Skip to main content

Aiven for OpenSearch® limits and limitations

Aiven for OpenSearch® has configuration, API, and feature restrictions that differ from upstream OpenSearch to maintain service stability and security.

Configuration restrictions

You cannot directly modify OpenSearch configuration files or settings in Aiven for OpenSearch. These restrictions apply:

RestrictionDescription
No shell accessYou cannot access or modify YAML configuration files
JVM tuningYou cannot modify JVM options directly
Advanced configurationOnly supported options are available through Advanced configuration in the Aiven Console
Configuration filesYou cannot access or modify static configuration files

To request support for additional configuration options, contact Aiven support.

Connection requirements

All connections to Aiven for OpenSearch must meet these requirements:

RequirementDetails
ProtocolHTTPS only
AuthenticationUser authentication always required
AuthorizationManaged using Aiven ACLs or OpenSearch Security (when security management is enabled)

API restrictions

Aiven restricts access to certain OpenSearch APIs to maintain service stability and security. Attempting to access blocked endpoints returns a 403 Forbidden - Request forbidden by administrative rules error.

API endpointAllowed methodsRestrictions
/_cluster/*GET onlyLimited to specific read-only endpoints; all other /_cluster/ endpoints are blocked
/_tasksGET onlyView tasks only; you cannot cancel tasks using /_tasks/_cancel
/_nodesGET onlyRead-only access to node information
/_snapshotNoneAutomated by Aiven; no direct access
/_cat/repositoriesNoneNo access allowed

Allowed cluster endpoints

You can access these read-only cluster endpoints:

  • /_cluster/allocation/explain/
  • /_cluster/health/
  • /_cluster/pending_tasks/
  • /_cluster/stats/
  • /_cluster/state/
  • /_cluster/settings/

Snapshot management

FeatureBehavior
Automated snapshotsDaily or hourly snapshots managed automatically by Aiven
API accessYou cannot access the snapshot API directly without configuring custom repositories
OpenSearch API
Dashboard limitationsDashboard suggestions for snapshot management that require configuration file changes cannot be completed

See snapshot management limitations for details.

Plugin restrictions

You can only use pre-approved plugins with Aiven for OpenSearch.

AspectDetails
Supported pluginsOnly a defined set of plugins is available
Custom pluginsYou cannot install custom plugins
Plugin listSee available plugins

To request support for additional plugins, contact Aiven support.

Access control models

Security management disabled (default)

FeatureBehavior
User managementYou manage users through Aiven API, CLI, Console, or Terraform
Access controlYou configure access using Aiven ACLs
Permission scopeIndex-level access only
User equalityAll service users have equal privileges within their ACL permissions
Dashboard tenancyPrivate dashboards per user plus global dashboards
Password changesPassword changes you make in the dashboard reset within 24 hours

Security management enabled

FeatureBehavior
User managementYou manage users directly in OpenSearch using OpenSearch Security API or dashboard
Access controlYou configure access using OpenSearch Security roles and permissions
Permission scopeDocument-level access control available
Dashboard tenancyFull multi-tenancy support
External authenticationSAML and OpenID Connect supported
Aiven API supportLimited; displays state at enablement time only
warning

You cannot reverse security management after you enable it. Once enabled, you manage all users and permissions directly in OpenSearch.

note

The security plugin is always present in Aiven for OpenSearch. Security management is an additional feature you can enable to gain full control over security configurations.

ACL limitations

Security plugin services

ACL typeBehavior
Index patternsConverted to OpenSearch Security roles with appropriate permissions
Top-level APIsIgnored; OpenSearch Security enforces index-level permissions
Access levelsMapped to predefined action groups (admin, read, write)

ACL access levels

ACL levelPermissions granted
adminFull access to matching indices
readRead-only access to matching indices
writeWrite access to matching indices
readwriteRead and write access to matching indices

Reserved users

Aiven creates and manages these special users. You cannot delete or modify their permissions.

UsernamePurpose
avnadminDefault administrator user for your service
metrics_user_datadogMetrics collection by Datadog integration
osd_internal_userInternal OpenSearch Dashboards operations
replication_userCross-cluster replication
os-sec-adminSecurity management access (created when you enable security management)

Reserved roles

You cannot modify the reserved roles.

Role namePurpose
service_security_admin_accessGrants access to security management API and dashboard
provider_service_userBase permissions for all service users
provider_index_all_accessFull index access (when ACLs are disabled)
provider_managed_user_role_<username>Individual user permissions (when ACLs are enabled)

Unsupported features

These OpenSearch features are not supported in Aiven for OpenSearch:

FeatureStatusNotes
Machine Learning (ML)Not supportedRequires dedicated ML nodes; available on request
gRPC transport layerNot supportedHigh-speed data ingestion not available
Ingest pipelines managementNot supportedYou cannot manage ingest pipelines through Aiven
Data PrepperNot supportedNot available in managed service
Tiered storageNot supportedSearchable snapshots planned for future release

To request support for ML features, contact Aiven support.

Known issues and limitations

Security dashboard

IssueDescription
Get started sectionMost content is not applicable to Aiven for OpenSearch; only multi-tenancy section applies
Configuration file instructionsDashboard help text references configuration file modifications that you cannot perform in managed services
Password changesWhen security management is disabled, password changes in the dashboard reset within 24 hours

Security management

IssueDescriptionSolution
REST API permissionsYou cannot create roles with REST API permissionsMap your users to the service_security_admin_access role
Self-lockoutYou can unmap yourself from security admin roleContact Aiven support to remap the os-sec-admin user
os-sec-admin deletionYou cannot delete the os-sec-admin userUser remains but you can unmap it from admin role

Permissions model

BehaviorDescription
Multiple permissions per requestSingle API requests often require multiple permissions
Index creationWriting to non-existent index requires both write and create permissions
Error messagesPermission errors specify the missing permission in error.root_cause

Differences from upstream OpenSearch

FeatureUpstream OpenSearchAiven for OpenSearch
Configuration filesDirect file accessYou manage configuration using Advanced configuration options
Snapshot managementFull API accessAutomated; you cannot access the API directly
Security pluginOptionalAlways enabled
User managementDirect configurationYou manage users using Aiven tools or Security API (when security management is enabled)
Cluster settingsFull API accessLimited to approved settings using Advanced configuration
Plugin installationInstall any pluginOnly pre-approved plugins available
API accessFull access to all APIsRestricted access to certain management APIs
JVM tuningDirect access to JVM optionsNot available

Elasticsearch compatibility

Aiven for OpenSearch diverged from Elasticsearch 7 and is not compatible with Elasticsearch-specific features.

AspectDetails
Client librariesYou must use OpenSearch-compatible client libraries
APIsElasticsearch-specific APIs are not supported
Query languageQuery syntax differs from Elasticsearch
MigrationVerify compatibility when migrating from Elasticsearch

Service tiers and quotas

For information about service-specific limits based on your plan, see:

Related pages