convert to gitea

2025-09-15 13:35:51 +09:00
commit ef73e56eb9
38 changed files with 3314 additions and 0 deletions

README.md Normal file

@ -0,0 +1,514 @@
# OpenSearch 3.1 클러스터 구축 가이드 (3-Node)
본 문서는 Ubuntu 24.04 환경에서 3대의 서버를 이용하여 OpenSearch 3.1 클러스터를 구축하고, 최종적으로 로드 밸런서(LB) 중심의 안정적인 프로덕션 아키텍처로 전환하는 전체 과정을 상세히 기술한다.
## 버전 히스토리
* **v1.0:** 개별 노드 직접 접속 방식의 초기 클러스터 구축
* **v2.0:** 로드 밸런서(LB)를 도입하여 고가용성 및 단일 접속점을 확보한 프로덕션 아키텍처로 전환
## 목차
1. [사전 정보](#1-사전-정보)
2. [**v1.0: 초기 클러스터 구축 (LB 미사용)**](#v10-초기-클러스터-구축-lb-미사용)
1. [1단계: 설치](#1단계-설치)
2. [2단계: 사전 준비](#2단계-사전-준비)
3. [3단계: OpenSearch 설정 (`opensearch.yml`)](#3단계-opensearch-설정-opensearchyml)
4. [4단계: JVM 및 시스템 설정](#4단계-jvm-및-시스템-설정)
5. [5단계: 보안 플러그인 설정](#5단계-보안-플러그인-설정)
6. [6단계: 클러스터 시작 및 적용](#6단계-클러스터-시작-및-적용)
7. [7단계: Dashboards 설정](#7단계-dashboards-설정)
8. [8단계: Dashboards 시작 및 확인](#8단계-dashboards-시작-및-확인)
9. [9단계: JWT 인증 테스트](#9단계-jwt-인증-테스트)
3. [**v2.0: LB 중심 아키텍처로 전환**](#v20-lb-중-심-아키텍처로-전환)
1. [10단계: 아키텍처 목표](#10단계-아키텍처-목표)
2. [11단계: LB 준비 및 Nginx 프록시 구축](#11단계-lb-준비-및-nginx-프록시-구축)
3. [12단계: OpenSearch 및 Dashboards 재구성](#12단계-opensearch-및-dashboards-재구성)
4. [13단계: 최종 전환 및 테스트](#13단계-최종-전환-및-테스트)
4. [**부록: 운영 및 관리**](#부록-운영-및-관리)
1. [주요 트러블슈팅 및 교훈](#주요-트러블슈팅-및-교훈)
2. [추가 권장 사항 및 팁](#추가-권장-사항-및-팁)
3. [사용자/역할 추가 (Dashboards UI)](#사용자역할-추가-dashboards-ui)
4. [인증서에서 정확한 DN 추출하기](#인증서에서-정확한-dn-추출하기)
5. [`-nameopt RFC2253` 옵션 상세 설명](#-nameopt-rfc2253-옵션-상세-설명)
---
## 1. 사전 정보
### 서버 사양 (3대 공통)
* **CPU:** 8 vCPU
* **Memory:** 65 GB
* **Disk:** 2 TB SSD
* **OS:** Ubuntu 24.04
* **SSH Port:** 42894
### 노드 정보
| 항목 | Node1 | Node2 | Node3 |
| :--- | :--- | :--- | :--- |
| **호스트네임** | ds-opensearch001 | ds-opensearch002 | ds-opensearch003 |
| **외부 DNS (v1.0)** | ds-osearch001.oneunivrs.com | ds-osearch002.oneunivrs.com | ds-osearch003.oneunivrs.com |
| **내부 DNS** | ds-osnode001.oneunivrs.com | ds-osnode002.oneunivrs.com | ds-osnode003.oneunivrs.com |
| **Private IP** | 10.0.10.8 | 10.0.10.9 | 10.0.10.10 |
### SSL 인증서
* **종류:** 와일드카드 `*.oneunivrs.com`
* **초기 위치:** Node1의 `/data/cert/`
* **파일:** `oneunivrs.pem`, `root.pem`, `oneunivrs_key.pem`
* **DN:** `C=KR, ST=Seoul, O="ONEUNIVERSE Co.,Ltd.", CN=*.oneunivrs.com`
### JWT 인증
* **방식:** 대칭키 (HS256)
* **서명키:** `UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=`
---
## v1.0: 초기 클러스터 구축 (LB 미사용)
이 버전은 로드 밸런서 없이 각 노드에 직접 접속하는 방식의 기본 클러스터를 구축한다.
### 1단계: 설치
모든 작업은 `root` 계정으로 진행.
**[모든 노드]**
APT 저장소 설정 후 OpenSearch 설치. 초기 admin 비밀번호 지정.
```bash
# APT 저장소 설정 (공식 문서 참조)
# OpenSearch 설치 (3.1.0)
env OPENSEARCH_INITIAL_ADMIN_PASSWORD='DHp5#r#GYQ9d' apt-get install opensearch=3.1.0
# Dashboards도 미리 설치
apt-get install opensearch-dashboards=3.1.0
```
### 2단계: 사전 준비
**[모든 노드]**
#### 2.1. 데이터/로그 디렉토리 생성
```bash
mkdir -p /data/opensearch/{data,logs}
chown -R opensearch:opensearch /data/opensearch
```
#### 2.2. 인증서 복사 및 권한 설정
**[Node1]**
```bash
mkdir -p /etc/opensearch/certs
cp /data/cert/*.pem /etc/opensearch/certs/
# 다른 노드로 전송
scp -P 42894 /etc/opensearch/certs/*.pem root@ds-osnode002.oneunivrs.com:/etc/opensearch/certs/
scp -P 42894 /etc/opensearch/certs/*.pem root@ds-osnode003.oneunivrs.com:/etc/opensearch/certs/
```
**[모든 노드]**
```bash
chown -R opensearch:opensearch /etc/opensearch/certs
chmod 600 /etc/opensearch/certs/oneunivrs_key.pem # 개인키 권한 축소
chmod 644 /etc/opensearch/certs/oneunivrs.pem /etc/opensearch/certs/root.pem
```
### 3단계: OpenSearch 설정 (`opensearch.yml`)
**[모든 노드]**
기존 파일 백업 후, 각 노드에 맞게 `/etc/opensearch/opensearch.yml` 작성.
```yaml
# 클러스터 이름
cluster.name: ds-cluster
# [중요] node.name은 내부 DNS와 일치시킬 것 (클러스터링 실패 방지)
# Node1: node.name: ds-osnode001.oneunivrs.com
# Node2: node.name: ds-osnode002.oneunivrs.com
# Node3: node.name: ds-osnode003.oneunivrs.com
node.name: ds-osnode001.oneunivrs.com # 각 노드에 맞게 수정
# 역할
node.roles: [ cluster_manager, data ]
# 경로
path.data: /data/opensearch/data
path.logs: /data/opensearch/logs
# 메모리 잠금
bootstrap.memory_lock: true
# 네트워크
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# 클러스터링
discovery.seed_hosts:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# [중요] 최초 마스터 후보 목록. node.name과 일치해야 함.
cluster.initial_cluster_manager_nodes:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# 보안 플러그인
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.transport.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.http.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root.pem
# [주의] DN의 쉼표(,)는 백슬래시 두 개(\\)로 이스케이프
plugins.security.nodes_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
plugins.security.authcz.admin_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
plugins.security.allow_default_init_securityindex: true
plugins.security.audit.type: internal_opensearch
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
```
### 4단계: JVM 및 시스템 설정
**[모든 노드]**
#### 4.1. JVM 힙 메모리
`/etc/opensearch/jvm.options` 파일 수정. 31GB로 설정.
```bash
sed -i 's/^-Xms1g/#-Xms1g/' /etc/opensearch/jvm.options
sed -i 's/^-Xmx1g/#-Xmx1g/' /etc/opensearch/jvm.options
echo -e "\n-Xms31g\n-Xmx31g" >> /etc/opensearch/jvm.options
```
#### 4.2. Systemd 오버라이드
메모리 잠금과 경로 권한 부여.
```bash
mkdir -p /etc/systemd/system/opensearch.service.d
cat <<EOF > /etc/systemd/system/opensearch.service.d/override.conf
[Service]
LimitMEMLOCK=infinity
ReadWritePaths=/data/opensearch/
EOF
systemctl daemon-reload
systemctl enable opensearch.service
```
### 5단계: 보안 플러그인 설정
**[Node1에서 작업 후 다른 노드로 복사]**
#### 5.1. 인증 방식 설정 (`config.yml`)
`/etc/opensearch/opensearch-security/config.yml` 수정. JWT 우선, Basic 차선.
```yaml
---
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
anonymous_auth_enabled: false
authc:
# [중요] order: 0(JWT) -> order: 1(Basic)
jwt_auth_domain:
http_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
jwt_header: "Authorization" # "Bearer " 접두사는 자동 처리됨
subject_key: sub
roles_key: roles
authentication_backend:
type: noop
basic_internal_auth_domain:
http_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
```
#### 5.2. 역할 매핑 (`roles_mapping.yml`)
`/etc/opensearch/opensearch-security/roles_mapping.yml` 수정.
```yaml
# ... (기존 내용 유지)
all_access:
reserved: false
users:
- "admin" # 내부 사용자
backend_roles:
- "admin" # JWT를 통해 온 사용자
# ... (기존 내용 유지)
```
#### 5.3. 파일 복사 및 권한 설정
**[Node1]**
```bash
scp -P 42894 /etc/opensearch/opensearch-security/config.yml root@ds-osnode002.oneunivrs.com:/etc/opensearch/opensearch-security/
scp -P 42894 /etc/opensearch/opensearch-security/roles_mapping.yml root@ds-osnode002.oneunivrs.com:/etc/opensearch/opensearch-security/
scp -P 42894 /etc/opensearch/opensearch-security/config.yml root@ds-osnode003.oneunivrs.com:/etc/opensearch/opensearch-security/
scp -P 42894 /etc/opensearch/opensearch-security/roles_mapping.yml root@ds-osnode003.oneunivrs.com:/etc/opensearch/opensearch-security/
```
**[모든 노드]**
```bash
chown -R opensearch:opensearch /etc/opensearch
find /etc/opensearch -type d -exec chmod 750 {} \;
find /etc/opensearch -type f -exec chmod 640 {} \;
chmod 600 /etc/opensearch/certs/oneunivrs_key.pem
chmod -R 600 /etc/opensearch/opensearch-security/*
```
### 6단계: 클러스터 시작 및 적용
#### 6.1. 클러스터 시작
마스터가 아닌 노드부터 순차적으로 시작.
```bash
systemctl start opensearch.service # Node3 -> Node2 -> Node1 순으로 실행
```
#### 6.2. 개인키 변환 (PKCS#8)
`securityadmin.sh`는 PKCS#8 형식을 요구함.
**[Node1]**
```bash
openssl pkcs8 -topk8 -inform PEM -outform PEM -in /etc/opensearch/certs/oneunivrs_key.pem -out /etc/opensearch/certs/oneunivrs_key.p8.pem -nocrypt
chown opensearch:opensearch /etc/opensearch/certs/oneunivrs_key.p8.pem
chmod 600 /etc/opensearch/certs/oneunivrs_key.p8.pem
```
#### 6.3. 보안 설정 적용
**[Node1]**
```bash
# [중요] 3.1 버전은 REST 포트(9200)와 변환된 키(.p8.pem) 사용
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-cd /etc/opensearch/opensearch-security/ \
-cacert /etc/opensearch/certs/root.pem \
-cert /etc/opensearch/certs/oneunivrs.pem \
-key /etc/opensearch/certs/oneunivrs_key.p8.pem \
-h ds-osnode001.oneunivrs.com \
-p 9200 \
-icl \
-nhnv
```
### 7단계: Dashboards 설정
**[Node1]**
#### 7.1. 대시보드용 인증서 복사
```bash
mkdir -p /etc/opensearch-dashboards/certs
cp /etc/opensearch/certs/*.pem /etc/opensearch-dashboards/certs/
chown -R opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/certs
```
#### 7.2. `opensearch_dashboards.yml` 설정
```yaml
server.port: 5601
server.host: "0.0.0.0"
server.name: "oneunivrs-opensearch-dashboards"
# 고가용성을 위해 클러스터 노드 모두 기재
opensearch.hosts:
- https://ds-osearch001.oneunivrs.com:9200
- https://ds-osearch002.oneunivrs.com:9200
- https://ds-osearch003.oneunivrs.com:9200
# [중요] 2.x 이후 버전의 설정 키 이름
opensearch.requestHeadersWhitelist: [ "securitytenant", "authorization" ]
# 대시보드 HTTPS
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/certs/oneunivrs.pem
server.ssl.key: /etc/opensearch-dashboards/certs/oneunivrs_key.pem
# [중요] 2.x 이후 버전의 설정 키 이름 (배열)
opensearch.ssl:
verificationMode: full
certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ]
# 서비스 계정
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
# 보안 연동
opensearch_security:
multitenancy.enabled: true
auth.anonymous_auth_enabled: false
cookie.password: "강력하고_랜덤한_문자열_사용"
```
### 8단계: Dashboards 시작 및 확인
**[Node1]**
```bash
systemctl start opensearch-dashboards.service
systemctl enable opensearch-dashboards.service
```
브라우저에서 `https://ds-osearch001.oneunivrs.com:5601` 접속. `admin` / `DHp5#r#GYQ9d` 로그인 확인.
### 9단계: JWT 인증 테스트
#### 9.1. 서버에서 직접 토큰 생성
외부 도구의 키 처리 방식 문제로 서버에서 직접 생성하는 것이 가장 확실.
**[Node1]**
```bash
pip install pyjwt
vi create_token.py
```
```python
# create_token.py
import jwt, time, base64
base64_secret = "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
# [핵심] Base64 디코딩
decoded_secret = base64.b64decode(base64_secret)
payload = { "sub": "admin", "roles": ["admin"], "exp": int(time.time()) + 3600 }
token = jwt.encode(payload, decoded_secret, algorithm="HS256")
print(token)
```
```bash
python3 create_token.py # 토큰 생성 후 복사
```
#### 9.2. `curl`로 API 호출
```bash
curl -k -H "Authorization: Bearer <방금_생성한_토큰>" "https://ds-osearch001.oneunivrs.com:9200"
```
성공 응답 확인.
---
## v2.0: LB 중심 아키텍처로 전환
초기 구축된 클러스터를 프로덕션 환경에 적합하도록 로드 밸런서(LB) 중심의 고가용성 아키텍처로 전환한다.
### 10단계: 아키텍처 목표
* **AS-IS:** 클라이언트가 개별 노드(`ds-osearch001` 등)에 직접 접속.
* **TO-BE:** 클라이언트는 LB의 단일 대표 주소(`ds-opensearch.oneunivrs.com`)에만 접속. 노드들은 내부망에 격리되어 보안 강화.
### 11단계: LB 준비 및 Nginx 프록시 구축
LB의 헬스 체크 제약(200 OK만 허용)을 우회하기 위해, 모든 OpenSearch 노드에 헬스 체크 전용 Nginx 프록시를 설치한다.
**[모든 노드 (Node1, Node2, Node3)에서 실행]**
```bash
# Nginx 설치
apt-get update && apt-get install nginx -y
# Nginx용 SSL 디렉토리 생성 및 인증서 복사
mkdir -p /etc/nginx/ssl
cp /etc/opensearch/certs/*.pem /etc/nginx/ssl/
# 기본 설정 비활성화
rm /etc/nginx/sites-enabled/default
# 헬스 체크용 설정 파일 생성
vi /etc/nginx/sites-available/opensearch-healthcheck
```
`opensearch-healthcheck` 파일에 아래 내용을 작성한다.
```nginx
server {
listen 9201 ssl;
# [주의] IPv6 비활성화 환경에서는 아래 라인 주석 처리
# listen [::]:9201 ssl;
# 각 노드의 내부 DNS 또는 IP로 설정
server_name ds-osnode001.oneunivrs.com; # Node2에서는 ds-osnode002...
ssl_certificate /etc/nginx/ssl/oneunivrs.pem;
ssl_certificate_key /etc/nginx/ssl/oneunivrs_key.pem;
location / {
# 헬스 체크 요청에 무조건 200 OK 응답
return 200 'Healthy';
add_header Content-Type text/plain;
add_header Content-Length 7;
}
}
```
```bash
# 설정 활성화 및 재시작
ln -s /etc/nginx/sites-available/opensearch-healthcheck /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx
systemctl enable nginx
```
### 12단계: OpenSearch 및 Dashboards 재구성
**[로드 밸런서 설정]**
* **대표 DNS:** `ds-opensearch.oneunivrs.com`을 생성하여 LB의 Public IP에 연결.
* **리스너:** `HTTPS:9200` (API용), `HTTPS:5601` (Dashboards용) 생성.
* **SSL 인증서:** `oneunivrs.com` 인증서를 LB에 설치.
* **`opensearch-api` 타겟 그룹:**
* **대상:** `10.0.10.8:9200`, `10.0.10.9:9200`, `10.0.10.10:9200`
* **헬스 체크:** `HTTPS`, Port `9201`, Path `/`, Method `GET`
* **`opensearch-dashboard` 타겟 그룹:**
* **대상:** `10.0.10.8:5601`
* **헬스 체크:** `HTTPS`, Port `9201`, Path `/`, Method `GET` (API와 동일한 프록시 사용)
**[Node1의 Dashboards 설정 변경]**
`/etc/opensearch-dashboards/opensearch_dashboards.yml`을 수정하여 LB를 바라보게 한다.
```yaml
# opensearch.hosts를 새로운 LB 대표 DNS로 변경
opensearch.hosts: ["https://ds-opensearch.oneunivrs.com:9200"]
# [중요] LB <-> Dashboards 간 SNI 문제 해결을 위한 옵션 추가
opensearch.ssl:
alwaysPresentCertificate: true
verificationMode: full
certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ]
```
```bash
# Dashboards 서비스 재시작
systemctl restart opensearch-dashboards.service
```
### 13단계: 최종 전환 및 테스트
1. LB 콘솔에서 `opensearch-api``opensearch-dashboard` 타겟 그룹의 상태가 모두 `healthy`로 바뀌는지 확인한다.
2. 모든 클라이언트의 접속 주소를 `https://ds-opensearch.oneunivrs.com`으로 변경한다.
3. API와 Dashboards 접속이 모두 정상적으로 이루어지는지 최종 확인한다.
```bash
curl -k -H "Authorization: Bearer <최종_토큰>" "https://ds-opensearch.oneunivrs.com:9200"
```
4. (선택 사항) 전환이 안정화되면, 개별 노드의 외부 IP를 제거하고 방화벽을 강화하여 보안 수준을 높인다.
---
## 부록: 운영 및 관리
### 주요 트러블슈팅 및 교훈
1. **클러스터 형성 실패 (`cluster-manager not discovered`):** `opensearch.yml`의 `node.name`과 `cluster.initial_cluster_manager_nodes` 목록의 이름이 불일치. 클러스터링 관련 설정의 이름은 정확히 일치해야 함.
2. **`securityadmin.sh` 실행 실패:**
* **원인 1 (`InvalidKeySpecException`):** `securityadmin.sh`는 PKCS#8 형식의 개인키를 필요로 함. `openssl pkcs8` 명령으로 변환하여 해결.
* **원인 2 (포트 오류):** OpenSearch 2.12 이후 `securityadmin.sh`는 REST 포트(9200)를 사용.
3. **Dashboards 시작 실패:** 2.x 버전 이후 변경된 설정 키 이름 문제 (`requestHeadersWhitelist`, `ssl.ca`). 버전업 시 공식 문서의 Breaking Changes를 반드시 확인해야 함.
4. **JWT 인증 실패 (`Unauthorized`):**
* **근본 원인:** `signing_key`를 Base64 문자열 그대로 사용.
* **해결:** `signing_key`를 **Base64 디코딩**한 바이너리 값을 실제 비밀키로 사용하여 토큰을 생성해야 함.
5. **LB 헬스 체크 실패 (`503`, `401`, `405` 등):**
* **원인:** 사용하는 LB가 헬스 체크 성공 기준으로 `200 OK`만 허용하는데, 보안이 활성화된 OpenSearch/Dashboards는 인증되지 않은 요청에 `200 OK`를 반환하지 않음.
* **해결:** 모든 노드에 Nginx를 헬스 체크 전용 프록시로 설치. LB는 Nginx의 `9201` 포트로 헬스 체크를 요청하고, Nginx는 무조건 `200 OK`를 응답하여 문제를 우회함.
### 추가 권장 사항 및 팁
1. **롤링 리스타트 시 샤드 재배치 중단:** `/_cluster/settings` API를 통해 `cluster.routing.rebalance.enable`을 `none`으로 설정하면 재시작 속도를 높일 수 있음.
2. **인덱스 템플릿 및 ILM:** 데이터가 많아지기 전에 Dashboards의 `Index Management` 메뉴에서 인덱스 템플릿과 ILM(수명 주기 관리) 정책을 설정하여 운영을 자동화할 것.
3. **스냅샷 및 복구:** 데이터 유실 방지를 위해 Dashboards의 `Snapshots` 메뉴에서 외부 저장소(S3 등)로의 주기적인 백업을 반드시 설정할 것.
4. **방화벽 설정:** LB 전환 후 노드들의 외부 IP를 제거하고, OS 방화벽(UFW 등)을 사용해 신뢰할 수 있는 내부 IP 대역에서의 접속만 허용하여 보안을 강화할 것.
### 사용자/역할 추가 (Dashboards UI)
`admin` 계정으로 Dashboards에 로그인 후, `Security` 메뉴에서 YAML 파일 수정 없이 직관적으로 사용자, 역할, 역할 매핑을 관리할 수 있다. 일회성 작업은 UI를 사용하는 것이 편리하다.
* **역할 생성:** `Security > Roles > Create role`
* **사용자 생성:** `Security > Internal Users > Create internal user`
* **역할 매핑:** `Security > Roles > (역할 선택) > Mapped users > Manage mapping`
### 인증서에서 정확한 DN 추출하기
`opensearch.yml`의 `nodes_dn`, `admin_dn` 설정 시, `openssl` 명령어로 정확한 DN을 추출하여 사용하면 실수를 방지할 수 있다.
```bash
# [권장] RFC2253 형식으로 출력
openssl x509 -in /data/cert/oneunivrs.pem -noout -subject -nameopt RFC2253
```
**출력 예시:** `CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\,Ltd.,ST=Seoul,C=KR`
**`opensearch.yml` 적용 시:** YAML 문자열 내에서 백슬래시(`\`)는 이스케이프해야 하므로 `\\`로 변경해야 한다.
`"CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"`
### `-nameopt RFC2253` 옵션 상세 설명
이 옵션은 기계가 파싱하기 좋은 표준 형식으로 DN을 출력한다.
* `subject=` 같은 불필요한 접두사가 없다.
* 쉼표(`,`)로만 구분되며 불필요한 공백이 없다.
* **가장 중요:** DN 값 자체에 포함된 특수 문자(예: `Co.,Ltd.`의 쉼표)를 백슬래시(`\`)로 자동으로 이스케이프 처리해준다.
* OpenSearch 보안 플러그인은 이 형식을 가장 안정적으로 인식하므로, DN 설정 시 반드시 사용하는 것이 좋다.
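Review bot: the README publishes live credentials in plaintext: the initial admin password on the `env OPENSEARCH_INITIAL_ADMIN_PASSWORD='...' apt-get install` line (repeated in the step 8 login check), and the HS256 `signing_key` both under "JWT 인증" and inside the `config.yml` listing; together with the private key added elsewhere in this commit, all of these should be treated as exposed, rotated, and replaced here with placeholders. Two configuration points also deserve a second look: `plugins.security.authcz.admin_dn` is identical to `plugins.security.nodes_dn`, so the same wildcard certificate every node uses for transport TLS is also the admin certificate `securityadmin.sh` accepts, and the Nginx health-check `location /` unconditionally does `return 200 'Healthy';`, so the LB keeps routing to a node whose OpenSearch process is down; having Nginx fail the check when port 9200 is not answering, or forwarding it with a dedicated read-only health-check user, would make the check meaningful. Minor: the table-of-contents anchor `#v20-lb-중-심-아키텍처로-전환` has a stray hyphen inside 중심, and step 13 item 1 is missing a separator between `opensearch-api` and `opensearch-dashboard`.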

cert/oneunivrs.pem Normal file

@ -0,0 +1,74 @@
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

cert/oneunivrs_key.pem Normal file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
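Review bot: `cert/oneunivrs_key.pem` is the unencrypted RSA private key for the wildcard `*.oneunivrs.com` certificate, committed to the repository. Deleting it in a follow-up commit is not enough because it stays in history; the key should be rotated (reissue the certificate), the file purged from history, and a pattern such as `cert/*_key*.pem` added to `.gitignore` so only the public certificate and CA chain are tracked.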


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
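Review bot: this file is a second unencrypted private key, in PKCS#8 form (presumably the `openssl pkcs8 -topk8 ... -nocrypt` output from README step 6.2), so it carries the same key material as `cert/oneunivrs_key.pem` and needs the same rotation and history purge.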

cert/root.pem Normal file

@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

create_jwt.py Normal file

@ -0,0 +1,26 @@
# create_jwt.py
import jwt
import time
import base64
# ★★★★★ 1단계에서 생성한 동일한 비밀 키를 сюда 붙여넣습니다 ★★★★★
secret_key = "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
secret_key_64 = base64.b64decode(secret_key)
# 페이로드 데이터 정의 (이전과 동일)
payload = {
'sub': 'admin',
'roles': ['admin'],
'exp': int(time.time()) + 3600,
'iat': int(time.time())
}
# ★★★★★ JWT 생성 (알고리즘: HS256) ★★★★★
token = jwt.encode(
payload,
secret_key_64,
algorithm='HS256'
)
# 생성된 토큰 출력
print(token)
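Review bot: the HS256 signing key is hardcoded on the `secret_key = "UGdi..."` line of a committed script, and it is the same key the security plugin trusts in `config.yml`, so read access to this repository is enough to mint `admin` tokens; read it from an environment variable or a file outside the repo (for example `os.environ["OPENSEARCH_JWT_KEY"]`, name illustrative) and rotate the current key. Also the comment above it mixes a Russian word ("сюда") into the Korean text, and `exp` and `iat` call `time.time()` separately; computing `now = int(time.time())` once keeps the two claims consistent.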


@ -0,0 +1,74 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,9 @@
## Node command line options
## See `node --help` and `node --v8-options` for available options
## Please note you should specify one option per line
## max size of old space in megabytes
#--max-old-space-size=4096
## max size of semi space in megabytes
#--max-semi-space-size=64


@ -0,0 +1,47 @@
# ================= DUAL USE: DO NOT EDIT =================
# OpenSearch Dashboards가 사용할 포트. 기본값 5601.
server.port: 5601
# 외부에서 접속할 수 있도록 모든 네트워크 인터페이스에서 리슨.
server.host: "0.0.0.0"
# 브라우저에 표시될 대시보드 서버 이름.
server.name: "oneunivrs-opensearch-dashboards"
# 연결할 OpenSearch 클러스터 노드 목록. (HTTPS 필수)
# 고가용성을 위해 3개 노드를 모두 기재.
#opensearch.hosts:
# - https://ds-osearch001.oneunivrs.com:9200
# - https://ds-osearch002.oneunivrs.com:9200
# - https://ds-osearch003.oneunivrs.com:9200
# [원상 복구] LB의 대표 주소 하나만 사용하되, https로 변경
opensearch.hosts: ["https://ds-opensearch.oneunivrs.com:9200"]
# 인증 관련 헤더를 허용 목록에 추가.
opensearch.requestHeadersWhitelist: [ "securitytenant", "authorization" ]
# 대시보드와 브라우저 간 통신을 HTTPS로 암호화.
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/certs/oneunivrs.pem
server.ssl.key: /etc/opensearch-dashboards/certs/oneunivrs_key.pem
# 대시보드가 OpenSearch 클러스터와 통신 시 SSL/TLS 설정.
opensearch.ssl:
verificationMode: full
# 서버 인증서 검증에 사용할 CA 루트 인증서.
certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ]
# OpenSearch 클러스터에 접속할 서비스 계정.
# 보안상 admin 대신 기본 제공되는 kibanaserver 계정 사용을 권장.
# (kibanaserver 계정의 기본 PW는 계정명과 동일)
opensearch.username: "kibanaserver"
opensearch.password: "mY9!lytaVBkX"
# OpenSearch Security 플러그인과 연동 설정.
opensearch_security:
# 멀티 테넌시 기능 활성화.
multitenancy.enabled: true
# 로그인하지 않은 사용자는 접속 불가.
auth.anonymous_auth_enabled: false
# 쿠키의 비밀번호. 임의의 긴 문자열로 변경하는 것을 권장.
cookie.password: "ChpPaDg2agzDD2czacgdAgivjXh1JSOPZuz+EhF3jDg="
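Review bot: `opensearch.password: "mY9!lytaVBkX"` and the `cookie.password` value are real secrets committed in plaintext; they should be moved out of the repository (a keystore or environment variable) and rotated. The comment two lines above the password still says the `kibanaserver` default password equals the account name, which no longer matches the value set here. The `DUAL USE: DO NOT EDIT` banner at the top should state where the file is actually maintained if it is copied in from somewhere else.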


@ -0,0 +1,233 @@
---
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
# Description:
# Default configuration for OpenSearch Dashboards
# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
# server.port: 5601
# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
# server.host: "localhost"
# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
# server.basePath: ""
# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# server.rewriteBasePath: false
# The maximum payload size in bytes for incoming server requests.
# server.maxPayloadBytes: 1048576
# The OpenSearch Dashboards server's name. This is used for display purposes.
# server.name: "your-hostname"
# The URLs of the OpenSearch instances to use for all your queries.
# opensearch.hosts: ["http://localhost:9200"]
# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
# opensearchDashboards.index: ".opensearch_dashboards"
# The default application to load.
# opensearchDashboards.defaultAppId: "home"
# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
# This settings should be used for large clusters or for clusters with ingest heavy nodes.
# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
#
# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
# opensearch.optimizedHealthcheckId: "cluster_id"
# If your OpenSearch is protected with basic authentication, these settings provide
# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
# is proxied through the OpenSearch Dashboards server.
# opensearch.username: "opensearch_dashboards_system"
# opensearch.password: "pass"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
# server.ssl.enabled: false
# server.ssl.certificate: /path/to/your/server.crt
# server.ssl.key: /path/to/your/server.key
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
# opensearch.ssl.certificate: /path/to/your/client.crt
# opensearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your OpenSearch instance.
# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
# opensearch.ssl.verificationMode: full
# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
# the opensearch.requestTimeout setting.
# opensearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
# must be a positive integer.
# opensearch.requestTimeout: 30000
# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
# headers, set this value to [] (an empty list).
# opensearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
# opensearch.customHeaders: {}
# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
# opensearch.shardTimeout: 30000
# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
# opensearch.logQueries: false
# Specifies the path where OpenSearch Dashboards creates the process ID file.
# pid.file: /var/run/opensearchDashboards.pid
# Enables you to specify a file where OpenSearch Dashboards stores log output.
# logging.dest: stdout
# 2.15 Ignore 'ENOSPC' error for logging stream.
# When set to true, the 'ENOSPC' error message will not cause the OpenSearch Dashboards process to crash. Otherwise,
# the original behavior will be maintained. It is disabled by default.
# logging.ignoreEnospcError: false
# Set the value of this setting to true to suppress all logging output.
# logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
# logging.verbose: false
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
# ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
# i18n.locale: "en"
# Set the allowlist to check input graphite Url. Allowlist is the default check list.
# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
# Set the blocklist to check input graphite Url. Blocklist is an IP list.
# Below is an example for reference
# vis_type_timeline.graphiteBlockedIPs: [
# //Loopback
# '127.0.0.0/8',
# '::1/128',
# //Link-local Address for IPv6
# 'fe80::/10',
# //Private IP address for IPv4
# '10.0.0.0/8',
# '172.16.0.0/12',
# '192.168.0.0/16',
# //Unique local address (ULA)
# 'fc00::/7',
# //Reserved IP address
# '0.0.0.0/8',
# '100.64.0.0/10',
# '192.0.0.0/24',
# '192.0.2.0/24',
# '198.18.0.0/15',
# '192.88.99.0/24',
# '198.51.100.0/24',
# '203.0.113.0/24',
# '224.0.0.0/4',
# '240.0.0.0/4',
# '255.255.255.255/32',
# '::/128',
# '2001:db8::/32',
# 'ff00::/8',
# ]
# vis_type_timeline.graphiteBlockedIPs: []
# opensearchDashboards.branding:
# logo:
# defaultUrl: ""
# darkModeUrl: ""
# mark:
# defaultUrl: ""
# darkModeUrl: ""
# loadingLogo:
# defaultUrl: ""
# darkModeUrl: ""
# faviconUrl: ""
# applicationTitle: ""
# Set the value of this setting to true to capture region blocked warnings and errors
# for your map rendering services.
# map.showRegionBlockedWarning: false%
# Set the value of this setting to false to suppress search usage telemetry
# for reducing the load of OpenSearch cluster.
# data.search.usageTelemetry.enabled: false
# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
# Set the value of this setting to false to disable VisBuilder
# functionality in Visualization.
# vis_builder.enabled: false
# 2.4 New Experimental Feature
# Set the value of this setting to true to enable the experimental multiple data source
# support feature. Use with caution.
# data_source.enabled: false
# Set the value of these settings to customize crypto materials to encryption saved credentials
# in data sources.
# data_source.encryption.wrappingKeyName: 'changeme'
# data_source.encryption.wrappingKeyNamespace: 'changeme'
# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
# 2.6 New ML Commons Dashboards Feature
# Set the value of this setting to true to enable the ml commons dashboards
# ml_commons_dashboards.enabled: false
# 2.12 New Experimental Assistant Dashboards Feature
# Set the value of this setting to true to enable the assistant dashboards
# assistant.chat.enabled: false
# 2.13 New Query Assistant Feature
# Set the value of this setting to false to disable the query assistant
# observability.query_assist.enabled: false
# 2.14 Enable Ui Metric Collectors in Usage Collector
# Set the value of this setting to true to enable UI Metric collections
# usageCollection.uiMetric.enabled: false
# 2.18 New Experimental Settings
# Set the value to true to enable
# assistant.alertInsight.enabled: false
# assistant.smartAnomalyDetector.enabled: false
# assistant.text2viz.enabled: false
# queryEnhancements.queryAssist.summary.enabled: false
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
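Review bot: `opensearch.ssl.verificationMode: none` in the uncommented block at the end of the hunk disables certificate validation on the Dashboards-to-OpenSearch connection, so anything answering on `https://localhost:9200` is trusted; since a `root.pem` CA file is committed in this same change, set `opensearch.ssl.certificateAuthorities` to that file and use `verificationMode: certificate` while `opensearch.hosts` stays `localhost` (the certificate is for the public DNS name, so `full` would fail the hostname check unless the host entry is changed to the node's certificate name). The same block keeps the shipped default `opensearch.password: kibanaserver`, which should be replaced with a generated secret before the cluster is exposed, and `opensearch_security.cookie.secure: false`, which should become `true` once Dashboards is served over HTTPS so the session cookie is never sent in clear. Minor: the commented line `# map.showRegionBlockedWarning: false%` carries a stray `%` pasted from a shell prompt.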

@ -0,0 +1,75 @@
-----BEGIN CERTIFICATE-----
MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB
lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD
EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy
dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE
BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s
THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0
6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET
c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1
iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5
AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D
mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD
VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA
DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB
AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn
gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T
ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp
Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy
dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp
BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor
BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G
pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc
7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ
htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC
IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2
PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h
qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy
QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ
KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp
3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1
PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS
N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M
k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg
rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
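Review bot: decoding the visible DER fields, the first certificate is the public wildcard leaf (subject CN `*.oneunivrs.com`, SAN `*.oneunivrs.com` and `oneunivrs.com`, issuer Sectigo RSA Organization Validation Secure Server CA, validity 2025-04-30 to 2026-05-22 UTC) followed by a second certificate that should be the issuing intermediate for a complete chain; the page does not say which file this is, so the node-side certificate path settings cannot be cross-checked here. Two things worth acting on: the 2026-05-22 expiry should be tracked by an alert, because all nodes and the proxy share this one certificate and will fail TLS together on that day; and since it is a wildcard for the whole organisation domain, the matching private key has to be protected as an organisation-wide secret rather than a per-cluster one (see the next two files).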

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
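Review bot: a private key in PKCS#8 PEM form (`-----BEGIN PRIVATE KEY-----`, 28 lines per the hunk header) is checked into the repository, which puts it in every clone and permanently in the commit history. Treat it as exposed: generate a new key and reissue the certificate, exclude key files from version control, and deliver them to the nodes through a secret store or configuration management with mode 0600 owned by the opensearch user. If this is the key for the wildcard certificate in the previous file, the exposure is not limited to the three search nodes.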

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
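Review bot: a second private key, this time in PKCS#1 form (`-----BEGIN RSA PRIVATE KEY-----`, 27 lines), is also committed; the same rotation and exclusion advice as for the PKCS#8 key applies. If both files hold the same key in two encodings (the page does not say), keep the one encoding the consuming service needs and delete the other so that only one copy has to be protected.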

opensearch/certs/root.pem Normal file
@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1,10 @@
# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in approved-only mode
# Intended to be used complementary with a single equal sign e.g. 'java.security.properties=fips_java.security'
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunJGSS
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
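Review bot: this is the stock `fips_java.security` from the distribution and is inert unless the JVM is started with `-Djava.security.properties=<path to this file>` (the single `=` the header comment refers to loads it on top of the default `java.security`, overriding only the listed keys; `==` would replace the file entirely). The `jvm.options` added in this same commit contains no such flag, so the BouncyCastle FIPS providers listed here are not loaded. That is the intended state unless FIPS mode is a requirement, in which case the BC FIPS jars must also be on the classpath; otherwise consider not deploying the file so nobody assumes FIPS mode is active.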

opensearch/jvm.options Normal file
@ -0,0 +1,98 @@
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://opensearch.org/docs/opensearch/install/important-settings/
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
#-Xms1g
#-Xmx1g
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
8-10:-XX:+UseConcMarkSweepGC
8-10:-XX:CMSInitiatingOccupancyFraction=75
8-10:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1GC is the default GC for all JDKs 11 and newer
11-:-XX:+UseG1GC
# See https://github.com/elastic/elasticsearch/pull/46169 for the history
# behind these settings, but the tl;dr is that default values can lead
# to situations where heap usage grows enough to trigger a circuit breaker
# before GC kicks in.
11-:-XX:G1ReservePercent=25
11-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=/var/lib/opensearch
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/opensearch/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/opensearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# JDK 20+ Incubating Vector Module for SIMD optimizations;
# disabling may reduce performance on vector optimized lucene
20-:--add-modules=jdk.incubator.vector
# See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283)
23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
21-:-javaagent:agent/opensearch-agent.jar
21-:--add-opens=java.base/java.nio=org.apache.arrow.memory.core,ALL-UNNAMED
## OpenSearch Performance Analyzer
-Dclk.tck=100
-Djdk.attach.allowAttachSelf=true
-Djava.security.policy=file:///etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy
--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED
# Set heap size to 31GB
-Xms31g
-Xmx31g
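Review bot: `-Xms31g`/`-Xmx31g` at the end override the commented defaults and are the usual ceiling for keeping compressed ordinary object pointers (which stop working slightly above 32 GB), leaving the rest of RAM to the filesystem cache. The point to fix is `-XX:HeapDumpPath=/var/lib/opensearch` combined with `-XX:+HeapDumpOnOutOfMemoryError`: an OOM now writes a dump of up to 31 GB into the data directory, which can fill the data disk in the middle of an incident, and the dump contains whatever documents and credentials were in heap at the time. Point `HeapDumpPath` at a dedicated directory on a separate volume with mode 0700, monitor it, and expire old dumps. Also plan for the GC log footprint: `filecount=32,filesize=64m` under `/var/log/opensearch` is about 2 GB at steady state.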

@ -0,0 +1,275 @@
#
# SPDX-License-Identifier: Apache-2.0
#
# The OpenSearch Contributors require contributions made to
# this file be licensed under the Apache-2.0 license or a
# compatible open source license.
#
# Modifications Copyright OpenSearch Contributors. See
# GitHub history for details.
#
status = error
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
######## Server JSON ############################
appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_server.json
appender.rolling.filePermissions = rw-r-----
appender.rolling.layout.type = OpenSearchJsonLayout
appender.rolling.layout.type_name = server
appender.rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz
appender.rolling.policies.type = Policies
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling.policies.time.interval = 1
appender.rolling.policies.time.modulate = true
appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling.policies.size.size = 128MB
appender.rolling.strategy.type = DefaultRolloverStrategy
appender.rolling.strategy.fileIndex = nomax
appender.rolling.strategy.action.type = Delete
appender.rolling.strategy.action.basepath = ${sys:opensearch.logs.base_path}
appender.rolling.strategy.action.condition.type = IfFileName
appender.rolling.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-*
appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
################################################
######## Server - old style pattern ###########
appender.rolling_old.type = RollingFile
appender.rolling_old.name = rolling_old
appender.rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}.log
appender.rolling_old.filePermissions = rw-r-----
appender.rolling_old.layout.type = PatternLayout
appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
appender.rolling_old.policies.type = Policies
appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling_old.policies.time.interval = 1
appender.rolling_old.policies.time.modulate = true
appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling_old.policies.size.size = 128MB
appender.rolling_old.strategy.type = DefaultRolloverStrategy
appender.rolling_old.strategy.fileIndex = nomax
appender.rolling_old.strategy.action.type = Delete
appender.rolling_old.strategy.action.basepath = ${sys:opensearch.logs.base_path}
appender.rolling_old.strategy.action.condition.type = IfFileName
appender.rolling_old.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-*
appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB
################################################
rootLogger.level = info
rootLogger.appenderRef.console.ref = console
rootLogger.appenderRef.rolling.ref = rolling
rootLogger.appenderRef.rolling_old.ref = rolling_old
######## Deprecation JSON #######################
appender.deprecation_rolling.type = RollingFile
appender.deprecation_rolling.name = deprecation_rolling
appender.deprecation_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.json
appender.deprecation_rolling.filePermissions = rw-r-----
appender.deprecation_rolling.layout.type = OpenSearchJsonLayout
appender.deprecation_rolling.layout.type_name = deprecation
appender.deprecation_rolling.layout.opensearchmessagefields=x-opaque-id
appender.deprecation_rolling.filter.rate_limit.type = RateLimitingFilter
appender.deprecation_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation-%i.json.gz
appender.deprecation_rolling.policies.type = Policies
appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling.policies.size.size = 1GB
appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling.strategy.max = 4
appender.header_warning.type = HeaderWarningAppender
appender.header_warning.name = header_warning
#################################################
######## Deprecation - old style pattern #######
appender.deprecation_rolling_old.type = RollingFile
appender.deprecation_rolling_old.name = deprecation_rolling_old
appender.deprecation_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.log
appender.deprecation_rolling_old.filePermissions = rw-r-----
appender.deprecation_rolling_old.layout.type = PatternLayout
appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.deprecation_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_deprecation-%i.log.gz
appender.deprecation_rolling_old.policies.type = Policies
appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling_old.policies.size.size = 1GB
appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling_old.strategy.max = 4
#################################################
logger.deprecation.name = org.opensearch.deprecation
logger.deprecation.level = deprecation
logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old
logger.deprecation.appenderRef.header_warning.ref = header_warning
logger.deprecation.additivity = false
######## Search Request Slowlog JSON ####################
appender.search_request_slowlog_json_appender.type = RollingFile
appender.search_request_slowlog_json_appender.name = search_request_slowlog_json_appender
appender.search_request_slowlog_json_appender.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog.json
appender.search_request_slowlog_json_appender.filePermissions = rw-r-----
appender.search_request_slowlog_json_appender.layout.type = OpenSearchJsonLayout
appender.search_request_slowlog_json_appender.layout.type_name = search_request_slowlog
appender.search_request_slowlog_json_appender.layout.opensearchmessagefields=message,took,took_millis,phase_took,total_hits,search_type,shards,source,id
appender.search_request_slowlog_json_appender.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog-%i.json.gz
appender.search_request_slowlog_json_appender.policies.type = Policies
appender.search_request_slowlog_json_appender.policies.size.type = SizeBasedTriggeringPolicy
appender.search_request_slowlog_json_appender.policies.size.size = 1GB
appender.search_request_slowlog_json_appender.strategy.type = DefaultRolloverStrategy
appender.search_request_slowlog_json_appender.strategy.max = 4
#################################################
######## Search Request Slowlog Log File - old style pattern ####
appender.search_request_slowlog_log_appender.type = RollingFile
appender.search_request_slowlog_log_appender.name = search_request_slowlog_log_appender
appender.search_request_slowlog_log_appender.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog.log
appender.search_request_slowlog_log_appender.filePermissions = rw-r-----
appender.search_request_slowlog_log_appender.layout.type = PatternLayout
appender.search_request_slowlog_log_appender.layout.pattern = [%d{ISO8601}][%-5p][%c{1.}] [%node_name]%marker %m%n
appender.search_request_slowlog_log_appender.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog-%i.log.gz
appender.search_request_slowlog_log_appender.policies.type = Policies
appender.search_request_slowlog_log_appender.policies.size.type = SizeBasedTriggeringPolicy
appender.search_request_slowlog_log_appender.policies.size.size = 1GB
appender.search_request_slowlog_log_appender.strategy.type = DefaultRolloverStrategy
appender.search_request_slowlog_log_appender.strategy.max = 4
#################################################
logger.search_request_slowlog_logger.name = cluster.search.request.slowlog
logger.search_request_slowlog_logger.level = trace
logger.search_request_slowlog_logger.appenderRef.search_request_slowlog_json_appender.ref = search_request_slowlog_json_appender
logger.search_request_slowlog_logger.appenderRef.search_request_slowlog_log_appender.ref = search_request_slowlog_log_appender
logger.search_request_slowlog_logger.additivity = false
######## Search slowlog JSON ####################
appender.index_search_slowlog_rolling.type = RollingFile
appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
appender.index_search_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog.json
appender.index_search_slowlog_rolling.filePermissions = rw-r-----
appender.index_search_slowlog_rolling.layout.type = OpenSearchJsonLayout
appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog
appender.index_search_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id
appender.index_search_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog-%i.json.gz
appender.index_search_slowlog_rolling.policies.type = Policies
appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.index_search_slowlog_rolling.policies.size.size = 1GB
appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy
appender.index_search_slowlog_rolling.strategy.max = 4
#################################################
######## Search slowlog - old style pattern ####
appender.index_search_slowlog_rolling_old.type = RollingFile
appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old
appender.index_search_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog.log
appender.index_search_slowlog_rolling_old.filePermissions = rw-r-----
appender.index_search_slowlog_rolling_old.layout.type = PatternLayout
appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.index_search_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog-%i.log.gz
appender.index_search_slowlog_rolling_old.policies.type = Policies
appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.index_search_slowlog_rolling_old.policies.size.size = 1GB
appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.index_search_slowlog_rolling_old.strategy.max = 4
#################################################
logger.index_search_slowlog_rolling.name = index.search.slowlog
logger.index_search_slowlog_rolling.level = trace
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old
logger.index_search_slowlog_rolling.additivity = false
######## Indexing slowlog JSON ##################
appender.index_indexing_slowlog_rolling.type = RollingFile
appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
appender.index_indexing_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog.json
appender.index_indexing_slowlog_rolling.filePermissions = rw-r-----
appender.index_indexing_slowlog_rolling.layout.type = OpenSearchJsonLayout
appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog
appender.index_indexing_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,doc_type,id,routing,source
appender.index_indexing_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog-%i.json.gz
appender.index_indexing_slowlog_rolling.policies.type = Policies
appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling.policies.size.size = 1GB
appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy
appender.index_indexing_slowlog_rolling.strategy.max = 4
#################################################
######## Indexing slowlog - old style pattern ##
appender.index_indexing_slowlog_rolling_old.type = RollingFile
appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old
appender.index_indexing_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog.log
appender.index_indexing_slowlog_rolling_old.filePermissions = rw-r-----
appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout
appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog-%i.log.gz
appender.index_indexing_slowlog_rolling_old.policies.type = Policies
appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB
appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.index_indexing_slowlog_rolling_old.strategy.max = 4
#################################################
logger.index_indexing_slowlog.name = index.indexing.slowlog.index
logger.index_indexing_slowlog.level = trace
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old
logger.index_indexing_slowlog.additivity = false
######## Task details log JSON ####################
appender.task_detailslog_rolling.type = RollingFile
appender.task_detailslog_rolling.name = task_detailslog_rolling
appender.task_detailslog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.json
appender.task_detailslog_rolling.filePermissions = rw-r-----
appender.task_detailslog_rolling.layout.type = OpenSearchJsonLayout
appender.task_detailslog_rolling.layout.type_name = task_detailslog
appender.task_detailslog_rolling.layout.opensearchmessagefields=taskId,type,action,description,start_time_millis,resource_stats,metadata
appender.task_detailslog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.json.gz
appender.task_detailslog_rolling.policies.type = Policies
appender.task_detailslog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.task_detailslog_rolling.policies.size.size = 1GB
appender.task_detailslog_rolling.strategy.type = DefaultRolloverStrategy
appender.task_detailslog_rolling.strategy.max = 4
#################################################
######## Task details log - old style pattern ####
appender.task_detailslog_rolling_old.type = RollingFile
appender.task_detailslog_rolling_old.name = task_detailslog_rolling_old
appender.task_detailslog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.log
appender.task_detailslog_rolling_old.filePermissions = rw-r-----
appender.task_detailslog_rolling_old.layout.type = PatternLayout
appender.task_detailslog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.task_detailslog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.log.gz
appender.task_detailslog_rolling_old.policies.type = Policies
appender.task_detailslog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.task_detailslog_rolling_old.policies.size.size = 1GB
appender.task_detailslog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.task_detailslog_rolling_old.strategy.max = 4
#################################################
logger.task_detailslog_rolling.name = task.detailslog
logger.task_detailslog_rolling.level = trace
logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling.ref = task_detailslog_rolling
logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling_old.ref = task_detailslog_rolling_old
logger.task_detailslog_rolling.additivity = false
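Review bot: every rolling appender sets `filePermissions = rw-r-----`, which is good; any log shipper reading `${sys:opensearch.logs.base_path}` must then run as the opensearch user or in its group, or it reads nothing. From a data-handling standpoint, the search and indexing slowlog layouts list `source` among their `opensearchmessagefields`, so full query bodies and indexed documents are written to the slowlogs once per-index slowlog thresholds are set, and the deprecation appender records `x-opaque-id`; the logs directory therefore deserves the same access restrictions as the indices. Retention here is size-based only (`strategy.max = 4` × 1 GB per slowlog, `IfAccumulatedFileSize` 2 GB for the server logs), so add a time-based purge if retention policy requires one.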

@ -0,0 +1,19 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the notifications-core plugin
opensearch.notifications.core:
email:
size_limit: 10000000
minimum_header_length: 160
http:
max_connections: 60
max_connection_per_route: 20
connection_timeout: 5000 # in milliseconds
socket_timeout: 50000
host_deny_list: []
allowed_config_types: ["slack","chime","microsoft_teams","webhook","email","sns","ses_account","smtp_account","email_group"]
tooltip_support: true
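Review bot: `host_deny_list: []` means webhook, Slack, Chime and Teams destinations may point at any address the node can reach, including loopback, link-local and private ranges, so any user allowed to create notification channels can make the cluster issue HTTP requests to internal services. Populate `host_deny_list` with the loopback, link-local and private address ranges (the same set the commented `vis_type_timeline.graphiteBlockedIPs` example in `opensearch_dashboards.yml` enumerates) and trim `allowed_config_types` to the channel types actually in use.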

@ -0,0 +1,12 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the notifications plugin
opensearch.notifications:
general:
operation_timeout_ms: 60000 # 60 seconds, Minimum 100ms
default_items_query_count: 100 # default number of items to query
filter_send_by_backend_roles: false # Does sendNotification needs to validate user's backend roles

@ -0,0 +1,28 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the observability plugin
opensearch.notebooks:
general:
operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms
defaultItemsQueryCount: 100 # default number of items to query
polling:
jobLockDurationSeconds: 300 # 5 Minutes, Minimum 10 seconds
minPollingDurationSeconds: 300 # 5 Minutes, Minimum 60 seconds
maxPollingDurationSeconds: 900 # 15 Minutes, Minimum 5 Minutes
maxLockRetries: 1 # Max number of retries to retry locking
access:
adminAccess: "AllObservabilityObjects"
# adminAccess values:
## Standard -> Admin user access follows standard user
## AllObservabilityObjects -> Admin user with "all_access" role can see all observability objects of all users.
filterBy: "NoFilter" # Applied when tenant != __user__
# filterBy values:
## NoFilter -> everyone see each other's observability objects
## User -> observability objects are visible to only themselves
## Roles -> observability objects are visible to users having any one of the role of creator
## BackendRoles -> observability objects are visible to users having any one of the backend role of creator
ignoreRoles: ["own_index", "kibana_user", "observability_full_access", "observability_read_access"]
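Review bot: `filterBy: "NoFilter"` (per the inline comment, "everyone see each other's observability objects") shares notebooks and other observability objects across all users of a tenant, and together with `adminAccess: "AllObservabilityObjects"` this is the most permissive combination. If Dashboards tenants are meant to isolate teams, set `filterBy` to `User`, `Roles` or `BackendRoles` as the comment table describes; otherwise record that the open default is intentional.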

@ -0,0 +1,11 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the reports scheduler plugin
opensearch.reports:
general:
operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms
defaultItemsQueryCount: 100 # default number of items to query

@ -0,0 +1,3 @@
_meta:
type: "actiongroups"
config_version: 2

@ -0,0 +1,69 @@
---
_meta:
type: "allowlist"
config_version: 2
# Description:
# enabled - feature flag.
# if enabled is false, the allowlisting feature is removed.
# This is like removing the check that checks if an API is allowlisted.
# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting.
# if enabled is true, then all users except SuperAdmin can access only the APIs in requests
# SuperAdmin can access all APIs.
# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn:
# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin.
#
# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints
# Examples showing how to configure this yml file (make sure the _meta data from above is also there):
# Example 1:
# To enable allowlisting and allowlist GET /_cluster/settings
#
#config:
# enabled: true
# requests:
# /_cluster/settings:
# - GET
#
# Example 2:
# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT):
#
#config:
# enabled: true
# requests:
# /_cluster/settings:
# - GET
# - PUT
#
# Example 3:
# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards:
#
#config:
# enabled: true
# requests:
# /_cluster/settings:
# - GET
# - PUT
# /_cat/nodes:
# - GET
# /_cat/shards:
# - GET
#
# Example 4:
# If you want to disable the allowlisting feature, set enabled to false.
# enabled: false
# requests:
# /_cluster/settings:
# - GET
#
#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant.
#this name must be config
config:
enabled: false
requests:
/_cluster/settings:
- GET
/_cat/nodes:
- GET

@ -0,0 +1,85 @@
_meta:
type: "audit"
config_version: 2
config:
# enable/disable audit logging
enabled: true
audit:
# Enable/disable REST API auditing
enable_rest: true
# Categories to exclude from REST API auditing
disabled_rest_categories:
- AUTHENTICATED
- GRANTED_PRIVILEGES
# Enable/disable Transport API auditing
enable_transport: true
# Categories to exclude from Transport API auditing
disabled_transport_categories:
- AUTHENTICATED
- GRANTED_PRIVILEGES
# Users to be excluded from auditing. Wildcard patterns are supported. Eg:
# ignore_users: ["test-user", "employee-*"]
ignore_users:
- kibanaserver
# Requests to be excluded from auditing. Wildcard patterns are supported. Eg:
# ignore_requests: ["indices:data/read/*", "SearchRequest"]
ignore_requests: []
# Log individual operations in a bulk request
resolve_bulk_requests: false
# Include the body of the request (if available) for both REST and the transport layer
log_request_body: true
# Logs all indices affected by a request. Resolves aliases and wildcards/date patterns
resolve_indices: true
# Exclude sensitive headers from being included in the logs. Eg: Authorization
exclude_sensitive_headers: true
compliance:
# enable/disable compliance
enabled: true
# Log updates to internal security changes
internal_config: true
# Log external config files for the node
external_config: false
# Log only metadata of the document for read events
read_metadata_only: true
# Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg:
# read_watched_fields: {
# "twitter": ["message"]
# "logs-*": ["id", "attr*"]
# }
read_watched_fields: {}
# List of users to ignore for read events. Wildcard patterns are supported. Eg:
# read_ignore_users: ["test-user", "employee-*"]
read_ignore_users:
- kibanaserver
# Log only metadata of the document for write events
write_metadata_only: true
# Log only diffs for document updates
write_log_diffs: false
# List of indices to watch for write events. Wildcard patterns are supported
# write_watched_indices: ["twitter", "logs-*"]
write_watched_indices: []
# List of users to ignore for write events. Wildcard patterns are supported. Eg:
# write_ignore_users: ["test-user", "employee-*"]
write_ignore_users:
- kibanaserver
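Review bot: `log_request_body: true` for both REST and transport, paired with `exclude_sensitive_headers: true`, keeps the `Authorization` header out of the log but does nothing for secrets carried in request bodies; a call to the security REST API that creates or updates an internal user carries the plaintext `password` field in its body, and that body is written to the audit index unless the plugin redacts it, so verify that before relying on this setting in production, or set `log_request_body: false` / add the security API paths to `ignore_requests` (wildcards on REST paths are supported). Separately, `compliance.enabled: true` with `read_watched_fields: {}` and `write_watched_indices: []` watches no data index at all, so the compliance section currently records only `internal_config` changes; list the indices that need a read/write trail or drop the section rather than leaving it looking enabled.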


@ -0,0 +1,49 @@
---
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
# 익명(로그인 안 한) 사용자의 요청을 차단
anonymous_auth_enabled: false
xff:
# X-Forwarded-For 헤더 처리 활성화 (LB/Proxy 환경)
enabled: true
# 프록시의 내부 IP. 필요시 로드밸런서 IP 추가
internalProxies: "10\\.0\\.20\\.\\d{1,3}" # 10.0.20.x 대역을 내부 프록시로 인식
# 원격 클라이언트 IP를 가져올 헤더
remoteIpHeader: "x-forwarded-for"
authc:
# 기본 내부 인증(internal_users.yml 사용)
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
# JWT 인증 설정
jwt_auth_domain:
http_enabled: true
transport_enabled: false # HTTP API에만 사용
order: 0
http_authenticator:
type: jwt
# challenge: false 이므로 JWT 토큰이 없으면 다음 인증(basic) 시도
challenge: false
config:
# 토큰 서명에 사용할 키
signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
# JWT 헤더 파싱 설정 추가
jwt_header: "Authorization"
# JWT 토큰에서 사용자 이름을 가져올 필드
subject_key: sub
# JWT 토큰에서 역할(role)을 가져올 필드
roles_key: roles
authentication_backend:
# JWT 토큰 내 사용자 정보로 인증 처리
type: noop
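Review bot: the HMAC `signing_key` for `jwt_auth_domain` is committed to the repository in cleartext. Because the backend is `noop` and `roles_key: roles`, anyone holding that key can mint a token with an arbitrary `sub` and an arbitrary `roles` claim and the cluster will accept it, constrained only by roles_mapping.yml; the key is therefore an admin-equivalent credential and must be rotated now that it has been committed, kept out of version control and injected at deploy time instead, and preferably replaced by an RSA/ECDSA public key so the cluster never holds the signing secret at all (the field accepts a PEM public key as well as an HMAC key). Two smaller points: `internalProxies` trusts the whole 10.0.20.0/24 range, so any host on that subnet can forge `x-forwarded-for`; pin the pattern to the LB's actual address(es). And there is no `auth_failure_listeners` block, so Basic auth exposed through the LB has no brute-force throttling; the `ip_rate_limiting` and `internal_authentication_backend_limiting` examples from the upstream template are a reasonable starting point.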


@ -0,0 +1,250 @@
---
# This is the main OpenSearch Security configuration file where authentication
# and authorization is defined.
#
# You need to configure at least one authentication domain in the authc of this file.
# An authentication domain is responsible for extracting the user credentials from
# the request and for validating them against an authentication backend like Active Directory for example.
#
# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
# http_enabled: true
# transport_enabled: true
#
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous"
# and one role named "anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
# kerberos (challenging)
# clientcert (not challenging, needs https)
# jwt (not challenging)
# host (not challenging) #DEPRECATED, will be removed in a future version.
# host based authentication is configurable in roles_mapping
# Authc
# internal
# noop
# ldap
# Authz
# ldap
# noop
_meta:
type: "config"
config_version: 2
config:
dynamic:
# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#do_not_fail_on_forbidden: false
#kibana:
# Kibana multitenancy
#multitenancy_enabled: true
#private_tenant_enabled: true
#default_tenant: ""
#server_username: kibanaserver
#index: '.kibana'
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
#internalProxies: '.*' # trust all internal proxies, regex pattern
#remoteIpHeader: 'x-forwarded-for'
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
description: "Authenticate via proxy"
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
jwt_auth_domain:
description: "Authenticate via Json Web Token"
http_enabled: false
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
jwt_header: "Authorization"
jwt_url_parameter: null
jwt_clock_skew_tolerance_seconds: 30
roles_key: null
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
description: "Authenticate via SSL client certificates"
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: 'ou=groups,dc=example,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
#config goes here ...
# auth_failure_listeners:
# ip_rate_limiting:
# type: ip
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000
# internal_authentication_backend_limiting:
# type: username
# authentication_backend: intern
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000
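Review bot: this is the unmodified upstream config.yml template (all domains except `basic_internal_auth_domain` disabled, `jwt_auth_domain` still carrying the placeholder `signing_key`), and the commit also contains a customised config.yml with JWT and XFF enabled. Keeping two files with `_meta.type: "config"` in the same tree invites loading the wrong one; keep only the copy that is actually uploaded to the cluster, or rename this one so it is clearly a reference and never picked up by the security configuration tooling.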


@ -0,0 +1,50 @@
---
_meta:
type: "internalusers"
config_version: 2
admin:
hash: "$2y$12$PH5uup5xBDwmAAHr9fRvTO2zRgKEDeVzEjFuhZYoohj338BvdaLKG"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
anomalyadmin:
hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
reserved: false
opendistro_security_roles:
- "anomaly_full_access"
description: "Demo anomaly admin user, using internal role"
kibanaserver:
# hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
hash: "$2y$12$xFMwJISLbh2vh8xEUg0kguyGDZVyHyM65opF3Emvdq1Cmnj1hlUNS"
reserved: true
description: "Demo OpenSearch Dashboards user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo OpenSearch Dashboards read only user, using external role mapping"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user, using external role mapping"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user, using external role mapping"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user, using external role mapping"
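Review bot: only `admin` and `kibanaserver` have been given new hashes (the old `kibanaserver` hash is still there, commented out); `anomalyadmin`, `kibanaro`, `logstash`, `readall` and `snapshotrestore` keep the hashes from the upstream demo file, and their descriptions still say "Demo ... user". Demo passwords are public knowledge, so these accounts are a ready-made login for anyone who can reach port 9200 through the LB. Delete the accounts that are not used (they are all `reserved: false`, so the REST API can remove them), and give the ones that are used a fresh hash generated with the bundled hash tool; also drop the commented-out `kibanaserver` hash rather than leaving old credential material in the repository history.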


@ -0,0 +1,8 @@
_meta:
type: "nodesdn"
config_version: 2
# Define nodesdn mapping name and corresponding values
# cluster1:
# nodes_dn:
# - CN=*.example.com


@ -0,0 +1,228 @@
############## OpenSearch Security configuration ###############
###########################################################
# Add the following settings to your standard opensearch.yml
# alongside with the OpenSearch Security TLS settings.
# Settings must always be the same on all nodes in the cluster.
############## Common configuration settings ##############
# Specify a list of DNs which denote the other nodes in the cluster.
# This settings support wildcards and regular expressions
# The list of DNs are also read from security index **in addition** to the yml configuration if
# plugins.security.nodes_dn_dynamic_config_enabled is true.
# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.
plugins.security.nodes_dn:
- "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE"
- "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"
# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to
# manage the allowlisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs
# which provide means to update/retrieve nodesdn dynamically.
#
# NOTE: The overall allowlisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored
# in security index.
# (default: false)
# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.
plugins.security.nodes_dn_dynamic_config_enabled: false
# Defines the DNs (distinguished names) of certificates
# to which admin privileges should be assigned (mandatory)
plugins.security.authcz.admin_dn:
- "CN=kirk,OU=client,O=client,l=tEst, C=De"
# Define how backend roles should be mapped to Security roles
# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default)
# BACKENDROLES_ONLY - backend roles are mapped to Security roles directly. Settings in roles_mapping.yml have no effect.
# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition
plugins.security.roles_mapping_resolution: MAPPING_ONLY
############## REST Management API configuration settings ##############
# Enable or disable role based access to the REST management API
# Default is that no role is allowed to access the REST management API.
#plugins.security.restapi.roles_enabled: ["all_access","xyz_role"]
# Disable particular endpoints and their HTTP methods for roles.
# By default all endpoints/methods are allowed.
#plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: <array of http methods>
# Example:
#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"]
#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"]
# The following endpoints exist:
# ACTIONGROUPS
# CACHE
# CONFIG
# ROLES
# ROLESMAPPING
# INTERNALUSERS
# SYSTEMINFO
# PERMISSIONSINFO
############## Auditlog configuration settings ##############
# General settings
# Enable/disable rest request logging (default: true)
#plugins.security.audit.enable_rest: true
# Enable/disable transport request logging (default: false)
#plugins.security.audit.enable_transport: false
# Enable/disable bulk request logging (default: false)
# If enabled all subrequests in bulk requests will be logged too
#plugins.security.audit.resolve_bulk_requests: false
# Disable some categories
#plugins.security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"]
# Disable some requests (wildcard or regex of actions or rest request paths)
#plugins.security.audit.ignore_requests: ["indices:data/read/*","*_bulk"]
# Tune threadpool size, default is 10
#plugins.security.audit.threadpool.size: 10
# Tune threadpool max size queue length, default is 100000
#plugins.security.audit.threadpool.max_queue_len: 100000
# Ignore users, e.g. do not log audit requests from that users (default: no ignored users)
#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']"
# Destination of the auditlog events
plugins.security.audit.type: internal_opensearch
#plugins.security.audit.type: external_opensearch
#plugins.security.audit.type: debug
#plugins.security.audit.type: webhook
# external_opensearch settings
#plugins.security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']"
# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6')
#plugins.security.audit.config.index: auditlog6 # make sure you secure this index properly
#plugins.security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly
#plugins.security.audit.config.type: auditlog
#plugins.security.audit.config.username: auditloguser
#plugins.security.audit.config.password: auditlogpassword
#plugins.security.audit.config.enable_ssl: false
#plugins.security.audit.config.verify_hostnames: false
#plugins.security.audit.config.enable_ssl_client_auth: false
#plugins.security.audit.config.cert_alias: mycert
#plugins.security.audit.config.pemkey_filepath: key.pem
#plugins.security.audit.config.pemkey_content: <...pem base 64 content>
#plugins.security.audit.config.pemkey_password: secret
#plugins.security.audit.config.pemcert_filepath: cert.pem
#plugins.security.audit.config.pemcert_content: <...pem base 64 content>
#plugins.security.audit.config.pemtrustedcas_filepath: ca.pem
#plugins.security.audit.config.pemtrustedcas_content: <...pem base 64 content>
# webhook settings
#plugins.security.audit.config.webhook.url: "http://mywebhook/endpoint"
# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK
#plugins.security.audit.config.webhook.format: JSON
#plugins.security.audit.config.webhook.ssl.verify: false
#plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem
#plugins.security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content>
# log4j settings
#plugins.security.audit.config.log4j.logger_name: auditlogger
#plugins.security.audit.config.log4j.level: INFO
############## Kerberos configuration settings ##############
# If Kerberos authentication should be used you have to configure:
# The Path to the krb5.conf file
# Can be absolute or relative to the OpenSearch config directory
#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf'
# The Path to the keytab where the acceptor_principal credentials are stored.
# Must be relative to the OpenSearch config directory
#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'
# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
#plugins.security.kerberos.acceptor_principal: 'HTTP/localhost'
############## Advanced configuration settings ##############
# Enable transport layer impersonation
# Allow DNs (distinguished names) to impersonate as other users
#plugins.security.authcz.impersonation_dn:
# "CN=spock,OU=client,O=client,L=Test,C=DE":
# - worf
# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
# - user2
# - user1
# Enable rest layer impersonation
# Allow users to impersonate as other users
#plugins.security.authcz.rest_impersonation_user:
# "picard":
# - worf
# "john":
# - steve
# - martin
# If this is set to true OpenSearch Security will automatically initialize the configuration index
# with the files in the config directory if the index does not exist.
# WARNING: This will use well-known default passwords.
# Use only in a private network/environment.
#plugins.security.allow_default_init_securityindex: false
# If this is set to true then allow to startup with demo certificates.
# These are certificates issued by floragunn GmbH for demo purposes.
# WARNING: This certificates are well known and therefore unsafe
# Use only in a private network/environment.
#plugins.security.allow_unsafe_democertificates: false
# Password strength rules for password complexity.
# If you want to set up password strength rules for internal users, you can use the below settings for it.
# Password validation rules can be configured through regex. In the below regex example, a user must need
# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character. 
# And a custom error message can be configured, in case if a password is not created according to the password strength rule.   
# plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
# plugins.security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
############## Expert settings ##############
# WARNING: Expert settings, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
# or make OpenSearch Security stop working
# Name of the index where .opendistro_security stores its configuration.
#plugins.security.config_index_name: .opendistro_security
# This defines the OID of server node certificates
#plugins.security.cert.oid: '1.2.3.4.5.5'
# This specifies the implementation of org.opensearch.security.transport.InterClusterRequestEvaluator
# that is used to determine inter-cluster request.
# Instances of org.opensearch.security.transport.InterClusterRequestEvaluator must implement a single argument
# constructor that takes an org.opensearch.common.settings.Settings
#plugins.security.cert.intercluster_request_evaluator_class: org.opensearch.security.transport.DefaultInterClusterRequestEvaluator
# By default, normal users can restore snapshots if they have the priviliges 'cluster:admin/snapshot/restore',
# 'indices:admin/create', and 'indices:data/write/index' for the indices to be restored.
# To disable snapshot restore for normal users set 'plugins.security.enable_snapshot_restore_privilege: false'.
# This makes it so that only snapshot restore requests signed by an admin TLS certificate are accepted.
# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index
# If 'plugins.security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted.
#plugins.security.enable_snapshot_restore_privilege: true
#plugins.security.check_snapshot_restore_write_privileges: true
# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60)
#plugins.security.cache.ttl_minutes: 60
# Disable OpenSearch Security
# WARNING: This can expose your configuration (including passwords) to the public.
#plugins.security.disabled: false
# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role
# to be visible, listed in the plugins.security.protected_indices.roles setting.
# Enable protected indices
# plugins.security.protected_indices.enabled: true
# Specify a list of roles a user must be member of to touch any protected index.
# plugins.security.protected_indices.roles: ['all_access']
# Specify a list of indices to mark as protected. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role.
# plugins.security.protected_indices.indices: []
# System indices are similar to security index, except the contents are not encrypted.
# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices.
# Enable system indices
# plugins.security.system_indices.enabled: true
# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role.
# plugins.security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opensearch-notifications-*', '.opensearch-notebooks', '.opensearch-observability', '.opendistro-asynchronous-search-response*', '.replication-metadata-store']
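Review bot: the values in the active (uncommented) settings here are the upstream example's placeholders, not this cluster's: `plugins.security.nodes_dn` lists `*.example.com` / `node.other.com`, and `plugins.security.authcz.admin_dn` is `CN=kirk,OU=client,O=client,l=tEst, C=De`, which is the DN of the demo admin client certificate that this same file warns is "well known and therefore unsafe". If any part of this file is merged into a real opensearch.yml, both lists must be replaced with the DNs of the certificates actually issued for the three nodes and for the administrator (see the README appendix on extracting the exact DN with `-nameopt RFC2253`); otherwise whoever holds the demo `kirk` certificate is a super-admin on the cluster. `plugins.security.audit.type: internal_opensearch` is also live, which is fine, but it means the audit index is the one that needs protecting via `protected_indices` or `system_indices` a few lines further down.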


@ -0,0 +1,538 @@
_meta:
type: "roles"
config_version: 2
# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
reserved: true
# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
reserved: true
security_rest_api_full_access:
reserved: true
cluster_permissions:
- 'restapi:admin/actiongroups'
- 'restapi:admin/allowlist'
- 'restapi:admin/config/update'
- 'restapi:admin/internalusers'
- 'restapi:admin/nodesdn'
- 'restapi:admin/roles'
- 'restapi:admin/rolesmapping'
- 'restapi:admin/ssl/certs/info'
- 'restapi:admin/ssl/certs/reload'
- 'restapi:admin/tenants'
# Allows users to view monitors, destinations and alerts
alerting_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/get'
- 'cluster:admin/opendistro/alerting/destination/get'
- 'cluster:admin/opendistro/alerting/monitor/get'
- 'cluster:admin/opendistro/alerting/monitor/search'
- 'cluster:admin/opensearch/alerting/comments/search'
- 'cluster:admin/opensearch/alerting/findings/get'
- 'cluster:admin/opensearch/alerting/remote/indexes/get'
- 'cluster:admin/opensearch/alerting/workflow/get'
- 'cluster:admin/opensearch/alerting/workflow_alerts/get'
# Allows users to view and acknowledge alerts
alerting_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/*'
- 'cluster:admin/opendistro/alerting/chained_alerts/*'
- 'cluster:admin/opendistro/alerting/workflow_alerts/*'
- 'cluster:admin/opensearch/alerting/comments/*'
# Allows users to use all alerting functionality
alerting_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/*'
- 'cluster:admin/opensearch/alerting/*'
- 'cluster:admin/opensearch/notifications/feature/publish'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
- 'indices_monitor'
# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/ad/detector/info'
- 'cluster:admin/opendistro/ad/detector/search'
- 'cluster:admin/opendistro/ad/detector/validate'
- 'cluster:admin/opendistro/ad/detectors/get'
- 'cluster:admin/opendistro/ad/result/search'
- 'cluster:admin/opendistro/ad/result/topAnomalies'
- 'cluster:admin/opendistro/ad/tasks/search'
# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/ingest/pipeline/delete"
- "cluster:admin/ingest/pipeline/put"
- 'cluster:admin/opendistro/ad/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/fields/get'
- 'indices:admin/mappings/fields/get*'
- 'indices:admin/mappings/get'
- 'indices:admin/resolve/index'
- 'indices:admin/setting/put'
- 'indices:data/read/field_caps*'
- 'indices:data/read/search'
- 'indices_monitor'
# Allow users to execute read only k-NN actions
knn_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_stats_action'
# Allow users to use all k-NN functionality
knn_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_delete_model_action'
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_remove_model_from_cache_action'
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_stats_action'
- 'cluster:admin/knn_training_job_route_decision_info_action'
- 'cluster:admin/knn_training_job_router_action'
- 'cluster:admin/knn_training_model_action'
- 'cluster:admin/knn_update_model_graveyard_action'
- 'cluster:admin/knn_warmup_action'
# Allow users to execute read only ip2geo datasource action
ip2geo_datasource_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/geospatial/datasource/get'
# Allow users to use all ip2geo datasource action
ip2geo_datasource_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/geospatial/datasource/*'
# Allows users to read Notebooks
notebooks_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
# Allows users to all Notebooks functionality
notebooks_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/create'
- 'cluster:admin/opendistro/notebooks/delete'
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
- 'cluster:admin/opendistro/notebooks/update'
# Allows users to read observability objects
observability_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/observability/get'
# Allows users to all Observability functionality
observability_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/observability/create'
- 'cluster:admin/opensearch/observability/delete'
- 'cluster:admin/opensearch/observability/get'
- 'cluster:admin/opensearch/observability/update'
# Allows users to all PPL functionality
ppl_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ppl'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mappings/get'
- 'indices:data/read/search*'
- 'indices:monitor/settings/get'
# Allows users to read and download Reports
reports_instances_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to read and download Reports and Report-definitions
reports_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to all Reports functionality
reports_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/create'
- 'cluster:admin/opendistro/reports/definition/delete'
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/definition/on_demand'
- 'cluster:admin/opendistro/reports/definition/update'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to use all asynchronous-search functionality
asynchronous_search_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:data/read/search*'
# Allows users to read stored asynchronous-search results
asynchronous_search_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/get'
# Allows user to use all index_management actions - ism policies, rollups, transforms
index_management_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/opendistro/ism/*"
- "cluster:admin/opendistro/rollup/*"
- "cluster:admin/opendistro/transform/*"
- "cluster:admin/opensearch/controlcenter/lron/*"
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/feature/publish"
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/opensearch/ism/*'
- 'indices:internal/plugins/replication/index/stop'
# Allows users to use all cross cluster replication functionality at leader cluster
cross_cluster_replication_leader_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/read/plugins/replication/changes"
- "indices:data/read/plugins/replication/file_chunk"
# Allows users to use all cross cluster replication functionality at follower cluster
cross_cluster_replication_follower_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/status_check"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:data/write/plugins/replication/changes"
# Allows users to use all cross cluster search functionality at remote cluster
cross_cluster_search_remote_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/shards/search_shards'
- 'indices:data/read/search'
# Allow users to operate query assistant
query_assistant_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/config/get'
- 'cluster:admin/opensearch/ml/execute'
- 'cluster:admin/opensearch/ml/predict'
- 'cluster:admin/opensearch/ppl'
# Allow users to read ML stats/models/tasks
ml_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/config/get'
- 'cluster:admin/opensearch/ml/connectors/get'
- 'cluster:admin/opensearch/ml/connectors/search'
- 'cluster:admin/opensearch/ml/controllers/get'
- 'cluster:admin/opensearch/ml/memory/conversation/get'
- 'cluster:admin/opensearch/ml/memory/conversation/interaction/search'
- 'cluster:admin/opensearch/ml/memory/conversation/list'
- 'cluster:admin/opensearch/ml/memory/conversation/search'
- 'cluster:admin/opensearch/ml/memory/interaction/get'
- 'cluster:admin/opensearch/ml/memory/interaction/list'
- 'cluster:admin/opensearch/ml/memory/trace/get'
- 'cluster:admin/opensearch/ml/model_groups/get'
- 'cluster:admin/opensearch/ml/model_groups/search'
- 'cluster:admin/opensearch/ml/models/get'
- 'cluster:admin/opensearch/ml/models/search'
- 'cluster:admin/opensearch/ml/profile/nodes'
- 'cluster:admin/opensearch/ml/stats/nodes'
- 'cluster:admin/opensearch/ml/tasks/get'
- 'cluster:admin/opensearch/ml/tasks/search'
- 'cluster:admin/opensearch/ml/tools/get'
- 'cluster:admin/opensearch/ml/tools/list'
# Allows users to use all ML functionality
ml_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
# Allows users to use all Notifications functionality
notifications_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/*'
# Allows users to read Notifications config/channels
notifications_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/channels/get'
- 'cluster:admin/opensearch/notifications/configs/get'
- 'cluster:admin/opensearch/notifications/features'
# Allows users to use all snapshot management functionality
snapshot_management_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/feature/publish'
- 'cluster:admin/opensearch/snapshot_management/*'
- 'cluster:admin/repository/*'
- 'cluster:admin/snapshot/*'
# Allows users to see snapshots, repositories, and snapshot management policies
snapshot_management_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/snapshot_management/policy/explain'
- 'cluster:admin/opensearch/snapshot_management/policy/get'
- 'cluster:admin/opensearch/snapshot_management/policy/search'
- 'cluster:admin/repository/get'
- 'cluster:admin/snapshot/get'
# Allows user to use point in time functionality
point_in_time_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'manage_point_in_time'
# Allows users to see security analytics detectors and others
security_analytics_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/get'
- 'cluster:admin/opensearch/securityanalytics/correlationAlerts/get'
- 'cluster:admin/opensearch/securityanalytics/correlations/findings'
- 'cluster:admin/opensearch/securityanalytics/correlations/list'
- 'cluster:admin/opensearch/securityanalytics/detector/get'
- 'cluster:admin/opensearch/securityanalytics/detector/search'
- 'cluster:admin/opensearch/securityanalytics/findings/get'
- 'cluster:admin/opensearch/securityanalytics/logtype/search'
- 'cluster:admin/opensearch/securityanalytics/mapping/get'
- 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
- 'cluster:admin/opensearch/securityanalytics/rule/get'
- 'cluster:admin/opensearch/securityanalytics/rule/search'
- 'cluster:admin/opensearch/securityanalytics/threatintel/alerts/get'
- 'cluster:admin/opensearch/securityanalytics/threatintel/iocs/findings/get'
- 'cluster:admin/opensearch/securityanalytics/threatintel/iocs/list'
- 'cluster:admin/opensearch/securityanalytics/threatintel/monitors/search'
- 'cluster:admin/opensearch/securityanalytics/threatintel/sources/get'
- 'cluster:admin/opensearch/securityanalytics/threatintel/sources/search'
# Allows users to use all security analytics functionality
security_analytics_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/*'
- 'cluster:admin/opensearch/securityanalytics/connections/*'
- 'cluster:admin/opensearch/securityanalytics/correlationAlerts/*'
- 'cluster:admin/opensearch/securityanalytics/correlations/*'
- 'cluster:admin/opensearch/securityanalytics/detector/*'
- 'cluster:admin/opensearch/securityanalytics/findings/*'
- 'cluster:admin/opensearch/securityanalytics/logtype/*'
- 'cluster:admin/opensearch/securityanalytics/mapping/*'
- 'cluster:admin/opensearch/securityanalytics/rule/*'
- 'cluster:admin/opensearch/securityanalytics/threatintel/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mapping/put'
- 'indices:admin/mappings/get'
# Allows users to view and acknowledge alerts
security_analytics_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/*'
- 'cluster:admin/opensearch/securityanalytics/correlationAlerts/*'
- 'cluster:admin/opensearch/securityanalytics/threatintel/alerts/*'
# Allows users to use all Flow Framework functionality
flow_framework_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/flow_framework/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
- 'indices_monitor'
# Allow users to read flow framework's workflows and their state
flow_framework_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/flow_framework/workflow/get'
- 'cluster:admin/opensearch/flow_framework/workflow/search'
- 'cluster:admin/opensearch/flow_framework/workflow_state/get'
- 'cluster:admin/opensearch/flow_framework/workflow_state/search'
- 'cluster:admin/opensearch/flow_framework/workflow_step/get'
# Allows users to use all query insights APIs
query_insights_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/insights/top_queries/*'
index_permissions:
- index_patterns:
- 'top_queries_by_*'
allowed_actions:
- "indices_all"
# Allow users to execute read only LTR actions
ltr_read_access:
reserved: true
cluster_permissions:
- cluster:admin/ltr/caches/stats
- cluster:admin/ltr/featurestore/list
- cluster:admin/ltr/stats
# Allow users to execute all LTR actions
ltr_full_access:
reserved: true
cluster_permissions:
- cluster:admin/ltr/*
# Allow users to use all Search Relevance functionalities
search_relevance_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/search_relevance/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mappings/get'
- 'indices:data/read/search*'
# Allow users to read Search Relevance resources
search_relevance_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/search_relevance/experiment/get'
- 'cluster:admin/opensearch/search_relevance/judgment/get'
- 'cluster:admin/opensearch/search_relevance/queryset/get'
- 'cluster:admin/opensearch/search_relevance/search_configuration/get'
# Allow users to read Forecast resources
forecast_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/plugin/forecast/forecaster/info'
- 'cluster:admin/plugin/forecast/forecaster/stats'
- 'cluster:admin/plugin/forecast/forecaster/suggest'
- 'cluster:admin/plugin/forecast/forecaster/validate'
- 'cluster:admin/plugin/forecast/forecasters/get'
- 'cluster:admin/plugin/forecast/forecasters/info'
- 'cluster:admin/plugin/forecast/forecasters/search'
- 'cluster:admin/plugin/forecast/result/topForecasts'
- 'cluster:admin/plugin/forecast/tasks/search'
index_permissions:
- index_patterns:
- 'opensearch-forecast-result*'
allowed_actions:
- 'indices:admin/mappings/fields/get*'
- 'indices:admin/resolve/index'
- 'indices:data/read*'
# Allows users to use all Forecasting functionality
forecast_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/plugin/forecast/*'
- 'cluster:admin/settings/update'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mapping/get'
- 'indices:admin/mapping/put'
- 'indices:admin/mappings/fields/get*'
- 'indices:admin/mappings/get'
- 'indices:admin/resolve/index'
- 'indices:data/read*'
- 'indices:data/read/field_caps*'
- 'indices:data/read/search'
- 'indices:data/write*'
- 'indices_monitor'


@ -0,0 +1,49 @@
---
# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml
_meta:
type: "rolesmapping"
config_version: 2
# Define your roles mapping here
## Demo roles mapping
all_access:
reserved: false
backend_roles:
- "admin"
description: "Maps admin to all_access"
own_index:
reserved: false
users:
- "*"
description: "Allow full access to an index named like the username"
logstash:
reserved: false
backend_roles:
- "logstash"
kibana_user:
reserved: false
backend_roles:
- "kibanauser"
description: "Maps kibanauser to kibana_user"
readall:
reserved: false
backend_roles:
- "readall"
manage_snapshots:
reserved: false
backend_roles:
- "snapshotrestore"
kibana_server:
reserved: true
users:
- "kibanaserver"
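Review bot: `own_index` maps `users: "*"` with `reserved: false`, so every authenticated user is granted full access to an index named after their username, and the demo mappings for `logstash`, `readall` and `manage_snapshots` (backend roles `logstash`, `readall`, `snapshotrestore`) are carried over unchanged even though the README disables the demo security configuration elsewhere. Suggest removing the mappings this cluster does not use, and confirming that the `admin` backend role mapped to `all_access` is actually issued by the configured authentication backend, since `reserved: false` leaves that mapping editable through the security REST API by any holder of `security_rest_api_access`.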


@ -0,0 +1,11 @@
---
_meta:
type: "tenants"
config_version: 2
# Define your tenants here
## Demo tenants
admin_tenant:
reserved: false
description: "Demo tenant for admin user"
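Review bot: `admin_tenant` is the stock demo tenant (its own description says so). If multi-tenancy is not used in this deployment, drop it; if it is, rename and describe the real tenant set so the committed file documents the intended configuration rather than the sample.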

Binary file not shown.

opensearch/opensearch.yml Normal file

@ -0,0 +1,73 @@
# ======================== OpenSearch Configuration =========================
# 클러스터 이름. 모든 노드가 동일해야 함.
cluster.name: ds-cluster
# 노드 이름. 각 노드마다 고유해야 함.
node.name: ds-osnode001.oneunivrs.com
# 마스터 노드 및 데이터 노드 역할 부여
node.roles: [ cluster_manager, data ]
# 데이터와 로그 파일 경로 지정
path.data: /data/opensearch/data
path.logs: /data/opensearch/logs
# 스와핑 방지를 위한 메모리 잠금 (성능 향상)
bootstrap.memory_lock: true
# 네트워크 설정
# 모든 네트워크 인터페이스에서 접속 허용. 외부/내부 통신 모두 처리.
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# 클러스터 구성을 위한 노드 탐색 설정 (내부 DNS 사용)
discovery.seed_hosts:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# 클러스터 최초 구동 시 마스터 후보 노드 목록 (내부 DNS 사용)
cluster.initial_cluster_manager_nodes:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# ======================== Security Plugin Configuration ========================
plugins.security.ssl.transport.enabled: true # 노드 간 통신(9300) TLS 활성화
plugins.security.ssl.transport.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.transport.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root.pem
plugins.security.ssl.transport.enforce_hostname_verification: false # 호스트 이름 검증 비활성화 (권장사항은 true 이나, 초기 설정 편의를 위해 false)
plugins.security.ssl.http.enabled: true # HTTP API(9200) TLS(HTTPS) 활성화
plugins.security.ssl.http.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.http.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root.pem
# 클러스터에 참여할 수 있는 노드의 DN(Distinguished Name) 목록
# O 필드의 쉼표(,)는 백슬래시 두 개(\\)로 이스케이프 처리
plugins.security.nodes_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
# 관리자 권한을 가질 사용자의 DN 목록
plugins.security.authcz.admin_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
# 보안 플러그인 초기화 시 데모 설정 비활성화
plugins.security.allow_unsafe_democertificates: false
# 최초 구동 시 .opensearch-observability, .opensearch-notifications-config 인덱스 생성 허용
plugins.security.unsupported.allow_now_in_dls: true
# 최초 구동 시 보안 인덱스 자동 생성 허용
plugins.security.allow_default_init_securityindex: true
# 감사 로그를 내부 OpenSearch 인덱스에 기록
plugins.security.audit.type: internal_opensearch
#plugins.security.audit.config.log_external_config: false
#plugins.security.audit.config.log_internal_config: false
#plugins.security.audit.config.log_security_config: false
# REST API를 통해 역할(Role)을 관리할 수 있도록 허용
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
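Review bot: `plugins.security.authcz.admin_dn` is identical to `plugins.security.nodes_dn` and both use the wildcard `CN=*.oneunivrs.com`, so any certificate that qualifies as a node certificate is also a full administrator certificate: a client presenting the shared `certs/oneunivrs.pem`/`certs/oneunivrs_key.pem` on port 9200 is treated as a superuser and can run `securityadmin.sh`. Issue a dedicated admin certificate with a DN that does not match the node wildcard and list only that DN under `admin_dn`. Two smaller points: the comment above `plugins.security.unsupported.allow_now_in_dls: true` talks about creating the `.opensearch-observability` and `.opensearch-notifications-config` indices, but that setting only permits the `now` keyword in document-level security queries, so either correct the comment or drop the setting if it is not needed; and since `network.host: 0.0.0.0` is combined with `enforce_hostname_verification: false`, ports 9200/9300 should be reachable only from the LB and the node subnet (10.0.10.0/24 per the README) by firewall rule.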


@ -0,0 +1,155 @@
# ======================== OpenSearch Configuration =========================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.opensearch.org
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/opensearch
#
# Path to log files:
#
path.logs: /var/log/opensearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_data_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Remote Store -----------------------------------
# Controls whether cluster imposes index creation only with remote store enabled
# cluster.remote_store.enabled: true
#
# Repository to use for segment upload while enforcing remote store for an index
# node.attr.remote_store.segment.repository: my-repo-1
#
# Repository to use for translog upload while enforcing remote store for an index
# node.attr.remote_store.translog.repository: my-repo-1
#
# ---------------------------------- Experimental Features -----------------------------------
# Gates the visibility of the experimental segment replication features until they are production ready.
#
#opensearch.experimental.feature.segment_replication_experimental.enabled: false
#
# Gates the functionality of a new parameter to the snapshot restore API
# that allows for creation of a new index type that searches a snapshot
# directly in a remote repository without restoring all index data to disk
# ahead of time.
#
#opensearch.experimental.feature.searchable_snapshot.enabled: false
#
#
# Gates the functionality of enabling extensions to work with OpenSearch.
# This feature enables applications to extend features of OpenSearch outside of
# the core.
#
#opensearch.experimental.feature.extensions.enabled: false
#
#
# Gates the optimization of datetime formatters caching along with change in default datetime formatter
# Once there is no observed impact on performance, this feature flag can be removed.
#
#opensearch.experimental.optimization.datetime_formatter_caching.enabled: false
######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
.plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
.plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
.plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
.opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
.opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
.opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
.geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
.plugins-flow-framework-state, .plugins-search-relevance-experiment, .plugins-search-relevance-judgment-cache]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
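Review bot: this second `opensearch.yml` still carries the stock demo security block (`plugins.security.allow_unsafe_democertificates: true`, `esnode.pem`/`root-ca.pem` and the well-known admin DN `CN=kirk,OU=client,O=client,L=test,C=de`), which contradicts the hardened `opensearch/opensearch.yml` in the same commit (`allow_unsafe_democertificates: false`, oneunivrs DNs, `/data/opensearch` paths; `path.data` here is `/var/lib/opensearch`). If this is the installer's original file kept for reference, name it as such (for example with an `.orig` suffix) and say so in the README; otherwise remove it so the demo certificates and the `kirk` admin DN are never copied onto a production node.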


@ -0,0 +1,2 @@
#!/bin/bash
sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/etc/opensearch/opensearch-security" -icl -key "/etc/opensearch/kirk-key.pem" -cert "/etc/opensearch/kirk.pem" -cacert "/etc/opensearch/root-ca.pem" -nhnv
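Review bot: the `securityadmin.sh` call points `-key`, `-cert` and `-cacert` at the demo `kirk-key.pem`, `kirk.pem` and `root-ca.pem` under `/etc/opensearch`, but the hardened `opensearch/opensearch.yml` in this commit lists only the `oneunivrs` wildcard DN in `plugins.security.authcz.admin_dn` and sets `allow_unsafe_democertificates: false`, so with that configuration this script's certificate will not be accepted as an admin certificate. Point the three options at the admin certificate that actually matches `admin_dn` (the files under `certs/`, or better a dedicated admin certificate), prefer `-cn ds-cluster` over `-icl` so the script only ever targets the intended cluster, and plan to drop `-nhnv` once the certificates' SANs cover the node names so hostname verification can stay on.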