This publish demonstrates learn how to construct a safe search utility utilizing Amazon OpenSearch Service and JSON Net Tokens (JWTs). We talk about the fundamentals of OpenSearch Service and JWTs and learn how to implement consumer authentication and authorization via an current identification supplier (IdP). The main target is on imposing fine-grained entry management primarily based on consumer roles and permissions.
JWT authentication and authorization to your OpenSearch Service area supplies a strong mechanism that addresses necessities for fine-grained entry management. An IdP is a service that shops and manages consumer identities and their entry rights, enabling centralized consumer authentication throughout a number of functions. The IdP points JWTs, that are safe tokens containing claims in regards to the authenticated consumer. By utilizing JWTs from the IdP, you possibly can:
- Implement safe, role-based entry management to look outcomes
- Validate consumer permissions earlier than granting entry to delicate information
- Preserve a centralized authentication mechanism throughout your search utility
- Be sure that solely licensed customers can view information primarily based on their predefined roles
The JWT integration helps organizations:
- Outline granular permissions inside the IdP
- Authenticate customers utilizing bearer tokens throughout totally different functions
- Defend delicate data via token-based entry administration
- Cut back complexity of managing a number of authentication methods
Key advantages of the answer embrace:
- Standardized token-based authentication
- Centralized permission administration
- Simplified single sign-on (SSO) expertise
- Versatile and scalable entry management mechanism
The power to dynamically filter delicate data primarily based on token claims enhances information safety whereas decreasing the complexity of managing a number of authentication methods. This functionality is made potential via the fine-grained entry management (FGAC) characteristic in OpenSearch Service, which enforces document- and field-level entry primarily based on consumer roles.
Use case overview
On this publish, we discover a consumer workflow with a number of roles and entry stage necessities. A analysis establishment needs to construct a safe search utility with managed entry to biomedical databases particularly PubMed (a complete database of biomedical literature) and Scientific Trials (a registry of medical analysis research). Completely different analysis groups require various ranges of entry to those datasets primarily based on their roles and clearance ranges. The next hierarchical entry construction defines the consumer roles and their corresponding permission ranges for accessing PubMed and Scientific Trials databases:
- PubMed Admin – Full learn entry to all PubMed information (for senior analysis teams)
- PubMed Restricted – Restricted entry to particular fields and paperwork (for researchers with restricted entry)
- Scientific Trials Admin – Full learn entry to all Scientific Trials information (for principal investigators and senior trial managers)
- Scientific Trials Restricted – Restricted learn entry to particular trial data and aggregated information (for trial researchers with restricted entry)
- Analysis Fundamental – Learn-only entry to particular public information in PubMed and Scientific Trials (for basic analysis workers and interns)
- Analysis Full Entry – Full learn and write entry to all indices, with permissions to replace or modify information
To implement this use case, we use JWTs generated by the supported IdP, which encode role-specific data. This setup makes positive OpenSearch Service can validate tokens earlier than returning search outcomes, dynamically filtering delicate information primarily based on the consumer’s JWT claims and fine-grained entry management settings.
Answer overview
The technical workflow for utilizing JWT authorization with OpenSearch Service entails a number of key phases:
- Consumer authentication – Customers log in via the present authentication system linked to the IdP
- JWT technology – Upon profitable authentication, the IdP generates a JWT containing particular position data
- Search question submission – Customers submit search queries to OpenSearch Service together with their JWT
- Token validation – OpenSearch Service validates and decodes the JWT to confirm consumer permissions
- Consequence filtering – Search outcomes are filtered primarily based on the consumer’s permissions outlined within the JWT
- Knowledge retrieval – Solely licensed information is returned to the consumer, imposing compliance with privateness requirements
This workflow supplies a standardized method to authentication and authorization whereas streamlining consumer interactions with the search utility. The answer makes positive every consumer sees solely the knowledge acceptable to their position, sustaining information privateness and organizational safety requirements.
It’s essential to allow JWT authentication and authorization, and fine-grained entry management throughout the OpenSearch Service area creation course of. For extra data, consult with Configuring JWT authentication and authorization and Wonderful-grained entry management in Amazon OpenSearch Service.
