Updates all documentation relevant to securityconfig folder name change in the security plugin build flow
Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Signed-off-by: Oded Shafran <oded@shafranet.com>
This commit is contained in:
parent
cb02f718cf
commit
02f7504a9e
|
@ -43,11 +43,11 @@ services:
|
||||||
- ./admin.pem:/usr/share/opensearch/config/admin.pem
|
- ./admin.pem:/usr/share/opensearch/config/admin.pem
|
||||||
- ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
|
- ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
|
||||||
- ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
|
- ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
|
||||||
- ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
|
- ./internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml
|
||||||
- ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
|
- ./roles_mapping.yml:/usr/share/opensearch/config/opensearch-security/roles_mapping.yml
|
||||||
- ./tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
|
- ./tenants.yml:/usr/share/opensearch/config/opensearch-security/tenants.yml
|
||||||
- ./roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
|
- ./roles.yml:/usr/share/opensearch/config/opensearch-security/roles.yml
|
||||||
- ./action_groups.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
|
- ./action_groups.yml:/usr/share/opensearch/config/opensearch-security/action_groups.yml
|
||||||
ports:
|
ports:
|
||||||
- 9200:9200
|
- 9200:9200
|
||||||
- 9600:9600 # required for Performance Analyzer
|
- 9600:9600 # required for Performance Analyzer
|
||||||
|
@ -79,11 +79,11 @@ services:
|
||||||
- ./admin.pem:/usr/share/opensearch/config/admin.pem
|
- ./admin.pem:/usr/share/opensearch/config/admin.pem
|
||||||
- ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
|
- ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
|
||||||
- ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
|
- ./custom-opensearch.yml:/usr/share/opensearch/config/opensearch.yml
|
||||||
- ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
|
- ./internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml
|
||||||
- ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
|
- ./roles_mapping.yml:/usr/share/opensearch/config/opensearch-security/roles_mapping.yml
|
||||||
- ./tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
|
- ./tenants.yml:/usr/share/opensearch/config/opensearch-security/tenants.yml
|
||||||
- ./roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
|
- ./roles.yml:/usr/share/opensearch/config/opensearch-security/roles.yml
|
||||||
- ./action_groups.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
|
- ./action_groups.yml:/usr/share/opensearch/config/opensearch-security/action_groups.yml
|
||||||
networks:
|
networks:
|
||||||
- opensearch-net
|
- opensearch-net
|
||||||
opensearch-dashboards:
|
opensearch-dashboards:
|
||||||
|
@ -133,7 +133,7 @@ opendistro_security.audit.config.disabled_rest_categories: NONE
|
||||||
opendistro_security.audit.config.disabled_transport_categories: NONE
|
opendistro_security.audit.config.disabled_transport_categories: NONE
|
||||||
```
|
```
|
||||||
|
|
||||||
Use this same override process to specify new [authentication settings]({{site.url}}{{site.baseurl}}/security-plugin/configuration/configuration/) in `/usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml`, as well as new default [internal users, roles, mappings, action groups, and tenants]({{site.url}}{{site.baseurl}}/security-plugin/configuration/yaml/).
|
Use this same override process to specify new [authentication settings]({{site.url}}{{site.baseurl}}/security-plugin/configuration/configuration/) in `/usr/share/opensearch/config/opensearch-security/config.yml`, as well as new default [internal users, roles, mappings, action groups, and tenants]({{site.url}}{{site.baseurl}}/security-plugin/configuration/yaml/).
|
||||||
|
|
||||||
To start the cluster, run `docker-compose up`.
|
To start the cluster, run `docker-compose up`.
|
||||||
|
|
||||||
|
|
|
@ -86,7 +86,7 @@ kibana_user:
|
||||||
|
|
||||||
Hidden resources are automatically reserved.
|
Hidden resources are automatically reserved.
|
||||||
|
|
||||||
To add or remove these flags, modify `plugins/opensearch-security/securityconfig/internal_users.yml` and run `plugins/opensearch-security/tools/securityadmin.sh`.
|
To add or remove these flags, modify `config/opensearch-security/internal_users.yml` and run `plugins/opensearch-security/tools/securityadmin.sh`.
