Add documentation for the plugins.security.cache.ttl_minutes property (#1039)
* auth cache timeout prop

Signed-off-by: cwillum <cwmmoore@amazon.com>

* auth cache timeout prop

Signed-off-by: cwillum <cwmmoore@amazon.com>

Signed-off-by: cwillum <cwmmoore@amazon.com>
parent: c3f2b7bdf1
commit: aa5823d61c
|
@ -275,9 +275,6 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI
|
||||||
|
|
||||||
### Configure JSON web tokens
|
### Configure JSON web tokens
|
||||||
|
|
||||||
If JSON web tokens are the only authentication method that you use, disable the user cache by setting `plugins.security.cache.ttl_minutes: 0`.
|
|
||||||
{: .warning }
|
|
||||||
|
|
||||||
Set up an authentication domain and choose `jwt` as the HTTP authentication type. Because the tokens already contain all required information to verify the request, `challenge` must be set to `false` and `authentication_backend` to `noop`.
|
Set up an authentication domain and choose `jwt` as the HTTP authentication type. Because the tokens already contain all required information to verify the request, `challenge` must be set to `false` and `authentication_backend` to `noop`.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
|
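Review bot: this hunk drops the JWT-specific guidance ("If JSON web tokens are the only authentication method that you use, disable the user cache by setting `plugins.security.cache.ttl_minutes: 0`") together with its `{: .warning }` callout, and nothing in the remaining "Configure JSON web tokens" section points the reader to where the setting is now described. Readers who only consult the JWT section will no longer learn that a JWT-only deployment should set the TTL to 0. Suggest keeping a one-sentence pointer here, e.g. "If JWT is your only authentication method, set `plugins.security.cache.ttl_minutes: 0` (see the opensearch.yml section)", or carrying the JWT-only recommendation into the new paragraph that documents the property.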
@ -109,6 +109,7 @@ plugins.security.authcz.admin_dn:
|
||||||
plugins.security.audit.type: internal_opensearch
|
plugins.security.audit.type: internal_opensearch
|
||||||
plugins.security.enable_snapshot_restore_privilege: true
|
plugins.security.enable_snapshot_restore_privilege: true
|
||||||
plugins.security.check_snapshot_restore_write_privileges: true
|
plugins.security.check_snapshot_restore_write_privileges: true
|
||||||
|
plugins.security.cache.ttl_minutes: 60
|
||||||
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
|
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
|
||||||
plugins.security.system_indices.enabled: true
|
plugins.security.system_indices.enabled: true
|
||||||
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
|
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
|
||||||
|
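Review bot: the value added to the example configuration, `plugins.security.cache.ttl_minutes: 60`, is the documented default, so the line changes nothing for anyone who copies this block. That is fine for a reference example, but it is worth making the intent explicit so readers do not assume the line is required, for instance with a trailing `# default` comment on the new line or a sentence near the block noting that 60 is the default and 0 disables the cache.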
@ -130,6 +131,12 @@ The opensearch.yml file also contains the `plugins.security.allow_default_init_s
|
||||||
plugins.security.allow_default_init_securityindex: true
|
plugins.security.allow_default_init_securityindex: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Authentication cache for the security plugin exists to help speed up authentication by temporarily storing user objects returned from the backend so that the security plugin is not required to make repeated requests for them. To determine how long it takes for caching to time out, you can use the `plugins.security.cache.ttl_minutes` property to set a value in minutes. The default is `60`. You can disable caching by setting the value to `0`.
|
||||||
|
|
||||||
|
```yml
|
||||||
|
plugins.security.cache.ttl_minutes: 60
|
||||||
|
```
|
||||||
|
|
||||||
## allowlist.yml
|
## allowlist.yml
|
||||||
|
|
||||||
You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
|
You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
|
||||||
|
|
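Review bot: the sentence "To determine how long it takes for caching to time out, you can use the `plugins.security.cache.ttl_minutes` property to set a value in minutes" reads as if the property reports a value rather than sets one; suggest "To set how long cached user objects are retained, use the `plugins.security.cache.ttl_minutes` property (a value in minutes)". The paragraph should also state the trade-off that follows from its own description: because a cached user object is reused instead of re-querying the backend, a change made in the backend (removed user, changed roles) is not seen by the plugin until the cached entry expires, so a larger TTL means a longer window of stale authentication data. Finally, the first hunk removed the JWT-only advice to set this property to 0; since this paragraph is now the only place the property is documented, it should carry that recommendation, or at least note the case in which disabling the cache is appropriate.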