2021-05-28 13:48:19 -04:00
---
layout: default
title: API
2021-09-21 15:34:59 -04:00
parent: Access control
2021-05-28 13:48:19 -04:00
nav_order: 90
---
# API
The security plugin REST API lets you programmatically create and manage users, roles, role mappings, action groups, and tenants.
---
#### Table of contents
1. TOC
{:toc}
---
## Access control for the API
Just like OpenSearch permissions, you control access to the security plugin REST API using roles. Specify roles in `opensearch.yml` :
```yml
2021-06-08 18:35:12 -04:00
plugins.security.restapi.roles_enabled: ["< role > ", ...]
2021-05-28 13:48:19 -04:00
```
These roles can now access all APIs. To prevent access to certain APIs:
```yml
2021-06-08 18:35:12 -04:00
plugins.security.restapi.endpoints_disabled.< role > .< endpoint > : ["< method > ", ...]
2021-05-28 13:48:19 -04:00
```
Possible values for `endpoint` are:
- ACTIONGROUPS
- ROLES
- ROLESMAPPING
- INTERNALUSERS
- CONFIG
- CACHE
- LICENSE
- SYSTEMINFO
Possible values for `method` are:
- GET
- PUT
- POST
- DELETE
- PATCH
2021-06-10 14:15:44 -04:00
For example, the following configuration grants three roles access to the REST API, but then prevents `test-role` from making PUT, POST, DELETE, or PATCH requests to `_plugins/_security/api/roles` or `_plugins/_security/api/internalusers` :
2021-05-28 13:48:19 -04:00
```yml
2021-06-08 18:35:12 -04:00
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "test-role"]
plugins.security.restapi.endpoints_disabled.test-role.ROLES: ["PUT", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.test-role.INTERNALUSERS: ["PUT", "POST", "DELETE", "PATCH"]
2021-05-28 13:48:19 -04:00
```
To use the PUT and PATCH methods for the [configuration APIs ](#configuration ), add the following line to `opensearch.yml` :
```yml
2021-06-08 18:35:12 -04:00
plugins.security.unsupported.restapi.allow_securityconfig_modification: true
2021-05-28 13:48:19 -04:00
```
## Reserved and hidden resources
You can mark users, role, role mappings, and action groups as reserved. Resources that have this flag set to true can't be changed using the REST API or OpenSearch Dashboards.
To mark a resource as reserved, add the following flag:
```yml
kibana_user:
reserved: true
```
Likewise, you can mark users, role, role mappings, and action groups as hidden. Resources that have this flag set to true are not returned by the REST API and not visible in OpenSearch Dashboards:
```yml
kibana_user:
hidden: true
```
Hidden resources are automatically reserved.
2022-04-14 22:43:08 -04:00
To add or remove these flags, modify `config/opensearch-security/internal_users.yml` and run `plugins/opensearch-security/tools/securityadmin.sh` .
2021-05-28 13:48:19 -04:00
---
## Account
### Get account details
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Returns account details for the current user. For example, if you sign the request as the `admin` user, the response includes details for that user.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/account
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"user_name": "admin",
"is_reserved": true,
"is_hidden": false,
"is_internal_user": true,
"user_requested_tenant": null,
"backend_roles": [
"admin"
],
"custom_attribute_names": [],
"tenants": {
"global_tenant": true,
"admin_tenant": true,
"admin": true
},
"roles": [
"all_access",
"own_index"
]
}
```
### Change password
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Changes the password for the current user.
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/account
2021-05-28 13:48:19 -04:00
{
"current_password" : "old-password",
"password" : "new-password"
}
```
#### Sample response
```json
{
"status": "OK",
"message": "'test-user' updated."
}
```
---
## Action groups
### Get action group
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves one action group.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/actiongroups/< action-group >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"custom_action_group": {
"reserved": false,
"hidden": false,
"allowed_actions": [
"kibana_all_read",
"indices:admin/aliases/get",
"indices:admin/aliases/exists"
],
"description": "My custom action group",
"static": false
}
}
```
### Get action groups
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves all action groups.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/actiongroups/
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"read": {
"reserved": true,
"hidden": false,
"allowed_actions": [
"indices:data/read*",
"indices:admin/mappings/fields/get*"
],
"type": "index",
"description": "Allow all read operations",
"static": true
},
...
}
```
### Delete action group
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
#### Request
```
2021-06-10 14:15:44 -04:00
DELETE _plugins/_security/api/actiongroups/< action-group >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status":"OK",
"message":"actiongroup SEARCH deleted."