|
||||||
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
|
@ -29,7 +29,7 @@ http://<opensearch_dashboards_host>:5601/app/opensearch-dashboards?security_tena
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
Multi-tenancy is enabled by default, but you can disable it or change its settings using `plugins/opensearch-security/securityconfig/config.yml`:
|
Multi-tenancy is enabled by default, but you can disable it or change its settings using `config/opensearch-security/config.yml`:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
config:
|
config:
|
||||||
|
|
|
@ -15,7 +15,7 @@ Understanding the authentication flow is a great way to get started with configu
|
||||||
|
|
||||||
2. The security plugin authenticates the user's credentials against a backend: the internal user database, Lightweight Directory Access Protocol (LDAP), Active Directory, Kerberos, or JSON web tokens.
|
2. The security plugin authenticates the user's credentials against a backend: the internal user database, Lightweight Directory Access Protocol (LDAP), Active Directory, Kerberos, or JSON web tokens.
|
||||||
|
|
||||||
The plugin supports chaining backends in `securityconfig/config.yml`. If more than one backend is present, the plugin tries to authenticate the user sequentially against each until one succeeds. A common use case is to combine the internal user database of the security plugin with LDAP/Active Directory.
|
The plugin supports chaining backends in `config/opensearch-security/config.yml`. If more than one backend is present, the plugin tries to authenticate the user sequentially against each until one succeeds. A common use case is to combine the internal user database of the security plugin with LDAP/Active Directory.
|
||||||
|
|
||||||
3. After a backend verifies the user's credentials, the plugin collects any backend roles. These roles can be arbitrary strings in the internal user database, but in most cases, these backend roles come from LDAP/Active Directory.
|
3. After a backend verifies the user's credentials, the plugin collects any backend roles. These roles can be arbitrary strings in the internal user database, but in most cases, these backend roles come from LDAP/Active Directory.
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ nav_order: 2
|
||||||
|
|
||||||
One of the first steps to using the security plugin is to decide on an authentication backend, which handles [steps 2-3 of the authentication flow]({{site.url}}{{site.baseurl}}/security-plugin/configuration/concepts#authentication-flow). The plugin has an internal user database, but many people prefer to use an existing authentication backend, such as an LDAP server, or some combination of the two.
|
One of the first steps to using the security plugin is to decide on an authentication backend, which handles [steps 2-3 of the authentication flow]({{site.url}}{{site.baseurl}}/security-plugin/configuration/concepts#authentication-flow). The plugin has an internal user database, but many people prefer to use an existing authentication backend, such as an LDAP server, or some combination of the two.
|
||||||
|
|
||||||
The main configuration file for authentication and authorization backends is `plugins/opensearch-security/securityconfig/config.yml`. It defines how the security plugin retrieves the user credentials, how it verifies these credentials, and how to fetch additional roles from backend systems (optional).
|
The main configuration file for authentication and authorization backends is `config/opensearch-security/config.yml`. It defines how the security plugin retrieves the user credentials, how it verifies these credentials, and how to fetch additional roles from backend systems (optional).
|
||||||
|
|
||||||
`config.yml` has three main parts:
|
`config.yml` has three main parts:
|
||||||
|
|
||||||
|
@ -123,7 +123,7 @@ These are the possible values for `type`:
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
The default `plugins/opensearch-security/securityconfig/config.yml` that ships with OpenSearch contains many configuration examples. Use these examples as a starting point, and customize them to your needs.
|
The default `config/opensearch-security/config.yml` that ships with OpenSearch contains many configuration examples. Use these examples as a starting point, and customize them to your needs.
