From 30df98e07894df8dd9498f891021cf5e4e1fa2d4 Mon Sep 17 00:00:00 2001
From: keithhc2
Date: Wed, 28 Jul 2021 11:41:08 -0700
Subject: [PATCH 1/2] Added whitelist.yml
---
 _security-plugin/configuration/yaml.md | 53 +++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/_security-plugin/configuration/yaml.md b/_security-plugin/configuration/yaml.md
index 066a7d76..ba4a6329 100644
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@@ -121,8 +121,57 @@ If you want to run your users' passwords against some validation, specify a regu
 Note that OpenSearch validates only users and passwords created through OpenSearch Dashboards or the REST API.
 ```yml
-plugins.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
-plugins.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
+plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
+plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
+```
+
+## whitelist.yml
+
+You can use `whitelist.yml` to whitelist any endpoints and associated HTTP requests. If enabled, all users except the SuperAdmin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are not allowed. For example, if `_cluster/settings` is whitelisted with the GET operation, users are not allowed to submit PUT requests to `_cluster/settings` to update cluster settings.
+
+```yml
+---
+_meta:
+ type: "whitelist"
+ config_version: 2
+
+# Description:
+# enabled - feature flag.
+# if enabled is false, whitelisting is disabled.
+# if enabled is true, whitelisting is enabled, and all users except SuperAdmin can submit requests only to the specified endpoints.
+# SuperAdmin can access all APIs.
+# SuperAdmin is defined by the SuperAdmin certificate, which is configured with the opensearch.yml setting plugins.security.authcz.admin_dn:
+# Refer to the example setting in opensearch.yml to learn more about configuring SuperAdmin.
+#
+# requests - map of whitelisted endpoints and HTTP requests
+
+#this name must be config
+config:
+ enabled: true
+ requests:
+ /_cluster/settings:
+ - GET
+ /_cat/nodes:
+ - GET
+```
+
+To enable PUT requests to cluster settings, add PUT to the list of allowed operations under `/_cluster/settings`.
+
+```yml
+requests:
+ /_cluster/settings:
+ - GET
+ - PUT
+```
+
+You can also whitelist custom indices. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to whitelist.
+
+```yml
+requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1
+ /sample-index1/_doc/1:
+ - GET
+ /sample-index2/_doc/1:
+ - GET
 ```
From dc2f349d7e3bb5baff41a96305bdf26475a09a53 Mon Sep 17 00:00:00 2001
From: keithhc2
Date: Wed, 28 Jul 2021 13:21:25 -0700
Subject: [PATCH 2/2] Addressed comment and added note about users and roles
---
 _security-plugin/configuration/yaml.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/_security-plugin/configuration/yaml.md b/_security-plugin/configuration/yaml.md
index ba4a6329..30a70f14 100644
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@@ -127,7 +127,9 @@ plugins.security.restapi.password_validation_error_message: "Password must be mi
 ## whitelist.yml
-You can use `whitelist.yml` to whitelist any endpoints and associated HTTP requests. If enabled, all users except the SuperAdmin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are not allowed. For example, if `_cluster/settings` is whitelisted with the GET operation, users are not allowed to submit PUT requests to `_cluster/settings` to update cluster settings.
+You can use `whitelist.yml` to allow list any endpoints and HTTP requests. If enabled, all users except the SuperAdmin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is allow listed, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
+
+Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings.
 ```yml
 ---
@@ -137,13 +139,13 @@ _meta:
 # Description:
 # enabled - feature flag.
-# if enabled is false, whitelisting is disabled.
-# if enabled is true, whitelisting is enabled, and all users except SuperAdmin can submit requests only to the specified endpoints.
+# if enabled is false, all endpoints are accessible.
+# if enabled is true, all users except the SuperAdmin can only submit the allowed requests to the specified endpoints.
 # SuperAdmin can access all APIs.
 # SuperAdmin is defined by the SuperAdmin certificate, which is configured with the opensearch.yml setting plugins.security.authcz.admin_dn:
 # Refer to the example setting in opensearch.yml to learn more about configuring SuperAdmin.
 #
-# requests - map of whitelisted endpoints and HTTP requests
+# requests - map of allow listed endpoints and HTTP requests
 #this name must be config
 config:
@@ -164,7 +166,7 @@ requests:
 - PUT
 ```
-You can also whitelist custom indices. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to whitelist.
+You can also allow list custom indices. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to allow list.
 ```yml
 requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1