Connecting to an OpenSearch cluster
You can connect to Managed Service for OpenSearch cluster nodes with the DATA role:
- Over the internet, if you configured public access for the appropriate node group.
- From Nebius AI VM instances hosted in the same virtual network.
Regardless of the connection method, Managed Service for OpenSearch only supports cluster node connections with an SSL certificate.
Getting an SSL certificate
To use an encrypted connection, get an SSL certificate.
Linux (Bash):
mkdir -p ~/.opensearch && \
wget "https://storage.nemax.nebius.cloud/certs/CA.pem" \
--output-document ~/.opensearch/root.crt && \
chmod 0600 ~/.opensearch/root.crt
The certificate is saved to the ~/.opensearch/root.crt file.
Windows (PowerShell):
mkdir $HOME\.opensearch; curl -o $HOME\.opensearch\root.crt https://storage.nemax.nebius.cloud/certs/CA.pem
The certificate is saved to the $HOME\.opensearch\root.crt file.
Connecting to OpenSearch Dashboards
You can connect to OpenSearch Dashboards:
- Over the internet.
- Using a VM instance in Nebius AI.
Over the internet:
- Install the SSL certificate in the browser's trusted root certificate store (instructions for Mozilla Firefox).
- On the cluster page, in the management console, click OpenSearch Dashboards or go to https://c-<cluster ID>.rw.mdb.nemax.nebius.cloud in your browser. You can get the cluster ID with a list of clusters in the folder.
- Enter the admin username and password that you set when creating the cluster.
Using a VM instance in Nebius AI:
- Connect to the virtual machine over SSH.
- Install the dependencies:
sudo apt update && \
sudo apt install --yes nginx ssl-cert
- Copy the downloaded SSL certificate to the /etc/nginx/ directory:
sudo cp ~/.opensearch/root.crt /etc/nginx/root.crt
- Edit the NGINX default configuration file, for example, like this:
/etc/nginx/sites-available/default
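upstream os-dashboards-nodes {
    server <FQDN of node 1 with DASHBOARDS role>:443;
    # ...
    server <FQDN of node N with the DASHBOARDS role>:443;
}

server {
    listen 443 ssl;

    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    server_name _;

    location / {
        proxy_pass https://os-dashboards-nodes;

        # Check the node certificates against the CA. While proxy_ssl_verify is
        # off (the default), proxy_ssl_trusted_certificate has no effect.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/root.crt;
        # Name to match against the node certificate. The default is the
        # proxy_pass host, which here is the upstream group name.
        proxy_ssl_name <host name the node certificates are issued for>;

        proxy_ssl_session_reuse on;
    }
}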
Warning
This configuration file example uses a self-signed snakeoil certificate from the ssl-cert package. It's not safe to use this certificate in a real cluster. Instead of the self-signed certificate, specify the paths to your own SSL certificate and private key in the ssl_certificate and ssl_certificate_key directives.
- Restart NGINX:
sudo systemctl restart nginx
- Add the certificate specified in the ssl_certificate directive to the browser's trusted root certificate store (instructions for Mozilla Firefox).
- In the browser, go to https://<public IP address of the VM instance>.
- Enter the admin username and password.
Note
When using the OpenSearch Dashboards API:
- To send requests, use port 443 instead of standard port 5601.
- Add the SSL certificate path to your application's configuration to use the API.
Connecting from a Docker container
You can only use Docker containers to connect to public cluster nodes using SSL certificates.
To connect to a Managed Service for OpenSearch cluster, add the following lines to the Dockerfile:
RUN apt-get update && \
apt-get install wget curl --yes && \
mkdir -p ~/.opensearch && \
wget "https://storage.nemax.nebius.cloud/certs/CA.pem" \
--output-document ~/.opensearch/root.crt && \
chmod 0600 ~/.opensearch/root.crt
Sample connection strings
Before connecting, prepare a certificate.
To connect, enter the admin username and password used when creating the cluster.
To view an example of the command with the host FQDN filled in, open the cluster page in the management console.
Bash
curl \
--user admin:<password> \
--cacert ~/.opensearch/root.crt \
--request GET 'https://<ID of OpenSearch node with DATA role>.mdb.nemax.nebius.cloud:9200/'
Go
- Before connecting, install the dependencies:
go mod init opensearch-example && \
go get github.com/opensearch-project/opensearch-go
- Code example:
connect.go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"

	"github.com/opensearch-project/opensearch-go"
)

// The client expects full URLs, including the https:// scheme.
var hosts = []string{
	"https://<FQDN of node 1 with DATA role>:9200",
	// ...
	"https://<FQDN of node N with DATA role>:9200",
}

var CA = "/home/<home directory>/.opensearch/root.crt"

var password = "<password>"

func main() {
	// Load the CA certificate used to verify the cluster nodes.
	caCert, err := os.ReadFile(CA)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	// Stop if the file holds no PEM certificate; an empty pool trusts nothing.
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatalf("no PEM certificates found in %s", CA)
	}

	cfg := opensearch.Config{
		Addresses: hosts,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caCertPool,
			},
		},
		Username: "admin",
		Password: password,
	}
	es, err := opensearch.NewClient(cfg)
	if err != nil {
		log.Printf("Error creating the client: %s", err)
	} else {
		log.Println(es.Info())
	}
}
Unlike other connection methods, in this example, you need to use the full path to the CA.pem certificate for OpenSearch in the CA variable.
- Connecting:
go run connect.go
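The two checks behind a verified connection, shown with the Go standard library only. This is an added example, not code from the original page or from the service: a local test server and its certificate (constructed here) stand in for a cluster node and root.crt. The names newTransport, probe and startNode are made up for the example, and os-dashboards-nodes, the upstream name from the NGINX example, serves as a name the certificate does not cover.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTransport trusts only the CAs in caPEM; serverName "" means the URL host.
func newTransport(caPEM []byte, serverName string) (*http.Transport, error) {
	pool := x509.NewCertPool()
	// False means nothing was parsed, e.g. the download saved an HTML error page.
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA file contains no PEM certificates")
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	return &http.Transport{TLSClientConfig: cfg}, nil
}

// probe sends one GET through such a transport and returns the first error.
func probe(url string, caPEM []byte, serverName string) error {
	tr, err := newTransport(caPEM, serverName)
	if err != nil {
		return err
	}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// startNode: constructed stand-in for a cluster node and its CA file (PEM).
func startNode() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	srv, ca := startNode()
	defer srv.Close()
	fmt.Println("name taken from URL:", probe(srv.URL, ca, ""))
	fmt.Println("name not in cert:   ", probe(srv.URL, ca, "os-dashboards-nodes"))
	fmt.Println("broken CA download: ", probe(srv.URL, []byte("<html>404</html>"), ""))
}
```

The transport returned by newTransport can be assigned to the Transport field of opensearch.Config in connect.go.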
PowerShell
curl `
-Certificate <absolute path to certificate file> `
-Uri https://<ID of OpenSearch node with DATA role>.mdb.nemax.nebius.cloud:9200 `
-Credential admin
Python
- Before connecting, install the dependencies:
sudo apt update && sudo apt install --yes python3 python3-pip && \
pip3 install opensearch-py
- Code example:
connect.py
from opensearchpy import OpenSearch

CA = '~/.opensearch/root.crt'
PASS = '<password>'
HOSTS = [
    "<FQDN of node 1 with DATA role>",
    # ...
    "<FQDN of node N with DATA role>",
]

# verify_certs=True checks the node certificates against the CA file.
conn = OpenSearch(
    HOSTS,
    http_auth=('admin', PASS),
    use_ssl=True,
    verify_certs=True,
    ca_certs=CA)

print(conn.info())
- Connecting:
python3 connect.py
Special FQDNs
In addition to regular FQDNs, which you can get with a list of cluster nodes, Managed Service for OpenSearch provides a number of special FQDNs that you can also use when connecting to a cluster.
Available Dashboards node
The c-<cluster ID>.rw.mdb.nemax.nebius.cloud FQDN always points to an available OpenSearch node with the DASHBOARDS role in the cluster. You can get the cluster ID with a list of clusters in the folder.