|
||||||
|
|
||||||
|
|
||||||
## HTTP basic
|
## HTTP basic
|
||||||
|
|
|
@ -55,7 +55,7 @@ We provide a fully functional example that can help you understand how to use an
|
||||||
|
|
||||||
## Connection settings
|
## Connection settings
|
||||||
|
|
||||||
To enable LDAP authentication and authorization, add the following lines to `plugins/opensearch-security/securityconfig/config.yml`:
|
To enable LDAP authentication and authorization, add the following lines to `config/opensearch-security/config.yml`:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
authc:
|
authc:
|
||||||
|
@ -247,7 +247,7 @@ Name | Description
|
||||||
|
|
||||||
## Use Active Directory and LDAP for authentication
|
## Use Active Directory and LDAP for authentication
|
||||||
|
|
||||||
To use Active Directory/LDAP for authentication, first configure a respective authentication domain in the `authc` section of `plugins/opensearch-security/securityconfig/config.yml`:
|
To use Active Directory/LDAP for authentication, first configure a respective authentication domain in the `authc` section of `config/opensearch-security/config.yml`:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
authc:
|
authc:
|
||||||
|
|
|
@ -37,7 +37,7 @@ We provide a fully functional example that can help you understand how to use SA
|
||||||
|
|
||||||
## Activating SAML
|
## Activating SAML
|
||||||
|
|
||||||
To use SAML for authentication, you need to configure a respective authentication domain in the `authc` section of `plugins/opensearch-security/securityconfig/config.yml`. Because SAML works solely on the HTTP layer, you do not need any `authentication_backend` and can set it to `noop`. Place all SAML-specific configuration options in this chapter in the `config` section of the SAML HTTP authenticator:
|
To use SAML for authentication, you need to configure a respective authentication domain in the `authc` section of `config/opensearch-security/config.yml`. Because SAML works solely on the HTTP layer, you do not need any `authentication_backend` and can set it to `noop`. Place all SAML-specific configuration options in this chapter in the `config` section of the SAML HTTP authenticator:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
authc:
|
authc:
|
||||||
|
|
|
@ -9,12 +9,12 @@ nav_order: 20
|
||||||
|
|
||||||
The security plugin stores its configuration---including users, roles, and permissions---in an index on the OpenSearch cluster (`.opendistro_security`). Storing these settings in an index lets you change settings without restarting the cluster and eliminates the need to edit configuration files on every single node.
|
The security plugin stores its configuration---including users, roles, and permissions---in an index on the OpenSearch cluster (`.opendistro_security`). Storing these settings in an index lets you change settings without restarting the cluster and eliminates the need to edit configuration files on every single node.
|
||||||
|
|
||||||
To initialize the `.opendistro_security` index, however, you must run `plugins/opensearch-security/tools/securityadmin.sh`. This script loads your initial configuration into the index using the configuration files in `plugins/opensearch-security/securityconfig`. After the `.opendistro_security` index is initialized, use OpenSearch Dashboards or the REST API to manage your users, roles, and permissions.
|
To initialize the `.opendistro_security` index, however, you must run `plugins/opensearch-security/tools/securityadmin.sh`. This script loads your initial configuration into the index using the configuration files in `config/opensearch-security`. After the `.opendistro_security` index is initialized, use OpenSearch Dashboards or the REST API to manage your users, roles, and permissions.
|
||||||
|
|
||||||
|
|
||||||
## A word of caution
|
## A word of caution
|
||||||
|
|
||||||
If you make changes to the configuration files in `plugins/opensearch-security/securityconfig`, OpenSearch does _not_ automatically apply these changes. Instead, you must run `securityadmin.sh` to load the updated files into the index.
|
If you make changes to the configuration files in `config/opensearch-security`, OpenSearch does _not_ automatically apply these changes. Instead, you must run `securityadmin.sh` to load the updated files into the index.
|
||||||
|
|
||||||
Running `securityadmin.sh` **overwrites** one or more portions of the `.opendistro_security` index. Run it with extreme care to avoid losing your existing resources. Consider the following example:
|
Running `securityadmin.sh` **overwrites** one or more portions of the `.opendistro_security` index. Run it with extreme care to avoid losing your existing resources. Consider the following example:
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ To avoid this situation, back up your current configuration before making change
|
||||||
If you use the `-f` argument rather than `-cd`, you can load a single YAML file into the index rather than the entire directory of YAML files. For example, if you create ten new roles, you can safely load `internal_users.yml` into the index without losing your roles; only the internal users get overwritten.
|
If you use the `-f` argument rather than `-cd`, you can load a single YAML file into the index rather than the entire directory of YAML files. For example, if you create ten new roles, you can safely load `internal_users.yml` into the index without losing your roles; only the internal users get overwritten.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -f ../securityconfig/internal_users.yml \
|
./securityadmin.sh -f ../../../config/opensearch-security/internal_users.yml \
|
||||||
-t internalusers \
|
-t internalusers \
|
||||||
-icl \
|
-icl \
|
||||||
-nhnv \
|
-nhnv \
|
||||||
|
@ -50,7 +50,7 @@ If you use the `-f` argument rather than `-cd`, you can load a single YAML file
|
||||||
To resolve all environment variables before applying the security configurations, use the `-rev` parameter.