}
```
### Create action group
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or replaces the specified action group.
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/actiongroups/< action-group >
2021-05-28 13:48:19 -04:00
{
"allowed_actions": [
"indices:data/write/index*",
"indices:data/write/update*",
"indices:admin/mapping/put",
"indices:data/write/bulk*",
"read",
"write"
]
}
```
#### Sample response
```json
{
"status": "CREATED",
"message": "'my-action-group' created."
}
```
### Patch action group
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Updates individual attributes of an action group.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/actiongroups/< action-group >
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/allowed_actions", "value": ["indices:admin/create", "indices:admin/mapping/put"]
}
]
```
#### Sample response
```json
{
"status":"OK",
"message":"actiongroup SEARCH deleted."
}
```
### Patch action groups
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates, updates, or deletes multiple action groups in a single call.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/actiongroups
2021-05-28 13:48:19 -04:00
[
{
"op": "add", "path": "/CREATE_INDEX", "value": { "allowed_actions": ["indices:admin/create", "indices:admin/mapping/put"] }
},
{
"op": "remove", "path": "/CRUD"
}
]
```
#### Sample response
```json
{
"status":"OK",
"message":"actiongroup SEARCH deleted."
}
```
---
## Users
These calls let you create, update, and delete internal users. If you use an external authentication backend, you probably don't need to worry about internal users.
### Get user
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/internalusers/< username >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"kirk": {
"hash": "",
"roles": [ "captains", "starfleet" ],
"attributes": {
"attribute1": "value1",
"attribute2": "value2",
}
}
}
```
### Get users
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/internalusers/
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"kirk": {
"hash": "",
"roles": [ "captains", "starfleet" ],
"attributes": {
"attribute1": "value1",
"attribute2": "value2",
}
}
}
```
### Delete user
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
#### Request
```
2021-06-10 14:15:44 -04:00
DELETE _plugins/_security/api/internalusers/< username >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status":"OK",
"message":"user kirk deleted."
}
```
### Create user
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or replaces the specified user. You must specify either `password` (plain text) or `hash` (the hashed user password). If you specify `password` , the security plugin automatically hashes the password before storing it.
2021-08-12 17:25:46 -04:00
Note that any role you supply in the `opendistro_security_roles` array must already exist for the security plugin to map the user to that role. To see predefined roles, refer to [the list of predefined roles ]({{site.url}}{{site.baseurl}}/security-plugin/access-control/users-roles#predefined-roles ). For instructions on how to create a role, refer to [creating a role ](#create-role ).
2021-05-28 13:48:19 -04:00
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/internalusers/< username >
2021-05-28 13:48:19 -04:00
{
"password": "kirkpass",
2021-08-12 17:25:46 -04:00
"opendistro_security_roles": ["maintenance_staff", "weapons"],
2021-05-28 13:48:19 -04:00
"backend_roles": ["captains", "starfleet"],
"attributes": {
"attribute1": "value1",
"attribute2": "value2"
}
}
```
#### Sample response
```json
{
"status":"CREATED",
"message":"User kirk created"
}
```
### Patch user
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Updates individual attributes of an internal user.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/internalusers/< username >
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/backend_roles", "value": ["klingons"]
},
{
2021-08-12 17:25:46 -04:00
"op": "replace", "path": "/opendistro_security_roles", "value": ["ship_manager"]
2021-05-28 13:48:19 -04:00
},
{
"op": "replace", "path": "/attributes", "value": { "newattribute": "newvalue" }
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "'kirk' updated."
}
```
### Patch users
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates, updates, or deletes multiple internal users in a single call.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/internalusers
2021-05-28 13:48:19 -04:00
[
{
"op": "add", "path": "/spock", "value": { "password": "testpassword1", "backend_roles": ["testrole1"] }
},
{
"op": "add", "path": "/worf", "value": { "password": "testpassword2", "backend_roles": ["testrole2"] }
},
{
"op": "remove", "path": "/riker"
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
## Roles
### Get role
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves one role.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/roles/< role >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"test-role": {
"reserved": false,
"hidden": false,
"cluster_permissions": [
"cluster_composite_ops",
"indices_monitor"
],
"index_permissions": [{
"index_patterns": [
"movies*"
],
"dls": "",
"fls": [],
"masked_fields": [],
"allowed_actions": [
"read"
]
}],
"tenant_permissions": [{
"tenant_patterns": [
"human_resources"
],
"allowed_actions": [
"kibana_all_read"
]
}],
"static": false
}
}
```
### Get roles
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves all roles.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/roles/
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"manage_snapshots": {
"reserved": true,
"hidden": false,
"description": "Provide the minimum permissions for managing snapshots",
"cluster_permissions": [
"manage_snapshots"
],
"index_permissions": [{
"index_patterns": [
"*"
],
"fls": [],
"masked_fields": [],
"allowed_actions": [
"indices:data/write/index",
"indices:admin/create"
]
}],
"tenant_permissions": [],
"static": true
},
...