The next diagram illustrates the answer structure.
This answer demonstrates authentication utilizing Amazon Cognito because the IdP to generate the JWT. Nevertheless, you need to use one other supported IdP. The ID token contains group membership data that OpenSearch Service maps to roles configured utilizing fine-grained entry management.
The consumer circulation consists of the next steps:
- The consumer initiates authentication by logging in with Amazon Cognito consumer credentials. Amazon Cognito returns an authorization code.
- The consumer sends the authorization code to an Amazon API Gateway /token endpoint for ID token trade.
- API Gateway forwards the authorization code to an AWS Lambda operate.
- The Lambda operate sends a token trade request to Amazon Cognito with the authorization code.
- The Lambda operate receives the ID token from Amazon Cognito and returns it to the consumer.
- The consumer sends an OpenSearch Service question to the API Gateway /search endpoint, together with the ID token. API Gateway validates the ID token (JWT) with Amazon Cognito.
- API Gateway forwards the request to a Lambda operate.
- The Lambda operate checks if JWT authentication and authorization is enabled for the OpenSearch Service area with the respective public key of the Amazon Cognito consumer pool. If not, it’s going to allow and configure this characteristic for the OpenSearch Service area. The Lambda operate forwards the question and ID token to OpenSearch Service.
- OpenSearch Service validates the JWT with Amazon Cognito:
- OpenSearch Service verifies consumer permissions in opposition to fine-grained entry management primarily based on group membership.
- OpenSearch Service returns question outcomes to the consumer if authorization succeeds.
The next diagram illustrates the request circulation.
Stipulations
Earlier than you deploy the answer, be sure to have the next conditions:
Deploy answer sources
To deploy the answer sources, we use an AWS CloudFormation template. Launch the AWS CloudFormation template with the next Launch Stack button.
Enter an acceptable stack title. This title is used as a prefix for sources like OpenSearch Service domains and Lambda capabilities. Maintain the default settings, and select Create.
The stack deployment takes roughly 15–20 minutes. When deployment is full, the stack standing reveals as CREATE_COMPLETE.
The outputs for this CloudFormation stack present vital data concerning the deployed sources. This data might be referenced all through totally different sections of this publish.
On the Outputs tab, notice the next values:
- OpenSearchDashboardURL
- SharedLambdaRoleArn
On the Assets tab, find the next data:
- OpenSearchMasterUserSecret: Select the Bodily ID hyperlink, then select Retrieve Secret Worth. Notice the consumer title and password required for OpenSearch Service area login.
- IngestDataAndCreateBackendRoles: Select the Bodily ID hyperlink to open the Lambda operate, wanted in later steps.
- UserPool: Select the Bodily ID hyperlink to open the Amazon Cognito consumer pool, wanted in later steps.
- RestAPI: Select the Bodily ID hyperlink to open the API Gateway endpoint, wanted in later sections.
In a separate browser tab, log in to the OpenSearch dashboard utilizing OpenSearchDashboardsURL and consumer credentials famous beforehand.
Assign permissions to the IAM position related to the Lambda operate
Full the next steps to map your IAM position to each the all_access and security_manager roles in OpenSearch Service:
- In OpenSearch Dashboards, select Safety within the navigation pane, then select Roles.
- Open the all_access position.
- Within the Mapped customers part, select Handle mapping.
- For Backend position, enter the IAM position Amazon Useful resource title (ARN). That is the worth you copied from the CloudFormation stack output for
SharedLambdaRoleArn. - Select Map to substantiate.
- On the Roles web page, open the security_manager position.
- Within the Mapped customers part, select Handle mapping.
- For Backend position, enter the identical IAM position ARN.
- Select Map to substantiate the modifications.
These steps make sure the IAM position hooked up to the Lambda operate has the mandatory permissions to ingest information (all_access) and create roles (security_manager) inside the OpenSearch Service area.
