Allow"
          },
          {
              "Action": "rds:DescribeDBInstanceIPArrayList",
              "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
              "Effect": "Allow"
          },
          {
              "Action": "rds:DescribeDBInstanceNetInfoForChannel",
              "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
              "Effect": "Allow"
          }
      ]
    }

Examples

Before you grant permissions to a RAM user, you must determine which permissions on which applications to grant. In most cases, if you use the OpenSearch console as a RAM user, you must grant the RAM user the permissions to perform the required actions. For example, you can grant the RAM user the permissions to perform the Describe* and List* actions. You can also grant a custom set of permissions to the RAM user as needed.

Example 1

You want to grant all permissions on all OpenSearch applications in all regions to a RAM user that belongs to the Alibaba Cloud account whose ID is 1234. In this case, you can use the Alibaba Cloud account to create an authorization policy in the RAM console, and then attach the policy to the RAM user. You can also authorize the RAM user by using RAM SDK. To authorize a RAM user, perform the following steps: 1. Create an authorization policy.

{
  "Statement": [
    {
      "Action": "opensearch:*",
      "Effect": "Allow",
      "Resource": "acs:opensearch:*:1234:apps/*"
    }
  ],
  "Version": "1"
}

2. Attach the authorization policy to the RAM user.

Example 2

You want to grant all permissions on all OpenSearch applications in the China (Hangzhou) region to a RAM user that belongs to an Alibaba Cloud account whose ID is 1234. In this case, You can use the Alibaba Cloud account to create an authorization policy in the RAM console, and then attach the policy to the RAM user. You can also authorize the RAM user by using RAM SDK. To authorize a RAM user, perform the following steps:

1. Create an authorization policy.

{
  "Statement": [
    {
      "Action": "opensearch:*",
      "Effect": "Allow",
      "Resource": "acs:opensearch:cn-hangzhou:1234:apps/*"
    }
  ],
  "Version": "1"
}

2. Attach the authorization policy to the RAM user.

Note

  • You can use the wildcard (*) to specify all types of resources in the Resource parameter.

  • You can specify the name of an application in the Resource parameter. In this case, the authorized RAM users can perform all actions that are specified in the Action parameter only on this application, even if the Action parameter is set to opensearch:*. This limit does not apply to the opensearch:ListApp and opensearch:CreateApp actions.

  • The actions that are specified in the Action parameter apply to only the resources that are specified in the Resource parameter. For example, if you want to authorize RAM users to perform the opensearch:ListApp and opensearch:CreateApp actions, you must use the wildcard (*) to specify all applications in the Resource parameter. These two actions are different from other actions in that you can authorize RAM users to perform other actions only on specified applications.

  • You have specified application names in all your authorization policies. In this case, if you also want to authorize a RAM user to perform the opensearch:ListApp and opensearch:CreateApp actions, you must create another authorization policy with the Action parameter set to opensearch:* for the two actions and attach this policy to the RAM user.

Solution to failed RAM user authentication in the OpenSearch console

When you use the OpenSearch console as a RAM user, an error message of failed RAM user authentication may appear.

To resolve this error, perform the following steps:

  • View the details of the error message to find the POP action in the request. In this example, the POP action is ListAppGroups. If the POP action ends with DryRun, ignore DryRun. For example, if the POP action is CreateAppDryRun, the actual action is CreateApp.

  • In the Authorization rules of applications topic, find the RAM action and the value format of the Resource parameter that correspond to the ListAppGroups POP action.

    In most cases, the RAM action is different from the POP action.
  • Configure an authorization policy to grant the required permissions on the RAM action to the RAM user.