For example, the following configuration grants three roles access to the REST API, but then prevents `test-role` from making PUT, POST, DELETE, or PATCH requests to `_opensearch/_security/api/roles` or `_opensearch/_security/api/internalusers`:
You can mark users, role, role mappings, and action groups as reserved. Resources that have this flag set to true can't be changed using the REST API or OpenSearch Dashboards.
To mark a resource as reserved, add the following flag:
Likewise, you can mark users, role, role mappings, and action groups as hidden. Resources that have this flag set to true are not returned by the REST API and not visible in OpenSearch Dashboards:
To add or remove these flags, you need to modify `plugins/opensearch-security/securityconfig/internal_users.yml` and run `plugins/opensearch-security/tools/securityadmin.sh`.
These calls let you create, update, and delete internal users. If you use an external authentication backend, you probably don't need to worry about internal users.
### Get user
#### Request
```
GET _opensearch/_security/api/internalusers/<username>
Creates or replaces the specified user. You must specify either `password` (plain text) or `hash` (the hashed user password). If you specify `password`, the security plugin automatically hashes the password before storing it.
Note that any role you supply in the `opensearch_security_roles` array must already exist for the security plugin to map the user to that role. To see predefined roles, refer to [the list of predefined roles](../users-roles/#predefined-roles). For instructions on how to create a role, refer to [creating a role](./#create-role).
#### Request
```json
PUT _opensearch/_security/api/internalusers/<username>
Add, delete, or modify multiple tenants in a single call.
#### Request
```json
PATCH _opensearch/_security/api/tenants/
[
{
"op": "replace",
"path": "/human_resources/description",
"value": "An updated description"
},
{
"op": "add",
"path": "/another_tenant",
"value": {
"description": "Another description."
}
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
## Configuration
### Get configuration
Retrieves the current security plugin configuration in JSON format.
#### Request
```
GET _opensearch/_security/api/securityconfig
```
### Update configuration
Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
#### Request
```json
PUT _opensearch/_security/api/securityconfig/config
"description": "Authenticate via HTTP Basic against internal users database"
}
},
"auth_failure_listeners": {},
"do_not_fail_on_forbidden": false,
"multi_rolespan_enabled": true,
"hosts_resolver_mode": "ip-only",
"do_not_fail_on_forbidden_empty": false
}
}
```
#### Sample response
```json
{
"status": "OK",
"message": "'config' updated."
}
```
### Patch configuration
Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
Retrieves the current security plugin configuration in JSON format.
#### Request
```
GET _opensearch/_security/api/securityconfig
```
### Update configuration
Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
#### Request
```json
PUT _opensearch/_security/api/securityconfig/config
"description": "Authenticate via HTTP Basic against internal users database"
}
},
"auth_failure_listeners": {},
"do_not_fail_on_forbidden": false,
"multi_rolespan_enabled": true,
"hosts_resolver_mode": "ip-only",
"do_not_fail_on_forbidden_empty": false
}
}
```
#### Sample response
```json
{
"status": "OK",
"message": "'config' updated."
}
```
### Patch configuration
Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
Flushes the security plugin user, authentication, and authorization cache.
#### Request
```
DELETE _opensearch/_security/api/cache
```
#### Sample response
```json
{
"status": "OK",
"message": "Cache flushed successfully."
}
```
---
## Health
### Health check
Checks to see if the security plugin is up and running. If you operate your cluster behind a load balancer, this operation is useful for determining node health and doesn't require a signed request.