On this pattern setup, the Lambda operate handles bulk ingestion and position creation with out granting any direct entry to customers, and all_access is offered to the Lambda position solely to allow ingestion. FGAC in OpenSearch supplies in-depth entry management, permitting you to additional tighten the Lambda position permissions by granting solely the mandatory CRUD operations, moderately than full entry for ingestion. For extra particulars, consult with Defining customers and roles and Wonderful-grained entry management in OpenSearch.
Run the Lambda operate to ingest information into the OpenSearch Service area
On the CloudFormation stack’s Assets tab, find the IngestDataAndCreateBackendRoles Lambda operate. Open the Lambda operate, select Check, and execute it. You may verify the operate’s profitable execution by checking Amazon CloudWatch Logs.
This Lambda operate is designed to carry out bulk ingestion and position creation within the OpenSearch Service area. It ingests pattern medical analysis information into OpenSearch Service, creating two indexes (pubmed and clinical_trials), and units up required OpenSearch Service roles. We discover these roles intimately within the subsequent part.
Map roles and customers in OpenSearch Service
On this step, we outline two key OpenSearch Service roles:
- pubmed-admin – Grants full learn entry to the PubMed index containing biomedical literature and analysis abstracts, meant for senior analysis teams
- pubmed-limited – Offers restricted learn entry to solely particular fields (journal, title, and summary, the place journal is a masked subject), meant for researchers with restricted information entry
We’ve got already created these roles by operating the Lambda operate within the earlier part. The next code is the pubmed-admin OpenSearch Service position description:
The next code is the pubmed-limited OpenSearch Service position description:
The pubmed-admin and pubmed-limited roles serve totally different functions, and their major distinction lies in how they management information visibility. Doc-level safety (DLS) enables you to limit a job to a subset of paperwork in an index, whereas field-level safety (FLS) enables you to management which doc fields a consumer can see. The restricted position is configured with FLS to reveal solely the journal, title, and summary fields, whereas masked fields anonymize delicate information equivalent to journal. On high of those, you possibly can apply DLS to cover particular information, for instance, to forestall customers from viewing paperwork from sure journals or publication years. In your use instances, use DLS and FLS to regulate doc and subject visibility for various customers. These roles are totally configurable; you possibly can add, take away, or replace doc and subject entry at any time to match evolving safety or enterprise necessities.
To implement entry management, customers have to be mapped to acceptable OpenSearch Service roles on OpenSearch Dashboards. Full the next steps to map customers to the OpenSearch Service roles:
- On OpenSearch Dashboards, select Safety within the navigation pane, then select Roles.
- Open the
pubmed-adminposition. - Within the Mapped customers part, select Handle mapping.
- For Backend position, enter
pubmed_admin_group. - Select Map to substantiate the mapping.
- On the Roles web page, open the pubmed-limited position.
- Within the Mapped customers part, select Handle mapping.
- For Backend position, enter pubmed_limited_group.
- Select Map to substantiate the mapping.
Backend roles simplify entry administration in OpenSearch Service. As a substitute of mapping particular person customers to OpenSearch service roles, you possibly can map roles to backend roles that customers share. This method enables you to map IdP teams on to the OpenSearch service roles. OpenSearch Service supplies choices when configuring your OpenSearch Service area to map JWT claims to OpenSearch Service roles utilizing the roles key.
On this answer, the JWT accommodates a subject known as cognito:teams that might be mapped because the roles key. In each JWT, this subject has a price for the suitable group the consumer belongs to. Based mostly on the sector worth within the JWT and the mapping outlined within the earlier step for various analysis teams, OpenSearch Service area dynamically assigns permissions:
- If the JWT accommodates “cognito:teams”: [“pubmed_admin_group”], the consumer is granted pubmed_admin entry
- If the JWT accommodates “cognito:teams”: [“pubmed_limited_group”], the consumer is granted pubmed_limited entry
Check out the examples beneath to grasp what a JWT header and payload seem like.
Pattern JWT header:
Pattern JWT payload:
Create customers in Amazon Cognito
On this part, we create the next Amazon Cognito customers:
The e-mail tackle required for every consumer must be distinctive. In case your e-mail area helps e-mail alias, you possibly can add a suffix to your personal e-mail tackle through the use of +pubmedadminuser@area.com. The next screenshot reveals our customers.
