Page MenuHomePhabricator
Create Task
Maniphest T416714

OpenSearch on K8s: Create separate admin user for cluster operations
Open, MediumPublic
Actions

Description

Currently we protect the OpenSearch cluster endpoints using basic auth. The opensearch user has full permissions for index-level operations, and that's fine for end users.

But SREs needing to perform some cluster operations (such as forcing shard reallocation) currently have to use the operator user, which is also used by the opensearch operator. We don't want humans and applications to use the same user, so let's:

  • Create a separate admin user for cluster admins. It should be easy enough to auth via the same client certs that are available to the deploy users on the deployment hosts. Note that that would give application owners full permission to do these cluster operations as well, and that's OK.
  • Verify operation.
  • Update/create relevant docs.

Related Objects
Search...

Event Timeline

bking created this task.Feb 6 2026, 4:37 PM
bking triaged this task as Medium priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 6 2026, 4:37 PM
bking renamed this task from Ease OpenSearch cluster management from deployment hosts to OpenSearch on K8s: Create separate admin user for cluster operations.Feb 6 2026, 4:58 PM
bking edited projects, added Data-Platform-SRE (2026.01.23 - 2026.02.13); removed Data-Platform-SRE.
bking updated the task description. (Show Details)
bking added a comment.Feb 9 2026, 10:44 PM

For reference:

bking edited parent tasks, added: T414217: ☂️Test OpenSearch k8s Operator 3.x ☂️, T414688: Deploy a test opensearch cluster managed by operator 3.x; removed: T408586: ☂️ OpenSearch on K8s: Ensure that our first tenant workload is ready for production ☂️.Feb 12 2026, 9:01 PM
bking added a parent task: T417328: Explore K8s-native OpenSearch user management.Feb 12 2026, 9:12 PM

We should check out the options for user/role management in the newest version of the chart before we do any work here. I've created T417328 for this purpose.

Gehel edited projects, added Data-Platform-SRE (2026-02-13 - 2026-03-06); removed Data-Platform-SRE (2026.01.23 - 2026.02.13).Feb 16 2026, 3:36 PM
Gehel edited projects, added Data-Platform-SRE (2026-03-06 - 2026-03-27); removed Data-Platform-SRE (2026-02-13 - 2026-03-06).Mar 6 2026, 2:04 PM
Gehel edited projects, added Data-Platform-SRE (2026-03-27 - 2026-04-17); removed Data-Platform-SRE (2026-03-06 - 2026-03-27).Mar 27 2026, 9:51 AM
Gehel edited projects, added Data-Platform-SRE (2026-04-24 - 2026-05-15); removed Data-Platform-SRE (2026-03-27 - 2026-04-17).Fri, Apr 24, 9:18 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits