# OpenSearch - Features

## Topologies <a href="#opensearchclusterarchitecture-architecture" id="opensearchclusterarchitecture-architecture"></a>

OpenSearch clusters are available as:

* 3-node cluster - not recommended for Production use
* Cluster of 5 or more nodes - recommended for Production use

### 3-node topology <a href="#opensearchclusterarchitecture-3nodestopology-notrecommended" id="opensearchclusterarchitecture-3nodestopology-notrecommended"></a>

In the 3-server topology, all servers have the master role, and two of them are also used as data nodes. By default, each index is replicated on those two data nodes.

### Topology with at least 5 nodes <a href="#opensearchclusterarchitecture-5-ormore-nodestopology-recommended" id="opensearchclusterarchitecture-5-ormore-nodestopology-recommended"></a>

With 5 or more servers, three nodes are used as master-only nodes and don't host any data. Depending on the Area, master nodes are distributed across 2 or 3 Availability Zones. The remaining nodes host only data and are spread over two Availability Zones.

## Resiliency <a href="#opensearchclusterarchitecture-resiliency" id="opensearchclusterarchitecture-resiliency"></a>

In an Area with 3 Availability Zones, the cluster is resilient against one AZ failure.

In an Area with 2 Availability Zones, the cluster might fail if the Availability Zone containing two masters is not available.
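
The two resiliency statements above can be checked with a small quorum calculation. This is an added example, not cegedim.cloud or OpenSearch code; it assumes that electing a master requires a strict majority of the three dedicated master nodes, and the AZ names and placements are constructed.

```python
# Added example: does the cluster keep a master quorum when one
# Availability Zone (AZ) is lost?
# Assumption: a master can only be elected while a strict majority of the
# master-eligible nodes is reachable. AZ names are constructed.


def has_quorum(surviving: int, total: int) -> bool:
    """True when the surviving masters form a strict majority of all masters."""
    return surviving > total // 2


def az_failure_impact(masters_per_az: dict) -> dict:
    """Map each AZ to whether quorum survives the loss of that AZ alone."""
    total = sum(masters_per_az.values())
    return {
        az: has_quorum(total - count, total)
        for az, count in masters_per_az.items()
    }


def fatal_az_losses(masters_per_az: dict) -> list:
    """Names of the AZs whose failure alone removes the master quorum."""
    impact = az_failure_impact(masters_per_az)
    return sorted(az for az, survives in impact.items() if not survives)


# Three dedicated masters in an Area with 3 AZs: one master per AZ.
THREE_AZ_AREA = {"az-1": 1, "az-2": 1, "az-3": 1}
# Three dedicated masters in an Area with 2 AZs: one AZ must host two.
TWO_AZ_AREA = {"az-1": 2, "az-2": 1}

if __name__ == "__main__":
    for name, placement in (("3 AZs", THREE_AZ_AREA), ("2 AZs", TWO_AZ_AREA)):
        fatal = fatal_az_losses(placement)
        print(f"{name}: quorum lost if any of {fatal} fails" if fatal
              else f"{name}: quorum survives any single AZ failure")
```
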

## Features <a href="#opensearchclusterarchitecture-features" id="opensearchclusterarchitecture-features"></a>

This section lists which features and capabilities are available to users, and how to request or perform them:

<table data-header-hidden data-full-width="false"><thead><tr><th width="166"></th><th></th></tr></thead><tbody><tr><td><strong>Self Service</strong></td><td>Customer can perform the action autonomously using ITCare.</td></tr><tr><td><strong>On Request</strong></td><td>Customer can request that the action be done by the cegedim.cloud support team.</td></tr></tbody></table>

<table data-full-width="true"><thead><tr><th width="257">Features</th><th width="142" data-type="checkbox">Self-service</th><th width="137.5" data-type="checkbox">On request</th><th>Comments</th></tr></thead><tbody><tr><td>SSH access</td><td>false</td><td>false</td><td>SSH access is disabled and reserved to cegedim.cloud administrators.</td></tr><tr><td>Change configuration file</td><td>false</td><td>true</td><td>On request via ticket.</td></tr><tr><td>Add nodes</td><td>true</td><td>false</td><td>Add two data nodes to an existing cluster (only available in clusters with dedicated masters)</td></tr><tr><td>Resize node</td><td>true</td><td>false</td><td>Resize a node of a cluster</td></tr><tr><td>Add ingest nodes</td><td>true</td><td>false</td><td>Add two ingest nodes to an existing cluster (only available in clusters with dedicated masters)</td></tr><tr><td>Delete nodes</td><td>true</td><td>false</td><td>Delete two nodes from an existing cluster (the nodes need to be in different availability zones, enough space must be available in the remaining nodes of the cluster, only available in clusters with dedicated masters)</td></tr></tbody></table>

## Security <a href="#opensearchclusterarchitecture-security" id="opensearchclusterarchitecture-security"></a>

### Authentication <a href="#opensearchclusterarchitecture-authentication" id="opensearchclusterarchitecture-authentication"></a>

Authentication uses the OpenSearch internal security system.

It can be configured on request to accept Active Directory as an authentication backend.

### Authorizations <a href="#opensearchclusterarchitecture-authorizations" id="opensearchclusterarchitecture-authorizations"></a>

Authorization is done using RBAC (role-based access control).

It can be configured on request to accept Active Directory as a backend role provider.

### Secured Transport <a href="#opensearchclusterarchitecture-securedtransport" id="opensearchclusterarchitecture-securedtransport"></a>

TLS/SSL is activated by default for the incoming and internal network flows.

### Passwords <a href="#opensearchclusterarchitecture-passwords" id="opensearchclusterarchitecture-passwords"></a>

This section explains how passwords are managed:

<table data-full-width="true"><thead><tr><th width="217">Password</th><th width="225" data-type="checkbox">Stored by cegedim.cloud</th><th width="187" data-type="checkbox">Stored by customer</th><th width="113" data-type="checkbox">Enforced</th><th>Comment</th></tr></thead><tbody><tr><td><strong>admin</strong> account</td><td>false</td><td>true</td><td>false</td><td><br></td></tr><tr><td><strong>ANY</strong> other account</td><td>false</td><td>true</td><td>false</td><td><br></td></tr><tr><td><strong>kibana</strong> account</td><td>true</td><td>false</td><td>true</td><td>Used by the dashboard server to connect to the cluster</td></tr><tr><td><strong>support</strong> account</td><td>true</td><td>false</td><td>true</td><td>Used by the cegedim.cloud support team (it has limited access and cannot read index data)</td></tr><tr><td><strong>centreon</strong> account</td><td>true</td><td>false</td><td>true</td><td>Used by the cegedim.cloud monitoring system (it only has access to monitoring information)</td></tr><tr><td><strong>prometheus</strong> account</td><td>true</td><td>false</td><td>true</td><td>Used by the cegedim.cloud metering system (it only has access to monitoring information)</td></tr></tbody></table>