On the CloudFormation stack’s Assets tab, find the UserPool Amazon Cognito consumer pool that you just famous earlier. Open the consumer pool in a brand new browser tab.
To create the Amazon Cognito customers, full the next steps for every consumer:
- On the Amazon Cognito console, select Customers within the navigation pane.
- Select Create consumer.
- For Alias attributes used to sign up, choose E mail.
- For Consumer title, enter a novel consumer title.
- For E mail tackle, enter a novel e-mail tackle for every consumer.
- Choose Mark e-mail tackle as verified.
- Select Create Consumer.
Create teams in Amazon Cognito
We create the next teams in Amazon Cognito:
The next screenshot reveals created teams.
To create the Amazon Cognito teams, full the next steps for every group:
- On the Amazon Cognito console, select Teams within the navigation pane.
- Select Create group.
- For Group title, enter a novel title.
- Select Create group.
Add Amazon Cognito customers to teams
The customers must be added to the teams as follows:
- Add
PubMedAdminUserto thepubmed_admin_groupgroup - Add
PubMedLimitedUserto thepubmed_limited_groupgroup - Add
ClinicalTrialsAdminUserto theclinical_trials_admin_groupgroup - Add
ClinicalTrialsLimitedUserto theclinical_trials_limited_groupgroup - Add
ResearchBasicUserto theresearch_basic_groupgroup
So as to add customers to their respective group, full the next steps for every group:
- On the Amazon Cognito console, select Teams within the navigation pane.
- Select the group to which you need to add a consumer.
- Select Add consumer to group.
- Select the consumer and select Add.
Log in to generate a JWT
Earlier than operating the check queries within the subsequent part, you have to receive the id_token (JWT) for the required customers. The tokens will expire in 60 minutes. If the token is expired for a consumer, you have to log in once more to get a recent token. To log in together with your consumer to get the id_token, full the next steps:
- On the Amazon Cognito console, open your consumer pool.
- Select App shoppers within the navigation pane.
- Select the app consumer.
- Select View login web page.
- Enter the consumer title that you just used when creating the consumer.
- Enter the non permanent password that you just set when creating the consumer.
- For first-time logins, you may be prompted to create a brand new password. Enter a brand new password that meets the next necessities:
- No less than 8 characters
- Accommodates uppercase and lowercase letters
- Accommodates at the least one quantity
- Accommodates at the least one particular character
- Copy the id_token worth you generated (with out citation marks).
Question information in OpenSearch Service
This instance demonstrates how OpenSearch Service filters search outcomes primarily based on consumer permissions. We check searches utilizing JWTs for 2 totally different customers to confirm entry controls. Every consumer’s search outcomes are restricted to the indexes and paperwork allowed by their assigned roles.
On the CloudFormation stack’s Assets tab, find the RestAPI worth that you just famous earlier. Open the API gateway in a brand new browser tab.
Full the next steps to check the search API for every of the eventualities talked about on this part:
- On the API Gateway console, select Assets within the navigation pane.
- Select the /search useful resource.
- Select the POST methodology.
- Select Check.
When submitting queries to OpenSearch Service, make certain all double citation marks are escaped to forestall syntax errors. Moreover, be sure to full your question earlier than your JWT expires, or you will have to generate a brand new token. When you try to make use of an expired token, it’s going to end in an error.
For Eventualities 1 and a pair of, log in together with your PubMedAdmin consumer, and for Eventualities 3 and 4, log in together with your PubMedLimitedUser to acquire the required id_token.
State of affairs 1
On this first question, we question the pubmed index with the credentials of consumer PubMedAdminUser, which is a part of pubmed_admin_group:
Add the next values to the respective enter fields:
- For Question strings, enter question=
"{"question":{"match_all":{}}}"&index=pubmed - For Headers, enter id_token:
The next screenshot reveals our question outcomes.