|
To resolve all environment variables before applying the security configurations, use the `-rev` parameter.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -cd ../securityconfig/ \
|
./securityadmin.sh -cd ../../../config/opensearch-security/ \
|
||||||
-rev \
|
-rev \
|
||||||
-cacert ../../../root-ca.pem \
|
-cacert ../../../root-ca.pem \
|
||||||
-cert ../../../kirk.pem \
|
-cert ../../../kirk.pem \
|
||||||
|
@ -95,7 +95,7 @@ To print all available command line options, run the script with no arguments:
|
||||||
To load your initial configuration (all YAML files), you might use the following command:
|
To load your initial configuration (all YAML files), you might use the following command:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -cd ../securityconfig/ -icl -nhnv \
|
./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv \
|
||||||
-cacert ../../../config/root-ca.pem \
|
-cacert ../../../config/root-ca.pem \
|
||||||
-cert ../../../config/kirk.pem \
|
-cert ../../../config/kirk.pem \
|
||||||
-key ../../../config/kirk-key.pem
|
-key ../../../config/kirk-key.pem
|
||||||
|
@ -118,32 +118,32 @@ Name | Description
|
||||||
|
|
||||||
## Sample commands
|
## Sample commands
|
||||||
|
|
||||||
Apply all YAML files in `securityconfig` using PEM certificates:
|
Apply all YAML files in `config/opensearch-security/` using PEM certificates:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
|
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
|
||||||
-cacert /etc/opensearch/root-ca.pem \
|
-cacert /etc/opensearch/root-ca.pem \
|
||||||
-cert /etc/opensearch/kirk.pem \
|
-cert /etc/opensearch/kirk.pem \
|
||||||
-key /etc/opensearch/kirk-key.pem \
|
-key /etc/opensearch/kirk-key.pem \
|
||||||
-cd /usr/share/opensearch/plugins/opensearch-security/securityconfig/
|
-cd /usr/share/opensearch/config/opensearch-security/
|
||||||
```
|
```
|
||||||
|
|
||||||
Apply a single YAML file (`config.yml`) using PEM certificates:
|
Apply a single YAML file (`config.yml`) using PEM certificates:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh \
|
./securityadmin.sh \
|
||||||
-f ../securityconfig/config.yml \
|
-f ../../../config/opensearch-security/config.yml \
|
||||||
-icl -nhnv -cert /etc/opensearch/kirk.pem \
|
-icl -nhnv -cert /etc/opensearch/kirk.pem \
|
||||||
-cacert /etc/opensearch/root-ca.pem \
|
-cacert /etc/opensearch/root-ca.pem \
|
||||||
-key /etc/opensearch/kirk-key.pem \
|
-key /etc/opensearch/kirk-key.pem \
|
||||||
-t config
|
-t config
|
||||||
```
|
```
|
||||||
|
|
||||||
Apply all YAML files in `securityconfig` with keystore and truststore files:
|
Apply all YAML files in `config/opensearch-security/` with keystore and truststore files:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh \
|
./securityadmin.sh \
|
||||||
-cd /usr/share/opensearch/plugins/opensearch-security/securityconfig/ \
|
-cd /usr/share/opensearch/config/opensearch-security/ \
|
||||||
-ks /path/to/keystore.jks \
|
-ks /path/to/keystore.jks \
|
||||||
-kspass changeit \
|
-kspass changeit \
|
||||||
-ts /path/to/truststore.jks \
|
-ts /path/to/truststore.jks \
|
||||||
|
@ -158,7 +158,7 @@ Apply all YAML files in `securityconfig` with keystore and truststore files:
|
||||||
You can also use keystore files in JKS format in conjunction with `securityadmin.sh`:
|
You can also use keystore files in JKS format in conjunction with `securityadmin.sh`:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -cd ../securityconfig -icl -nhnv
|
./securityadmin.sh -cd ../../../config/opensearch-security -icl -nhnv
|
||||||
-ts <path/to/truststore> -tspass <truststore password>
|
-ts <path/to/truststore> -tspass <truststore password>
|
||||||
-ks <path/to/keystore> -kspass <keystore password>
|
-ks <path/to/keystore> -kspass <keystore password>
|
||||||
```
|
```
|
||||||
|
@ -216,13 +216,13 @@ Name | Description
|
||||||
To upload all configuration files in a directory, use this:
|
To upload all configuration files in a directory, use this:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -cd ../securityconfig -ts ... -tspass ... -ks ... -kspass ...
