From 79b647ee6236d5edb0df56e74deb5602b93838d5 Mon Sep 17 00:00:00 2001 From: aetter Date: Fri, 9 Jul 2021 15:33:35 -0700 Subject: [PATCH] Add SSL configuration for Dashboards --- .gitignore | 1 + _dashboards/install/ssl.md | 41 +++++++++++++++++++++++++ _security-plugin/configuration/index.md | 12 ++++---- index.md | 7 +++-- 4 files changed, 53 insertions(+), 8 deletions(-) create mode 100644 _dashboards/install/ssl.md diff --git a/.gitignore b/.gitignore index ba3d9259..ae2249e7 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ _site .DS_Store Gemfile.lock .idea +.jekyll-cache diff --git a/_dashboards/install/ssl.md b/_dashboards/install/ssl.md new file mode 100644 index 00000000..412a5e7b --- /dev/null +++ b/_dashboards/install/ssl.md @@ -0,0 +1,41 @@ +--- +layout: default +title: Configure SSL +parent: Install OpenSearch Dashboards +nav_order: 40 +--- + +# Configure SSL for OpenSearch Dashboards + +By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable SSL, update the following settings in `opensearch_dashboards.yml`. + +Setting | Description +:--- | :--- +opensearch.ssl.verificationMode | This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable SSL, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`. +opensearch.ssl.certificateAuthorities | If `opensearch.ssl.verificationMode` is `full` or `certificate`, specify the full path (e.g. `[ "/usr/share/opensearch-dashboards-1.0.0/config/root-ca.pem" ]` to the certificate authority for your OpenSearch cluster. +server.ssl.enabled | This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP. +server.ssl.certificate | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert.pem` to a valid client certificate for your OpenSearch cluster. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority. +server.ssl.key | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem` to the key for your client certificate. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority. +opensearch_security.cookie.secure | If you enable SSL for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`. + +This `opensearch_dashboards.yml` configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration: + +```yml +opensearch.hosts: ["https://localhost:9200"] +opensearch.ssl.verificationMode: full +opensearch.username: "kibanaserver" +opensearch.password: "kibanaserver" +opensearch.requestHeadersWhitelist: [ authorization,securitytenant ] +server.ssl.enabled: true +server.ssl.certificate: /usr/share/opensearch-1.0.0/config/client-cert.pem +server.ssl.key: /usr/share/opensearch-1.0.0/config/client-cert-key.pem +opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-1.0.0/config/root-ca.pem" ] +opensearch_security.multitenancy.enabled: true +opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +opensearch_security.cookie.secure: true +``` + +If you use the Docker install, you can pass a custom `opensearch_dashboards.yml` to the container. To learn more, see the [Docker installation page]({{site.url}}{{site.baseurl}}/opensearch/install/docker/). + +After enabling these settings and starting OpenSearch Dashboards, you can connect to it at `https://localhost:5601`. You might have to acknowledge a browser warning if your certificates are self-signed. diff --git a/_security-plugin/configuration/index.md b/_security-plugin/configuration/index.md index 702fe685..6ce2565f 100644 --- a/_security-plugin/configuration/index.md +++ b/_security-plugin/configuration/index.md @@ -13,12 +13,12 @@ redirect_from: The plugin includes demo certificates so that you can get up and running quickly, but before using OpenSearch in a production environment, you must configure it manually: -1. [Replace the demo certificates]({{site.url}}{{site.baseurl}}/opensearch/install/docker-security) -1. [Reconfigure opensearch.yml to use your certificates]({{site.url}}{{site.baseurl}}/security-plugin/configuration/tls) -1. [Reconfigure config.yml to use your authentication backend]({{site.url}}{{site.baseurl}}/security-plugin/configuration/configuration/) (if you don't plan to use the internal user database) -1. [Modify the configuration YAML files]({{site.url}}{{site.baseurl}}/security-plugin/configuration/yaml) -1. [Apply changes using securityadmin.sh]({{site.url}}{{site.baseurl}}/security-plugin/configuration/security-admin) +1. [Replace the demo certificates]({{site.url}}{{site.baseurl}}/opensearch/install/docker-security). +1. [Reconfigure opensearch.yml to use your certificates]({{site.url}}{{site.baseurl}}/security-plugin/configuration/tls). +1. [Reconfigure config.yml to use your authentication backend]({{site.url}}{{site.baseurl}}/security-plugin/configuration/configuration/) (if you don't plan to use the internal user database). +1. [Modify the configuration YAML files]({{site.url}}{{site.baseurl}}/security-plugin/configuration/yaml). +1. [Apply changes using securityadmin.sh]({{site.url}}{{site.baseurl}}/security-plugin/configuration/security-admin). 1. Start OpenSearch. -1. [Add users, roles, role mappings, and tenants]({{site.url}}{{site.baseurl}}/security-plugin/access-control/index/) +1. [Add users, roles, role mappings, and tenants]({{site.url}}{{site.baseurl}}/security-plugin/access-control/index/). If you don't want to use the plugin, see [Disable security]({{site.url}}{{site.baseurl}}/security-plugin/configuration/disable). diff --git a/index.md b/index.md index 625020ba..253e246d 100755 --- a/index.md +++ b/index.md @@ -37,7 +37,7 @@ Component | Purpose [Anomaly Detection]({{site.url}}{{site.baseurl}}/monitoring-plugins/ad/) | Identify atypical data and receive automatic notifications [Asynchronous Search]({{site.url}}{{site.baseurl}}/search-plugins/async/) | Run search requests in the background -You can install OpenSearch plugins [individually]({{site.url}}{{site.baseurl}}/opensearch/install/plugins/) or use the [all-in-one packages]({{site.url}}{{site.baseurl}}/opensearch/install/). Most of these OpenSearch plugins have corresponding OpenSearch Dashboards plugins that provide a convenient, unified user interface. +Most of OpenSearch plugins have a corresponding OpenSearch Dashboards plugin that provide a convenient, unified user interface. For specifics around the project, see the [FAQ](https://opensearch.org/faq/). @@ -65,7 +65,10 @@ Docker To learn more, see [Install and configure OpenSearch]({{site.url}}{{site.baseurl}}/opensearch/install/) and [Install and configure OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/dashboards/install/). ---- +## The secure path forward + +OpenSearch includes a demo configuration so that you can get up and running quickly, but before using OpenSearch in a production environment, you must [configure the security plugin manually]({{site.url}}{{site.baseurl}}/security-plugin/configuration/index/): your own certificates, your own authentication method, your own users, and your own passwords. + ## Looking for the Javadoc?