At SAS, we use and contribute to a wide range of open source projects. This series – SAS Contributes – highlights how our teams give back to the open source community. In this installment, we’re focusing on OpenSearch.
If you’ve ever sifted through thousands of system logs or product reviews to find a single phrase, you’ve experienced the kind of challenge OpenSearch was designed to solve.
Unlike traditional databases that store structured data in neat rows and columns, OpenSearch is built for unstructured data – massive amounts of text, logs and documents.
“OpenSearch is good at storing that data and then being able to search on it.
We use it on my side for monitoring SAS Viya, collecting all the log messages and allowing administrators to find messages of interest.”
— Greg Smith, Principal Software Developer
Other SAS teams apply it in different ways. Visual Investigator uses OpenSearch to power everything from text and fuzzy searches to geographic lookups and graph-style visualizations. The Risk and Information Catalog also depends on it for various tasks.
Why SAS got involved
SAS’ relationship with OpenSearch has roots in its predecessor, Elasticsearch. Once security features like document-level security controls became premium Elasticsearch add-ons, SAS turned to a commercial plugin, Search Guard, to implement this functionality.
Then Amazon forked Elasticsearch and created OpenSearch, which inherited much of the Search Guard code. For SAS, this fork represented both a fresh start and a chance to shape the future. OpenSearch’s transfer to the Linux Foundation cemented its status as a truly community-driven project – an environment SAS wanted to support and help strengthen.
“At that time, we weren’t just licensing Search Guard – we were already finding bugs, sending fixes, and working directly with their team. So, in a sense, we’d been contributing all along. Now, with OpenSearch open source, it’s just easier.”
— Terry Quigley, Principal Software Developer
SAS' contributions to open-source search
At the heart of SAS’ involvement lies a deep focus on security and compliance. Early on, the team undertook the extensive work required for the security plugin, aiming for FIPS 140-2 compliance – a daunting yet critical benchmark for many enterprise environments. This involved updating hashing algorithms, refining certificate handling, and ensuring seamless integration with trusted libraries such as Bouncy Castle. Bug fixes and enhancements even reached into related projects such as Password4J, helping the entire OpenSearch downstream ecosystem become more robust.
The team also contributed to Helm charts, streamlining Kubernetes deployments so users could more easily spin up and scale OpenSearch clusters. These improvements lowered the barrier for organizations to adopt OpenSearch securely, regardless of the complexity of their infrastructure.
Active participation in plugin meetings became a cornerstone of their engagement, working alongside contributors from Amazon, SAP and other industry leaders. This ongoing dialogue fueled collaboration on crucial issues, such as newly discovered vulnerabilities, major upgrades – including those involving Java and OpenSAML – and the integration of new features.
Investing in OpenSearch is not just about advancing a product; it’s about strengthening an open, collaborative ecosystem that benefits everyone involved.
“Like in any project, but especially in open source projects, they say to start you should pick something simple. This was kind of the opposite. This is like 'pick possibly the most difficult thing to get your head around and a really massive project with hundreds of repositories and do that.'"
— Terry Quigley, Principal Software Developer
Why contribute?
The question naturally arises: Why not keep these advancements private, using them as a competitive edge? Sustainability was a major concern; maintaining a private fork of OpenSearch would have meant rebuilding and merging changes every six weeks, a workload that quickly proved unmanageable.
“If it was just internal, the cost of eternal vigilance would all be on SAS. In open source, we share that responsibility – and it’s the right thing to do.”
— Craig McNulty, Manager, Software Development
And, by contributing openly, quality was never compromised. Public collaboration brought in a wider range of reviewers and perspectives, helping to catch subtle mistakes before they could become real problems.
The commitment to open collaboration not only lightened the load but also reinforced the values, like fairness, that drive both SAS and the wider community.
“SAS uses a lot of open source software. It seems only fair and right that we should contribute back.”
— Terry Quigley, Principal Software Developer
Benefits for SAS and the community
Through open collaboration, SAS ensured its products met rigorous FIPS standards, offering customers heightened trust and compliance, while also sharing these security enhancements with the entire community.
Engaging directly with OpenSearch’s diverse user base gave SAS unique insights into how organizations deploy the technology. This means we can spot potential issues early and respond proactively.
“What we’ve put into it, others will build on in the future. That groundwork makes things easier for everyone – including us.”
— Stewart Brown, Software Developer
Looking ahead
From securing searches to strengthening compliance across SAS® Viya®, OpenSearch has become woven into the fabric of SAS solutions. Contributing to its growth ensures that both SAS and the broader community continue to benefit.
“We can’t scale to solve bigger problems unless we work with people we may think of as competitors.”
— Craig McNulty, Manager, Software Development
1 Comment
While there's a long list of people to thank for getting us to this point - the core SAS team of Terry Quigley, Dan Cecoi, Stewart Brown and Gareth Kelly have been particularly instrumental in delivering FIPS compliance. Hats off to them!