OpenSearch Minimum Permissions

Hey there!

I was wondering if it is documented anywhere which minimum permissions an IAM role requires for Hibernate Search to work on Elasticsearch/OpenSearch, without over-extending permissions. Is there a canonical list I can apply to ensure Hibernate Search performs all its duties as expected? Off the top of my head I can think of index-write, index-read, index-create.

I could figure this out empirically but I was wondering if there is something that is recommended by the hibernate search team.


No there is not, we just run our integration tests with full permissions. If you want to use fine-grained permissions, you’ll have to determine what you need yourself.

The permissions one needs will likely depend on what they use anyway, since you’re unlikely to use every single feature of Hibernate Search in the same application.

I’d recommend the empirical solution you suggested: run your integration tests repeatedly against a staging instance of AWS OpenSearch Service, adding permissions one by one until all tests pass.

Good luck!

Thanks Yoann, appreciate the response. I’ll respond here with my findings once I determine the minimum set required for my use case, in case others are googling and come across this thread.


Heya all, I have found through some minor trial and error the minimum permission set for my use case, which is just using @Indexed, as well as using a template for the indexes:

| Permission                | Reason                                                                          |
|---------------------------|---------------------------------------------------------------------------------|
| indices:admin/get         | Listing existing indices                                                        |
| indices:admin/aliases     | Ability to create write and read aliases for necessary indices                  |
| indices:admin/create      | Ability to create required indices                                              |
| indices:admin/mapping/put | Custom index settings for Hibernate Search managed indices.                     |
| indices:data/write/bulk*  | Hibernate Search will often buffer and bulk-write in high throughput situations |
| indices:data/write/delete | Data removal or reindexing needs to be updated to the fulltext index            |
| indices:data/write/index  | Storing data to Elasticsearch/OpenSearch                                        |
| indices:data/read/search  | Terminology/Fulltext search                                                     |
| cluster:monitor/main      | Hibernate Search monitoring indices for ILM rollover                            |
| cluster:monitor/health    | Hibernate Search health checks for the cluster                                  |

For the Elasticsearch implementation, I’ve found this permission set works well:

| Permission       | Reason                                                     |
|------------------|------------------------------------------------------------|
| indices:manage   | Creation of indices and mapping management, as well as ILM |
| indices:read     | Ability to read and search indices.                        |
| indices:write    | Ability to write to required indices                       |
| cluster:monitor  | Hibernate Search health checks for the cluster             |
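The action names in the OpenSearch table above are OpenSearch Security plugin actions (the same plugin backs fine-grained access control on AWS OpenSearch Service), so the natural way to apply them is a role whose index permissions are scoped to the index patterns Hibernate Search actually manages rather than to `*`. The script below is an added example, not code from the thread or from Hibernate Search: it builds such a role body for `PUT _plugins/_security/api/roles/<name>` and includes a small matcher that replays attempted actions against the role, which is a convenient way to drive the "add permissions until the tests pass" loop suggested earlier. The index patterns `book-*` and `author-*` are assumptions; the Hibernate Search default naming (index `book-000001` with `book-read` and `book-write` aliases) is what they are meant to cover. The matcher only handles the `*` wildcard and does not expand the plugin's named action groups.

```python
"""Build a least-privilege OpenSearch Security role for Hibernate Search.

Added example, not part of the original forum post or the Hibernate Search
project. Index patterns below are assumptions: replace them with the names of
the indexes Hibernate Search manages for your entities.
"""
import json
import re

# Assumed index patterns (constructed). Hibernate Search's default naming gives
# an index like "book-000001" plus "book-read"/"book-write" aliases, so a
# "<entity>-*" pattern covers both the physical index and its aliases.
INDEX_PATTERNS = ["book-*", "author-*"]

# Cluster-level actions from the OpenSearch table in the thread.
CLUSTER_ACTIONS = [
    "cluster:monitor/main",
    "cluster:monitor/health",
]

# Index-level actions from the OpenSearch table in the thread.
INDEX_ACTIONS = [
    "indices:admin/get",
    "indices:admin/aliases",
    "indices:admin/create",
    "indices:admin/mapping/put",
    "indices:data/write/bulk*",
    "indices:data/write/delete",
    "indices:data/write/index",
    "indices:data/read/search",
]


def build_role(index_patterns=INDEX_PATTERNS):
    """Return a role body in the shape accepted by
    PUT _plugins/_security/api/roles/<role-name> (OpenSearch Security plugin)."""
    return {
        "cluster_permissions": list(CLUSTER_ACTIONS),
        "index_permissions": [
            {
                "index_patterns": list(index_patterns),
                "allowed_actions": list(INDEX_ACTIONS),
            }
        ],
        "tenant_permissions": [],
    }


def _glob_match(pattern, value):
    """Match `value` against `pattern`, where only '*' is special. Everything
    else, including '[' and ']' in action names such as
    'indices:data/write/bulk[s]', is taken literally."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def is_allowed(role, action, index=None):
    """Approximate the plugin's decision for one attempted action.

    A cluster action (index is None) needs a cluster_permissions match; an
    index action needs an index_permissions entry whose index_patterns match
    the index AND whose allowed_actions match the action."""
    if index is None:
        return any(_glob_match(p, action) for p in role["cluster_permissions"])
    for perm in role["index_permissions"]:
        if not any(_glob_match(p, index) for p in perm["index_patterns"]):
            continue
        if any(_glob_match(a, action) for a in perm["allowed_actions"]):
            return True
    return False


def uncovered(role, attempts):
    """Given (action, index) pairs observed while running the integration
    tests (e.g. from the security audit log), return those the role would deny.
    An empty result means the role covers everything the tests exercised."""
    return [(action, index) for action, index in attempts
            if not is_allowed(role, action, index)]


if __name__ == "__main__":
    role = build_role()
    print(json.dumps(role, indent=2))
    # Constructed sample of actions a test run might attempt.
    sample = [
        ("cluster:monitor/health", None),
        ("indices:data/write/bulk[s]", "book-000001"),
        ("indices:admin/delete", "book-000001"),
    ]
    print("denied:", uncovered(role, sample))
```

The role body can be sent as-is to the security API of a staging domain; the expected denial of `indices:admin/delete` in the sample is deliberate, since nothing in the reported permission set lets the application drop an index. If a test run produces a non-empty `uncovered` list, add only the specific action that was denied rather than widening to `indices:*`, and keep the index patterns narrower than `*` so a compromised application credential cannot touch unrelated indices.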

Thanks for reporting back @Tadgh, hopefully it will help others.