|
./securityadmin.sh -cd ../../../config/opensearch-security -ts ... -tspass ... -ks ... -kspass ...
|
||||||
```
|
```
|
||||||
|
|
||||||
If you want to push a single configuration file, use this:
|
If you want to push a single configuration file, use this:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -f ../securityconfig/internal_users.yml -t internalusers \
|
./securityadmin.sh -f ../../../config/opensearch-security/internal_users.yml -t internalusers \
|
||||||
-ts ... -tspass ... -ks ... -kspass ...
|
-ts ... -tspass ... -ks ... -kspass ...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -274,7 +274,7 @@ To upload the dumped files to another cluster:
|
||||||
To migrate configuration YAML files from the Open Distro for Elasticsearch 0.x.x format to the OpenSearch 1.x.x format:
|
To migrate configuration YAML files from the Open Distro for Elasticsearch 0.x.x format to the OpenSearch 1.x.x format:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./securityadmin.sh -migrate ../securityconfig -ts ... -tspass ... -ks ... -kspass ...
|
./securityadmin.sh -migrate ../../../config/opensearch-security -ts ... -tspass ... -ks ... -kspass ...
|
||||||
```
|
```
|
||||||
|
|
||||||
Name | Description
|
Name | Description
|
||||||
|
|
|
@ -7,7 +7,7 @@ nav_order: 3
|
||||||
|
|
||||||
# YAML files
|
# YAML files
|
||||||
|
|
||||||
Before running `securityadmin.sh` to load the settings into the `.opendistro_security` index, configure the YAML files in `plugins/opensearch-security/securityconfig`. You might want to back up these files so that you can reuse them on other clusters.
|
Before running `securityadmin.sh` to load the settings into the `.opendistro_security` index, configure the YAML files in `config/opensearch-security`. You might want to back up these files so that you can reuse them on other clusters.
|
||||||
|
|
||||||
The best use of these YAML files is to configure [reserved and hidden resources]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api#reserved-and-hidden-resources), such as the `admin` and `kibanaserver` users. You might find it easier to create other users, roles, mappings, action groups, and tenants using OpenSearch Dashboards or the REST API.
|
The best use of these YAML files is to configure [reserved and hidden resources]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api#reserved-and-hidden-resources), such as the `admin` and `kibanaserver` users. You might find it easier to create other users, roles, mappings, action groups, and tenants using OpenSearch Dashboards or the REST API.
|
||||||
|
|
||||||
|
|
|
@ -100,7 +100,7 @@ You must use an admin certificate when executing the script. To learn more, see
|
||||||
For more information on why `securityadmin.sh` is not executing, add the `--diagnose` option:
|
For more information on why `securityadmin.sh` is not executing, add the `--diagnose` option:
|
||||||
|
|
||||||
```
|
```
|
||||||
./securityadmin.sh -diagnose -cd ../securityconfig/ -cacert ... -cert ... -key ... -keypass ...
|
./securityadmin.sh -diagnose -cd ../../../config/opensearch-security/ -cacert ... -cert ... -key ... -keypass ...
|
||||||
```
|
```
|
||||||
|
|
||||||
The script prints the location of the generated diagnostic file.
|
The script prints the location of the generated diagnostic file.
|
||||||
|
|
|
@ -21,7 +21,7 @@ This page includes troubleshooting steps for configuring TLS certificates with t
|
||||||
|
|
||||||
## Validate YAML
|
## Validate YAML
|
||||||
|
|
||||||
`opensearch.yml` and the files in `opensearch_security/securityconfig/` are in the YAML format. A linter like [YAML Validator](https://codebeautify.org/yaml-validator) can help verify that you don't have any formatting errors.
|
`opensearch.yml` and the files in `config/opensearch-security/` are in the YAML format. A linter like [YAML Validator](https://codebeautify.org/yaml-validator) can help verify that you don't have any formatting errors.
|
||||||
|
|
||||||
|
|
||||||
## View contents of PEM certificates
|
## View contents of PEM certificates
|
||||||
|
|
Loading…
Reference in New Issue