Merge pull request #183 from opensearch-project/security-yml-files

Add descriptions to config yaml files and added some security APIs
2021-09-27 17:08:12 -07:00 · 2021-09-27 17:08:12 -07:00 · a38eb15400
parent 268f1d9571 dc69f8010b
commit a38eb15400
2 changed files with 136 additions and 86 deletions
--- a/_security-plugin/access-control/api.md
+++ b/_security-plugin/access-control/api.md
@ -1159,6 +1159,12 @@ Introduced 1.0

 Updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead, which is far safer. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.

+Before you can execute the operation, you must first add the following line to `opensearch.yml`:
+
+```yml
+plugins.security.unsupported.restapi.allow_securityconfig_modification: true
+```
+
 #### Request

 ```json
@ -1179,6 +1185,106 @@ PATCH _plugins/_security/api/securityconfig
 }
 ```

+---
+
+## Distinguished names
+
+These REST APIs let a super admin add, retrieve, update, or delete any distinguished names from an allow list to enable communication between clusters and/or nodes.
+
+Before you can use the REST API to configure the allow list, you must first add the following line to `opensearch.yml`:
+
+```yml
+plugins.security.nodes_dn_dynamic_config_enabled: true
+```
+
+
+### Get distinguished names
+
+Retrieves all distinguished names in the allow list.
+
+#### Request
+
+```
+GET _plugins/_security/api/nodesdn
+```
+
+#### Sample response
+
+```json
+{
+  "cluster1": {
+    "nodes_dn": [
+      "CN=cluster1.example.com"
+    ]
+  }
+}
+```
+
+To get the distinguished names from a specific cluster's or node's allow list, include the cluster's name in the request path.
+
+#### Request
+
+```
+GET _plugins/_security/api/nodesdn/<cluster-name>
+```
+
+#### Sample response
+
+```json
+{
+  "cluster3": {
+    "nodes_dn": [
+      "CN=cluster3.example.com"
+    ]
+  }
+}
+```
+
+
+### Update distinguished names
+
+Adds or updates the specified distinguished names in the cluster's or node's allow list.
+
+#### Request
+
+```json
+PUT _plugins/_security/api/nodesdn/<cluster-name>
+{
+  "nodes_dn": [
+    "CN=cluster3.example.com"
+  ]
+}
+```
+
+#### Sample response
+
+```json
+{
+  "status": "CREATED",
+  "message": "'cluster3' created."
+}
+```
+
+
+### Delete distinguished names
+
+Deletes all distinguished names in the specified cluster's or node's allow list.
+
+#### Request
+
+```
+DELETE _plugins/_security/api/nodesdn/<cluster-name>
+```
+
+#### Sample response
+
+```json
+{
+  "status": "OK",
+  "message": "'cluster3' deleted."
+}
+```
+

 ---

@ -1188,101 +1294,38 @@ PATCH _plugins/_security/api/securityconfig
 Introduced 1.0
 {: .label .label-purple }

-Retrieves the current security plugin configuration in JSON format.
+Retrieves the cluster's security certificates.

 #### Request

 ```
-GET _plugins/_security/api/securityconfig
-```
-
-
-### Update configuration
-Introduced 1.0
-{: .label .label-purple }
-
-Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
-
-#### Request
-
-```json
-PUT _plugins/_security/api/securityconfig/config
-{
-  "dynamic": {
-    "filtered_alias_mode": "warn",
-    "disable_rest_auth": false,
-    "disable_intertransport_auth": false,
-    "respect_request_indices_options": false,
-    "opensearch-dashboards": {
-      "multitenancy_enabled": true,
-      "server_username": "kibanaserver",
-      "index": ".opensearch-dashboards"
-    },
-    "http": {
-      "anonymous_auth_enabled": false
-    },
-    "authc": {
-      "basic_internal_auth_domain": {
-        "http_enabled": true,
-        "transport_enabled": true,
-        "order": 0,
-        "http_authenticator": {
-          "challenge": true,
-          "type": "basic",
-          "config": {}
-        },
-        "authentication_backend": {
-          "type": "intern",
-          "config": {}
-        },
-        "description": "Authenticate via HTTP Basic against internal users database"
-      }
-    },
-    "auth_failure_listeners": {},
-    "do_not_fail_on_forbidden": false,
-    "multi_rolespan_enabled": true,
-    "hosts_resolver_mode": "ip-only",
-    "do_not_fail_on_forbidden_empty": false
-  }
-}
+GET _opendistro/_security/api/ssl/certs
 ```

 #### Sample response

 ```json
 {
-  "status": "OK",
-  "message": "'config' updated."
+  "http_certificates_list": [
+    {
+      "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
+      "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
+      "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
+      "not_before": "2018-04-22T03:43:47Z",
+      "not_after": "2028-04-19T03:43:47Z"
+    }
+  ],
+  "transport_certificates_list": [
+    {
+      "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
+      "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
+      "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
+      "not_before": "2018-04-22T03:43:47Z",
+      "not_after": "2028-04-19T03:43:47Z"
+    }
+  ]
 }
 ```
-
-
-### Patch configuration
-Introduced 1.0
-{: .label .label-purple }
-
-Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
-
-#### Request
-
-```json
-PATCH _plugins/_security/api/securityconfig
-[
-  {
-    "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
-  }
-]
-```
-
-#### Sample response
-
-```json
-{
-  "status": "OK",
-  "message": "Resource updated."
-}
-```
-
 ---

 ## Cache
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@ -126,7 +126,7 @@ plugins.security.restapi.password_validation_error_message: "Password must be mi

 ## whitelist.yml

-You can use `whitelist.yml` to allow list any endpoints and HTTP requests. If enabled, all users except the SuperAdmin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is allow listed, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
+You can use `whitelist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.

 Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings.

@ -165,7 +165,7 @@ requests:
    - PUT
 ```

-You can also allow list custom indices. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to allow list.
+You can also add custom indices to the allow list. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.

 ```yml
 requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1
@ -315,6 +315,10 @@ _meta:

 ## tenants.yml

+You can use this file to specify and add any number of OpenSearch Dashboards tenants to your OpenSearch cluster. For more information about tenants, see [OpenSearch Dashboards multi-tenancy]({{site.url}}{{site.baseurl}}/security-plugin/access-control/multi-tenancy).
+
+Like all of the other YAML files, we recommend you use `tenants.yml` to add any tenants you must have in your cluster, and then use OpenSearch Dashboards or the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#tenants) if you need to further configure or create any other tenants.
+
 ```yml
 ---
 _meta:
@ -325,9 +329,12 @@ admin_tenant:
  description: "Demo tenant for admin user"
 ```

-
 ## nodes_dn.yml

+`nodes_dn.yml` lets you add certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) an allow list to enable communication between any number of nodes and/or clusters. For example, a node that has the DN `CN=node1.example.com` in its allow list accepts communication from any other node or certificate that uses that DN.
+
+The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically add DNs to your allow lists, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
+
 ```yml
 ---
 _meta: