a1f942b6f9
* WIP: Added support for AWS Sigv4 for UrlLib3. Signed-off-by: dblock <dblock@amazon.com> * Refactored common implementation. Signed-off-by: dblock <dblock@amazon.com> * Added sigv4 samples. Signed-off-by: dblock <dblock@amazon.com> * Updated CHANGELOG. Signed-off-by: dblock <dblock@amazon.com> * Add documentation. Signed-off-by: dblock <dblock@amazon.com> * Use the correct class in tests. Signed-off-by: dblock <dblock@amazon.com> * Renamed samples. Signed-off-by: dblock <dblock@amazon.com> * Split up requests and urllib3 unit tests. Signed-off-by: dblock <dblock@amazon.com> * Rename AWSV4Signer. Signed-off-by: dblock <dblock@amazon.com> * Clarified documentation of when to use Urllib3AWSV4SignerAuth vs. RequestHttpConnection. Signed-off-by: dblock <dblock@amazon.com> * Move fetch_url inside the signer class. Signed-off-by: dblock <dblock@amazon.com> * Added unit test for Urllib3AWSV4SignerAuth adding headers. Signed-off-by: dblock <dblock@amazon.com> * Added unit test for signing to include query string. Signed-off-by: dblock <dblock@amazon.com> --------- Signed-off-by: dblock <dblock@amazon.com>
126 lines
3.4 KiB
Markdown
126 lines
3.4 KiB
Markdown
- [Authentication](#authentication)
|
|
- [IAM Authentication](#iam-authentication)
|
|
- [IAM Authentication with a Synchronous Client](#iam-authentication-with-a-synchronous-client)
|
|
- [IAM Authentication with an Async Client](#iam-authentication-with-an-async-client)
|
|
- [Kerberos](#kerberos)
|
|
|
|
# Authentication
|
|
|
|
OpenSearch allows you to use different methods for the authentication via `connection_class` and `http_auth` parameters.
|
|
|
|
## IAM Authentication
|
|
|
|
This library supports IAM-based authentication when communicating with OpenSearch clusters running in Amazon Managed OpenSearch and OpenSearch Serverless.
|
|
|
|
## IAM Authentication with a Synchronous Client
|
|
|
|
For `Urllib3HttpConnection` use `Urllib3AWSV4SignerAuth`, and for `RequestHttpConnection` use `RequestsAWSV4SignerAuth`.
|
|
|
|
```python
|
|
from opensearchpy import OpenSearch, Urllib3HttpConnection, Urllib3AWSV4SignerAuth
|
|
import boto3
|
|
|
|
host = '' # cluster endpoint, for example: my-test-domain.us-east-1.es.amazonaws.com
|
|
region = 'us-west-2'
|
|
service = 'es' # 'aoss' for OpenSearch Serverless
|
|
credentials = boto3.Session().get_credentials()
|
|
auth = Urllib3AWSV4SignerAuth(credentials, region, service)
|
|
|
|
client = OpenSearch(
|
|
hosts = [{'host': host, 'port': 443}],
|
|
http_auth = auth,
|
|
use_ssl = True,
|
|
verify_certs = True,
|
|
connection_class = Urllib3HttpConnection,
|
|
pool_maxsize = 20
|
|
)
|
|
|
|
index_name = 'test-index'
|
|
|
|
q = 'miller'
|
|
|
|
query = {
|
|
'size': 5,
|
|
'query': {
|
|
'multi_match': {
|
|
'query': q,
|
|
'fields': ['title^2', 'director']
|
|
}
|
|
}
|
|
}
|
|
|
|
response = client.search(
|
|
body = query,
|
|
index = index_name
|
|
)
|
|
|
|
print('\nSearch results:')
|
|
print(response)
|
|
```
|
|
|
|
## IAM Authentication with an Async Client
|
|
|
|
Use `AsyncOpenSearch` with the `AsyncHttpConnection` connection class and the async `AWSV4SignerAsyncAuth` signer.
|
|
|
|
```python
|
|
from opensearchpy import AsyncOpenSearch, AsyncHttpConnection, AWSV4SignerAsyncAuth
|
|
import boto3
|
|
|
|
host = '' # cluster endpoint, for example: my-test-domain.us-east-1.es.amazonaws.com
|
|
region = 'us-west-2'
|
|
service = 'es' # 'aoss' for OpenSearch Serverless
|
|
credentials = boto3.Session().get_credentials()
|
|
auth = AWSV4SignerAsyncAuth(credentials, region, service)
|
|
|
|
client = AsyncOpenSearch(
|
|
hosts = [{'host': host, 'port': 443}],
|
|
http_auth = auth,
|
|
use_ssl = True,
|
|
verify_certs = True,
|
|
connection_class = AsyncHttpConnection
|
|
)
|
|
|
|
async def search():
|
|
index_name = 'test-index'
|
|
|
|
q = 'miller'
|
|
query = {
|
|
'size': 5,
|
|
'query': {
|
|
'multi_match': {
|
|
'query': q,
|
|
'fields': ['title^2', 'director']
|
|
}
|
|
}
|
|
}
|
|
|
|
response = await client.search(
|
|
body = query,
|
|
index = index_name
|
|
)
|
|
|
|
print(response)
|
|
|
|
search()
|
|
```
|
|
|
|
## Kerberos
|
|
|
|
There are several python packages that provide Kerberos support over HTTP, such as [requests-kerberos](http://pypi.org/project/requests-kerberos) and [requests-gssapi](https://pypi.org/project/requests-gssapi). The following example shows how to setup Kerberos authentication.
|
|
|
|
Note that some of the parameters, such as `mutual_authentication` might depend on the server settings.
|
|
|
|
```python
|
|
from opensearchpy import OpenSearch, RequestsHttpConnection
|
|
from requests_kerberos import HTTPKerberosAuth, OPTIONAL
|
|
|
|
client = OpenSearch(
|
|
['htps://...'],
|
|
use_ssl=True,
|
|
verify_certs=True,
|
|
http_auth=HTTPKerberosAuth(mutual_authentication=OPTIONAL)
|
|
)
|
|
|
|
health = client.cluster.health()
|
|
```
|