}
```
### Delete role
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
#### Request
```
2021-06-10 14:15:44 -04:00
DELETE _plugins/_security/api/roles/< role >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status":"OK",
"message":"role test-role deleted."
}
```
### Create role
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or replaces the specified role.
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/roles/< role >
2021-05-28 13:48:19 -04:00
{
"cluster_permissions": [
"cluster_composite_ops",
"indices_monitor"
],
"index_permissions": [{
"index_patterns": [
"movies*"
],
"dls": "",
"fls": [],
"masked_fields": [],
"allowed_actions": [
"read"
]
}],
"tenant_permissions": [{
"tenant_patterns": [
"human_resources"
],
"allowed_actions": [
"kibana_all_read"
]
}]
}
```
#### Sample response
```json
{
"status": "OK",
"message": "'test-role' updated."
}
```
2022-09-27 16:29:19 -04:00
>Due to word boundaries associated with Unicode special characters, the Unicode standard analyzer cannot index a [text field type ](https://opensearch.org/docs/2.2/opensearch/supported-field-types/text/ ) value as a whole value when it includes one of these special characters. As a result, a text field value that includes a special character is parsed by the standard analyzer as multiple values separated by the special character, effectively tokenizing the different elements on either side of it.
>
>For example, since the values in the fields ```"user.id": "User-1"``` and ```"user.id": "User-2"``` contain the hyphen/minus sign, this special character will prevent the analyzer from distinguishing between the two different users for `user.id` and interpret them as one and the same. This can lead to unintentional filtering of documents and potentially compromise control over their access.
>
>To avoid this circumstance, you can use a custom analyzer or map the field as `keyword` , which performs an exact-match search. See [Keyword field type ](https://opensearch.org/docs/2.2/opensearch/supported-field-types/keyword/ ) for the latter option.
>
>For a list of characters that should be avoided when field type is `text` , see [Word Boundaries ](https://unicode.org/reports/tr29/#Word_Boundaries ).
{: .warning}
2021-05-28 13:48:19 -04:00
### Patch role
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Updates individual attributes of a role.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/roles/< role >
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/index_permissions/0/fls", "value": ["myfield1", "myfield2"]
},
{
"op": "remove", "path": "/index_permissions/0/dls"
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "'< role > ' updated."
}
```
### Patch roles
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates, updates, or deletes multiple roles in a single call.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/roles
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/role1/index_permissions/0/fls", "value": ["test1", "test2"]
},
{
"op": "remove", "path": "/role1/index_permissions/0/dls"
},
{
"op": "add", "path": "/role2/cluster_permissions", "value": ["manage_snapshots"]
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
## Role mappings
### Get role mapping
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves one role mapping.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/rolesmapping/< role >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"role_starfleet" : {
"backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
"hosts" : [ "*.starfleetintranet.com" ],
"users" : [ "worf" ]
}
}
```
### Get role mappings
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves all role mappings.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/rolesmapping
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"role_starfleet" : {
"backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
"hosts" : [ "*.starfleetintranet.com" ],
"users" : [ "worf" ]
}
}
```
### Delete role mapping
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Deletes the specified role mapping.
#### Request
```
2021-06-10 14:15:44 -04:00
DELETE _plugins/_security/api/rolesmapping/< role >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status": "OK",
"message": "'my-role' deleted."
}
```
### Create role mapping
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or replaces the specified role mapping.
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/rolesmapping/< role >
2021-05-28 13:48:19 -04:00
{
"backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
"hosts" : [ "*.starfleetintranet.com" ],
"users" : [ "worf" ]
}
```
#### Sample response
```json
{
"status": "CREATED",
"message": "'my-role' created."
}
```
### Patch role mapping
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Updates individual attributes of a role mapping.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/rolesmapping/< role >
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/users", "value": ["myuser"]
},
{
"op": "replace", "path": "/backend_roles", "value": ["mybackendrole"]
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "'my-role' updated."
