Added whitelist.yml

keithhc2 2021-07-28 11:41:08 -07:00
parent c961ca45d0
commit 30df98e078
1 changed files with 51 additions and 2 deletions


@ -121,8 +121,57 @@ If you want to run your users' passwords against some validation, specify a regu
Note that OpenSearch validates only users and passwords created through OpenSearch Dashboards or the REST API. Note that OpenSearch validates only users and passwords created through OpenSearch Dashboards or the REST API.
```yml ```yml
plugins.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}' plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
plugins.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character." plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
```
## whitelist.yml
You can use `whitelist.yml` to whitelist any endpoints and associated HTTP requests. If enabled, all users except the SuperAdmin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are not allowed. For example, if `_cluster/settings` is whitelisted with the GET operation, users are not allowed to submit PUT requests to `_cluster/settings` to update cluster settings.
```yml
---
_meta:
type: "whitelist"
config_version: 2
# Description:
# enabled - feature flag.
# if enabled is false, whitelisting is disabled.
# if enabled is true, whitelisting is enabled, and all users except SuperAdmin can submit requests only to the specified endpoints.
# SuperAdmin can access all APIs.
# SuperAdmin is defined by the SuperAdmin certificate, which is configured with the opensearch.yml setting plugins.security.authcz.admin_dn:
# Refer to the example setting in opensearch.yml to learn more about configuring SuperAdmin.
#
# requests - map of whitelisted endpoints and HTTP requests
#this name must be config
config:
enabled: true
requests:
/_cluster/settings:
- GET
/_cat/nodes:
- GET
```
To enable PUT requests to cluster settings, add PUT to the list of allowed operations under `/_cluster/settings`.
```yml
requests:
/_cluster/settings:
- GET
- PUT
```
You can also whitelist custom indices. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to whitelist.
```yml
requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1
/sample-index1/_doc/1:
- GET
/sample-index2/_doc/1:
- GET
``` ```
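Review bot: The two changed setting keys at the top of this hunk (`plugins.restapi.password_validation_regex` and `plugins.restapi.password_validation_error_message`, both gaining a `plugins.security.` prefix) are not mentioned in the commit message, which only says whitelist.yml was added. Note the rename in the message or move it to its own commit so it can be found later. In the new whitelist.yml section, the comment `#this name must be config` does not say which name it refers to; wording such as `# this top-level key must be named config`, placed directly above `config:`, would remove the ambiguity. The sample file also sets `enabled: true` with only two GET entries, so the prose next to it should state that applying it unchanged limits every user except the SuperAdmin to those two requests.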