This version of the OpenSearch documentation is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
HTTP basic authentication
HTTP basic authentication provides a simple challenge-and-response process for gaining access to OpenSearch and its resources that prompts you to sign in with a username and password. You enable HTTP basic authentication in the
http_authenticator section of the configuration by specifying
basic, as shown in the following example:
authc: basic_internal_auth_domain: description: "Authenticate using HTTP basic against the internal users database" http_enabled: true transport_enabled: true order: 1 http_authenticator: type: basic challenge: true authentication_backend: type: internal
Additionally, you can specify the internal user database as the authentication backend by specifying
internal as the type for
authentication_backend. See The internal user database for information about this backend.
basic is specified for the type of HTTP authenticator and
internal is specified for the type of authentication backend, no further configuration in
config.yml is needed, unless you plan to use additional authentication backends with HTTP basic authentication. Continue reading for considerations related to this type of setup and more information about the
The challenge setting
In most cases, it’s appropriate to set
true for basic authentication. This setting defines the behavior of the Security plugin when the
Authorization field in the HTTP header is not specified. By default, the setting is
challenge is set to
true, the Security plugin sends a response with the status
UNAUTHORIZED (401) back to the client. If the client is accessing the cluster with a browser, this triggers the authentication dialog box and the user is prompted to enter a username and password. This is a common configuration when HTTP basic authentication is the only backend being used.
challenge is set to
false and an
Authorization header has not been specified in the request, the Security plugin does not send a
WWW-Authenticate response back to the client, and authentication fails. This configuration is often used when you have multiple challenging
http_authenticator settings included in your configured authentication domains. This might be the case, for example, when you plan to use basic authentication and SAML together. For an example and a more complete explanation of this configuration, see Running multiple authentication domains in the SAML documentation.
When you define multiple HTTP authenticators, make sure to order non-challenging authenticators first—such as
clientcert—and order challenging HTTP authenticators last. For example, in a configuration where a non-challenging HTTP basic authentication backend is paired with a challenging SAML backend, you might specify
order: 0 in the HTTP basic
authc domain and
order: 1 in the SAML domain.
The internal user database
When using HTTP basic authentication, the internal user database stores the internal users and includes their hashed passwords and other user attributes, such as roles. Users and their settings are kept in the
internal_users.yml configuration file. For more information about this file, see internal_users.yml in the security configuration documentation.