}
```
### Patch role mappings
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or updates multiple role mappings in a single call.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/rolesmapping
2021-05-28 13:48:19 -04:00
[
{
"op": "add", "path": "/human_resources", "value": { "users": ["user1"], "backend_roles": ["backendrole2"] }
},
{
"op": "add", "path": "/finance", "value": { "users": ["user2"], "backend_roles": ["backendrole2"] }
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
## Tenants
### Get tenant
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves one tenant.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/tenants/< tenant >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"human_resources": {
"reserved": false,
"hidden": false,
"description": "A tenant for the human resources team.",
"static": false
}
}
```
### Get tenants
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves all tenants.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/tenants/
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"global_tenant": {
"reserved": true,
"hidden": false,
"description": "Global tenant",
"static": true
},
"human_resources": {
"reserved": false,
"hidden": false,
"description": "A tenant for the human resources team.",
"static": false
}
}
```
### Delete tenant
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Deletes the specified tenant.
#### Request
```
2021-06-10 14:15:44 -04:00
DELETE _plugins/_security/api/tenants/< tenant >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status":"OK",
"message":"tenant human_resources deleted."
}
```
### Create tenant
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or replaces the specified tenant.
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/tenants/< tenant >
2021-05-28 13:48:19 -04:00
{
"description": "A tenant for the human resources team."
}
```
#### Sample response
```json
{
"status":"CREATED",
"message":"tenant human_resources created"
}
```
### Patch tenant
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Add, delete, or modify a single tenant.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/tenants/< tenant >
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/description", "value": "An updated description"
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
### Patch tenants
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Add, delete, or modify multiple tenants in a single call.
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/tenants/
2021-05-28 13:48:19 -04:00
[
{
"op": "replace",
"path": "/human_resources/description",
"value": "An updated description"
},
{
"op": "add",
"path": "/another_tenant",
"value": {
"description": "Another description."
}
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
## Configuration
### Get configuration
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Retrieves the current security plugin configuration in JSON format.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/api/securityconfig
2021-05-28 13:48:19 -04:00
```
### Update configuration
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Creates or updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead, which is far safer. See [Access control for the API ](#access-control-for-the-api ) for how to enable this operation.
#### Request
```json
2021-06-10 14:15:44 -04:00
PUT _plugins/_security/api/securityconfig/config
2021-05-28 13:48:19 -04:00
{
"dynamic": {
"filtered_alias_mode": "warn",
"disable_rest_auth": false,
"disable_intertransport_auth": false,
"respect_request_indices_options": false,
"opensearch-dashboards": {
"multitenancy_enabled": true,
"server_username": "kibanaserver",
"index": ".opensearch-dashboards"
},
"http": {
"anonymous_auth_enabled": false
},
"authc": {
"basic_internal_auth_domain": {
"http_enabled": true,
"transport_enabled": true,
"order": 0,
"http_authenticator": {
"challenge": true,
"type": "basic",
"config": {}
},
"authentication_backend": {
"type": "intern",
"config": {}
},
"description": "Authenticate via HTTP Basic against internal users database"
}
},
"auth_failure_listeners": {},
"do_not_fail_on_forbidden": false,
"multi_rolespan_enabled": true,
"hosts_resolver_mode": "ip-only",
"do_not_fail_on_forbidden_empty": false
}
}
```
#### Sample response
```json
{
"status": "OK",
"message": "'config' updated."
}
```
### Patch configuration
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead, which is far safer. See [Access control for the API ](#access-control-for-the-api ) for how to enable this operation.
2021-09-27 20:07:38 -04:00
Before you can execute the operation, you must first add the following line to `opensearch.yml` :
```yml
plugins.security.unsupported.restapi.allow_securityconfig_modification: true
```
2021-05-28 13:48:19 -04:00
#### Request
```json
2021-06-10 14:15:44 -04:00
PATCH _plugins/_security/api/securityconfig
2021-05-28 13:48:19 -04:00
[
{
"op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
2021-09-24 17:13:26 -04:00
## Distinguished names
2021-05-28 13:48:19 -04:00
2021-09-27 13:07:37 -04:00
These REST APIs let a super admin add, retrieve, update, or delete any distinguished names from an allow list to enable communication between clusters and/or nodes.
2021-05-28 13:48:19 -04:00
2021-09-27 13:07:37 -04:00
Before you can use the REST API to configure the allow list, you must first add the following line to `opensearch.yml` :
2021-09-24 17:13:26 -04:00
```yml
plugins.security.nodes_dn_dynamic_config_enabled: true
```
### Get distinguished names
2021-09-27 13:07:37 -04:00
Retrieves all distinguished names in the allow list.
