

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

# Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI)
<a name="gsg-serverless-cli"></a>

This tutorial walks through the same steps as the [console getting started tutorial](gsg-serverless.md), but uses the AWS CLI instead of the OpenSearch Service console.

You'll complete the following steps in this tutorial:

1. Create an IAM permissions policy

1. Attach the IAM policy to an IAM role

1. Create an encryption policy

1. Create a network policy

1. Create a collection

1. Configure a data access policy

1. Retrieve the collection endpoint

1. Upload data to your collection

1. Search data in your collection

The goal of this tutorial is to set up a single OpenSearch Serverless collection with fairly simple encryption, network, and data access settings. For example, you'll configure public network access, an AWS owned key for encryption (the `AWSOwnedKey` setting used in the encryption policy below), and a simplified data access policy that grants the minimum permissions to a single principal.

In a production scenario, consider a more robust configuration, including SAML authentication, a customer managed encryption key, and VPC access.

**To get started with security policies in OpenSearch Serverless**

1. First, create an AWS Identity and Access Management (IAM) policy with the minimum permissions required to perform the steps in this tutorial. Name the policy `TutorialPolicy`:

   **Note**  
   If you're already using a broader identity-based policy, such as `"Action":"aoss:*"` or `"Action":"*"`, you can skip this step. In production, however, follow the principle of least privilege and grant only the permissions the task requires.

   ```
   aws iam create-policy \
     --policy-name TutorialPolicy \
     --policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": [\"aoss:ListCollections\",\"aoss:BatchGetCollection\",\"aoss:CreateCollection\",\"aoss:CreateSecurityPolicy\",\"aoss:GetSecurityPolicy\",\"aoss:ListSecurityPolicies\",\"aoss:CreateAccessPolicy\",\"aoss:GetAccessPolicy\",\"aoss:ListAccessPolicies\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}]}"
   ```

   **Example response**

   ```
   {
       "Policy": {
           "PolicyName": "TutorialPolicy",
           "PolicyId": "ANPAW6WRAECKG6QJWUV7U",
            "Arn": "arn:aws:iam::123456789012:policy/TutorialPolicy",
           "Path": "/",
           "DefaultVersionId": "v1",
           "AttachmentCount": 0,
           "PermissionsBoundaryUsageCount": 0,
           "IsAttachable": true,
           "CreateDate": "2022-10-16T20:57:18+00:00",
           "UpdateDate": "2022-10-16T20:57:18+00:00"
       }
   }
   ```

1. Attach `TutorialPolicy` to the IAM role that will index and search data in the collection. In this example, the role is named `TutorialRole`:

   ```
   aws iam attach-role-policy \
     --role-name TutorialRole \
     --policy-arn arn:aws:iam::123456789012:policy/TutorialPolicy
   ```

1. Before you create a collection, you need to create an [encryption policy](serverless-encryption.md) that assigns an AWS owned key to the *books* collection that you'll create in a later step.

   Send the following request to create an encryption policy for the *books* collection:

   ```
   aws opensearchserverless create-security-policy \
     --name books-policy \
     --type encryption --policy "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AWSOwnedKey\":true}"
   ```

   **Example response**

   ```
   {
       "securityPolicyDetail": {
           "type": "encryption",
           "name": "books-policy",
           "policyVersion": "MTY2OTI0MDAwNTk5MF8x",
           "policy": {
               "Rules": [
                   {
                       "Resource": [
                           "collection/books"
                       ],
                       "ResourceType": "collection"
                   }
               ],
               "AWSOwnedKey": true
           },
           "createdDate": 1669240005990,
           "lastModifiedDate": 1669240005990
       }
   }
   ```

1. Create a [network policy](serverless-network.md) that provides public access to the *books* collection:

   ```
   aws opensearchserverless create-security-policy --name books-policy --type network \
     --policy "[{\"Description\":\"Public access for books collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/books\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AllowFromPublic\":true}]"
   ```

   **Example response**

   ```
   {
       "securityPolicyDetail": {
           "type": "network",
           "name": "books-policy",
           "policyVersion": "MTY2OTI0MDI1Njk1NV8x",
           "policy": [
               {
                   "Rules": [
                       {
                           "Resource": [
                               "collection/books"
                           ],
                           "ResourceType": "dashboard"
                       },
                       {
                           "Resource": [
                               "collection/books"
                           ],
                           "ResourceType": "collection"
                       }
                   ],
                   "AllowFromPublic": true,
                   "Description": "Public access for books collection"
               }
           ],
           "createdDate": 1669240256955,
           "lastModifiedDate": 1669240256955
       }
   }
   ```