Customers with the pubmed_admin position have full entry to the PubMed index and might carry out unrestricted searches throughout all fields and doc sorts. This question efficiently returns paperwork with the HTTP 200 standing code as a result of the consumer has full learn permissions on this index.
State of affairs 2
Subsequent, we question the clinical-trials index with the credentials of consumer PubMedAdminUser, who’s a part of pubmed_admin_group:
Add the next values to the respective enter fields:
- For Question strings, enter question=
"{"question":{"match_all":{}}}"&index=clinical-trials - For Headers, enter
id_token:
The next screenshot reveals our question outcomes.
Regardless of having admin privileges for PubMed information, this consumer receives a 403 Forbidden response when trying to entry the clinical-trials index. The error message signifies the shortage of needed permissions for performing search operations on this index.
State of affairs 3
Now we question allowed fields within the pubmed index with the credentials of consumer PubMedLimitedUser, which is a part of pubmed_limited_group:
Add the next values to the respective enter fields:
- For Question strings, enter question=
"{"question":{"match":{"title": "molecular biology"}}}"&index=pubmed - For Headers, enter
id_token:
The next screenshot reveals our question outcomes.
Customers with the pubmed_limited position can efficiently question particular fields like title, however with restricted entry to delicate data. The question returns outcomes with the HTTP 200 standing code, however the journal subject is anonymized resulting from field-level safety insurance policies. Customers can search and examine sure fields whereas having delicate information routinely masked or excluded from their outcomes.
State of affairs 4
Lastly, we question unauthorized fields within the pubmed index with the credentials of consumer PubMedLimitedUser, which is a part of pubmed_limited_group:
Add the next values to the respective enter fields:
- For Question strings, enter question=
"{"question":{"match":{"research_group":"RG_345"}}}"&index=pubmed - For Headers, enter
id_token:
The next screenshot reveals our question outcomes.
When a consumer with the pubmed_limited position makes an attempt to question the restricted research_group subject, OpenSearch returns a profitable response (HTTP 200) however with empty outcomes. This habits happens as a result of field-level safety is imposing entry controls as a substitute of returning a HTTP 403 error, it silently filters out the restricted subject from each the question and outcomes. This security-by-obscurity method signifies that customers can’t decide whether or not their question failed resulting from lack of permissions or real absence of matching paperwork.
Clear up
To keep away from incurring additional AWS utilization fees, delete the sources created on this publish by deleting the CloudFormation stack. This step will take away all sources besides Lambda layers. To delete the Lambda layers, navigate to the Layers web page on the Lambda console, and delete the layers named
Conclusion
On this publish, we mentioned how JWTs present a strong and scalable authentication mechanism that may be built-in with current IdPs. We additionally demonstrated learn how to seamlessly combine fine-grained entry management throughout search functions. Organizations can outline granular permissions inside their IdP, ensuring delicate data stays protected. The JWT integration with OpenSearch Service permits safe, environment friendly entry management, so customers can solely entry role-appropriate data whereas simplifying compliance and entry administration.
If in case you have suggestions about this publish, depart them within the feedback part. If in case you have questions on this publish, begin a brand new thread on AWS Safety, Identification, and Compliance re:Put up or contact AWS Help.
Concerning the authors
Ramya Bhat is a Knowledge Analytics Guide at AWS, specializing within the design and implementation of cloud-based information platforms. She builds enterprise-grade options throughout search, information warehousing, and ETL that allow organizations to modernize information ecosystems and derive insights via scalable analytics. She has delivered buyer engagements throughout healthcare, insurance coverage, fintech, and media sectors.
Shubhansu Sawaria is a Sr. Supply Guide – SRC at AWS, primarily based in Bangalore, India. He makes a speciality of designing and implementing complete AWS Cloud safety options. He has developed safety options for startups, banks, and healthcare organizations. His experience helps organizations elevate their cloud safety infrastructures, obtain compliance goals, and supply strong information safety.
Soujanya Konka is a Sr. Options Architect and Analytics Specialist at AWS, targeted on serving to prospects construct their concepts within the cloud. She has experience in designing and implementing enterprise search options and superior information analytics at scale.