2021-05-28 13:48:19 -04:00
#### Request
```
2021-09-24 17:13:26 -04:00
GET _plugins/_security/api/nodesdn
2021-05-28 13:48:19 -04:00
```
2021-09-24 17:13:26 -04:00
#### Sample response
2021-05-28 13:48:19 -04:00
2021-09-24 17:13:26 -04:00
```json
{
"cluster1": {
"nodes_dn": [
"CN=cluster1.example.com"
]
}
}
```
2021-05-28 13:48:19 -04:00
2021-09-27 13:07:37 -04:00
To get the distinguished names from a specific cluster's or node's allow list, include the cluster's name in the request path.
2021-05-28 13:48:19 -04:00
#### Request
2021-09-24 17:13:26 -04:00
```
GET _plugins/_security/api/nodesdn/< cluster-name >
```
#### Sample response
2021-05-28 13:48:19 -04:00
```json
{
2021-09-24 17:13:26 -04:00
"cluster3": {
"nodes_dn": [
"CN=cluster3.example.com"
]
2021-05-28 13:48:19 -04:00
}
}
```
2021-09-24 17:13:26 -04:00
2021-09-24 17:23:17 -04:00
### Update distinguished names
2021-09-24 17:13:26 -04:00
2021-09-24 17:23:17 -04:00
Adds or updates the specified distinguished names in the cluster's or node's allow list.
2021-09-24 17:13:26 -04:00
#### Request
```json
PUT _plugins/_security/api/nodesdn/< cluster-name >
{
"nodes_dn": [
"CN=cluster3.example.com"
]
}
```
#### Sample response
```json
{
"status": "CREATED",
"message": "'cluster3' created."
}
```
2021-05-28 13:48:19 -04:00
2021-09-24 17:13:26 -04:00
### Delete distinguished names
2021-05-28 13:48:19 -04:00
2021-09-27 13:07:37 -04:00
Deletes all distinguished names in the specified cluster's or node's allow list.
2021-05-28 13:48:19 -04:00
#### Request
2021-09-24 17:13:26 -04:00
```
DELETE _plugins/_security/api/nodesdn/< cluster-name >
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status": "OK",
2021-09-24 17:13:26 -04:00
"message": "'cluster3' deleted."
2021-05-28 13:48:19 -04:00
}
```
2021-09-24 17:13:26 -04:00
---
## Certificates
### Get certificates
Introduced 1.0
{: .label .label-purple }
2021-09-24 17:53:33 -04:00
Retrieves the cluster's security certificates.
2021-09-24 17:13:26 -04:00
#### Request
```
2022-05-23 17:03:11 -04:00
GET _plugins/_security/api/ssl/certs
2021-09-24 17:13:26 -04:00
```
#### Sample response
```json
{
"http_certificates_list": [
{
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
"not_before": "2018-04-22T03:43:47Z",
"not_after": "2028-04-19T03:43:47Z"
}
],
"transport_certificates_list": [
{
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
"not_before": "2018-04-22T03:43:47Z",
"not_after": "2028-04-19T03:43:47Z"
}
]
}
```
2022-07-05 10:58:50 -04:00
### Reload certificates
Introduced 1.0
{: .label .label-purple }
Reloads SSL certificates that are about to expire without restarting the OpenSearch node.
This call assumes that new certificates are in the same location specified by the security configurations in opensearch.yml. To keep sensitive certificate reloads secure, this call only allows hot reload with certificates issued by the same issuer and subject DN and SAN with expiry dates after the current certificate.
#### Request
```
PUT _opendistro/_security/api/ssl/transport/reloadcerts
PUT _opendistro/_security/api/ssl/http/reloadcerts
```
#### Sample response
```json
{
"message": "updated http certs"
}
```
2021-05-28 13:48:19 -04:00
---
## Cache
### Flush cache
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Flushes the security plugin user, authentication, and authorization cache.
#### Request
```
2021-06-10 14:15:44 -04:00
DELETE _plugins/_security/api/cache
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"status": "OK",
"message": "Cache flushed successfully."
}
```
---
## Health
### Health check
2021-07-26 19:14:22 -04:00
Introduced 1.0
{: .label .label-purple }
2021-05-28 13:48:19 -04:00
Checks to see if the security plugin is up and running. If you operate your cluster behind a load balancer, this operation is useful for determining node health and doesn't require a signed request.
#### Request
```
2021-06-10 14:15:44 -04:00
GET _plugins/_security/health
2021-05-28 13:48:19 -04:00
```
#### Sample response
```json
{
"message": null,
"mode": "strict",
"status": "UP"
}
```