1. Create the *books* collection:

   ```
   aws opensearchserverless create-collection --name books --type SEARCH
   ```

   **Example response**

   ```
   {
       "createCollectionDetail": {
           "id": "8kw362bpwg4gx9b2f6e0",
           "name": "books",
           "status": "CREATING",
           "type": "SEARCH",
           "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
           "kmsKeyArn": "auto",
           "createdDate": 1669240325037,
           "lastModifiedDate": 1669240325037
       }
   }
   ```

1. Create a [data access policy](serverless-data-access.md) that grants the minimum permissions needed to index and search data in the *books* collection. Replace the principal ARN with the ARN of `TutorialRole` from step 2:

   ```
   aws opensearchserverless create-access-policy \
     --name books-policy \
     --type data \
     --policy "[{\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index\/books\/books-index\"],\"Permission\":[\"aoss:CreateIndex\",\"aoss:DescribeIndex\",\"aoss:ReadDocument\",\"aoss:WriteDocument\",\"aoss:UpdateIndex\",\"aoss:DeleteIndex\"]}],\"Principal\":[\"arn:aws:iam::123456789012:role\/TutorialRole\"]}]"
   ```

   **Example response**

   ```
   {
       "accessPolicyDetail": {
           "type": "data",
           "name": "books-policy",
           "policyVersion": "MTY2OTI0MDM5NDY1M18x",
           "policy": [
               {
                   "Rules": [
                       {
                           "Resource": [
                               "index/books/books-index"
                           ],
                            "Permission": [
                                "aoss:CreateIndex",
                                "aoss:DescribeIndex",
                                "aoss:ReadDocument",
                                "aoss:WriteDocument",
                                "aoss:UpdateIndex",
                                "aoss:DeleteIndex"
                            ],
                           "ResourceType": "index"
                       }
                   ],
                   "Principal": [
                       "arn:aws:iam::123456789012:role/TutorialRole"
                   ]
               }
           ],
           "createdDate": 1669240394653,
           "lastModifiedDate": 1669240394653
       }
   }
   ```

   `TutorialRole` should now be able to index and search documents in the *books* collection.

1. To call the OpenSearch API, you need the collection endpoint. Send the following request to retrieve the `collectionEndpoint` parameter:

   ```
   aws opensearchserverless batch-get-collection --names books
   ```

   **Example response**

   ```
   {
       "collectionDetails": [
           {
               "id": "8kw362bpwg4gx9b2f6e0",
               "name": "books",
               "status": "ACTIVE",
               "type": "SEARCH",
               "description": "",
               "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
               "createdDate": 1665765327107,
               "collectionEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com",
               "dashboardEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/_dashboards"
           }
       ],
       "collectionErrorDetails": []
   }
   ```
   **Note**  
   The collection endpoint isn't available until the collection status changes to `ACTIVE`. You might need to make several calls to check the status until the collection has been created successfully.

1. Using an HTTP tool such as [Postman](https://www.getpostman.com/) or curl, index data into the *books* collection. The following example creates an index named *books-index* and adds a single document.

   Using the credentials of `TutorialRole`, send the following request to the collection endpoint that you retrieved in the previous step.

   ```
   PUT https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1
   { 
     "title": "The Shining",
     "author": "Stephen King",
     "year": 1977
   }
   ```

   **Example response**

   ```
   {
     "_index" : "books-index",
     "_id" : "1",
     "_version" : 1,
     "result" : "created",
     "_shards" : {
       "total" : 0,
       "successful" : 0,
       "failed" : 0
     },
     "_seq_no" : 0,
     "_primary_term" : 0
   }
   ```

1. To start searching the data in your collection, use the [search API](https://opensearch.org/docs/latest/opensearch/rest-api/search/). The following query performs a basic search:

   ```
   GET https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_search
   ```

   **Example response**

   ```
   {
       "took": 405,
       "timed_out": false,
       "_shards": {
           "total": 6,
           "successful": 6,
           "skipped": 0,
           "failed": 0
       },
       "hits": {
           "total": {
               "value": 2,
               "relation": "eq"
           },
           "max_score": 1.0,
           "hits": [
               {
                   "_index": "books-index:0::3xJq14MBUaOS0wL26UU9:0",
                   "_id": "F_bt4oMBLle5pYmm5q4T",
                   "_score": 1.0,
                   "_source": {
                       "title": "The Shining",
                       "author": "Stephen King",
                       "year": 1977
                   }
               }
           ]
       }
   }
   ```