Connect to an OpenSearch cluster

To connect to an OpenSearch cluster, connect to nodes in the group with the Manager, Data, or Dashboard role. The choice of node for connection depends on the purpose of connection — for example, if you need to access the cluster dashboard, you should connect to a node in the group with the Dashboard role. For more information about node groups and their roles, see Node Groups.

You can:

• connect to group nodes with the Manager and Data roles — through program code with SSL;
• connect to a group node with the Dashboard role — through the OpenSearch Dashboards web interface or OpenSearch API.

TLS(SSL)-encryption is supported only when connecting via a private IP address.

Specify the port and address when connecting.

Connection ports

Use port 9200 to connect to the cluster nodes.

Addresses for connection

The address to connect to depends on where you are connecting from. You can select an address depending on one of the scenarios:

• connecting to the cluster from a private subnet;
• connecting to the cluster from the Internet.

Connecting to the cluster from a private subnet

If you are connecting to the cluster from a private subnet, use a private IP address.

To connect from another private subnet, first connect both private subnets to the cloud router.

You can view the address to connect to in the control panel.

Connecting to the cluster from the Internet

If you are connecting to the cluster from the Internet, use a public IP address. The private subnet must meet the requirements. If the subnet does not meet the requirements, prepare it to connect a public IP address.

You can view the address to connect to in the control panel.

View the address for connection

1. In the Dashboard, on the top menu, click Products and select Cloud Databases.
2. Open the Active tab.
3. Open the Database Cluster page → Connection tab.
4. In the Connection Addresses block, open the tab of the node group whose addresses you want to view.

Connect to nodes in the group with the Manager and Data roles

Group nodes with the Manager and Data role can only be connected with SSL using a private IP address. Connecting using TLS(SSL)-encryption provides a secure connection between your server and the database cluster.

Bash

1. Download the root certificate and place it in the ~/.opensearch/ folder:

   mkdir -p ~/.opensearch/
   wget https://storage.dbaas.selcloud.ru/CA.pem -O ~/.opensearch/root.crt
   chmod 0600 ~/.opensearch/root.crt

2. Connect to the node:

   curl -XGET -u 'admin:<password>' --cacert ~/.opensearch/root.crt 'https://<ip_address>:<port>/'

   Specify:

   • <password> — password of the admin user;
   • <ip_address> — IP address of the node;
   • <port> — port for connection.

Python

1. Download the root certificate and place it in the ~/.opensearch/ folder:

   mkdir -p ~/.opensearch/
   wget https://storage.dbaas.selcloud.ru/CA.pem -O ~/.opensearch/root.crt
   chmod 0600 ~/.opensearch/root.crt

2. Install the opensearch-py library:

   pip3 install opensearch-py

3. Connect to the node:

   from opensearchpy import OpenSearch
   
   hosts = ['<host_1>',
           '<host_2>']
   auth = ('admin', '<password>')
   ca_certs_path = '~/.opensearch/root.crt'
   
   client = OpenSearch(
       hosts,
       http_auth = auth,
       use_ssl = True,
       verify_certs = True,
       ssl_assert_hostname = False,
       ssl_show_warn = False,
       ca_certs = ca_certs_path
   )
   
   print(client.info())

   Specify:

   • <host_1> and <host_2> — IP addresses of nodes;
   • <password> — password of the admin user.

Go

1. Download the root certificate and place it in the ~/.opensearch/ folder:

   mkdir -p ~/.opensearch/
   wget https://storage.dbaas.selcloud.ru/CA.pem -O ~/.opensearch/root.crt
   chmod 0600 ~/.opensearch/root.crt

2. Use the connection example:

   package main
   
   import (
       "crypto/tls"
       "crypto/x509"
       "fmt"
       "io/ioutil"
       "github.com/opensearch-project/opensearch-go"
       "net/http"
       "os"
   )
   
   func main() {
       caCert, err := ioutil.ReadFile("<path>")
       if err != nil {
           fmt.Println("failed to read CA certificate: %w", err)
           os.Exit(1)
       }
   
       caCertPool := x509.NewCertPool()
       if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
           fmt.Println("failed to append CA certificate")
       }
   
       client, err := opensearch.NewClient(opensearch.Config{
           Transport: &http.Transport{
           TLSClientConfig: &tls.Config{RootCAs: caCertPool},
           },
           Addresses: []string{
                               "https://<host_1>:<port>",
                               "https://<host_2>:<port>"
                           },
           Username:  "admin",
           Password:  "<password>",
       })
       if err != nil {
           fmt.Println("cannot initialize", err)
           os.Exit(1)
       } else {
           fmt.Println(client.Info())
       }
   }

   Specify:

   • <path> — the full path to the root certificate;
   • <host_1> and <host_2> — IP addresses of nodes;
   • <port> — port for connection;
   • <password> — user password.

Node.js

1. Download the root certificate and place it in the ~/.opensearch/ folder:

   mkdir -p ~/.opensearch/
   wget https://storage.dbaas.selcloud.ru/CA.pem -O ~/.opensearch/root.crt
   chmod 0600 ~/.opensearch/root.crt

2. Establish dependencies:

   npm install @opensearch-project/opensearch

3. Use the connection example:

   import { readFileSync } from 'fs';
   import { Client } from '@opensearch-project/opensearch';
   
   const hosts = [
   "https://<host_1>:<port>",
   "https://<host_2>:<port>"
   ];
   
   const username = "admin";
   const password = "<password>";
   const caCertsPath = "<path>";
   
   const client = new Client({
   nodes: hosts,
   ssl: {
       ca: readFileSync(caCertsPath),
   },
   auth: {
       username,
       password
   }
   });
   
   const getClusterInfo = async () => {
   try {
       const response = await client.cluster.health();
       console.log('Cluster Info:', response.body);
   } catch (error) {
       console.error('Error fetching cluster info:', error);
   }
   };
   
   getClusterInfo();

   Specify:

   • <host_1> and <host_2> — IP addresses of nodes;
   • <port> — port for connection;
   • <password> — password of the admin user;
   • <path> — the full path to the root certificate.

Connect to a group node with the Dashboard role

OpenSearch Dashboards

You can connect to a group node with the Dashboard role through the OpenSearch Dashboards web interface.

1. Open the page in your browser:

   https://<ip_address>

   Specify <ip_address> — IP address of the group node with the Dashboard role.

2. Enter login — admin.

3. Enter password — set when creating the cluster. Once created, the password cannot be viewed in the control panel, but can be changed.

4. To test the connection, run a test query in the Dev Tools console — for example, see the status of the cluster:

   GET _cluster/health

   The cluster status information will appear in the response.

OpenSearch API

Connect to the group node with the Dashboard role and test the connection, run a test query — for example, see the status of the cluster:

curl -u 'admin:<password>' -X GET "https://<ip_address>/api/status"

Specify:

• <password> — is set when the cluster is created. Once created, the password cannot be viewed in the control panel, but can be change it;
• <ip_address> — IP address of the group node with the Dashboard role.

The cluster status information will appear in the response.