iSharkFly-Docs
/
opensearch-docs-cn
mirror of https://github.com/iSharkFly-Docs/opensearch-docs-cn
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #509 from opensearch-project/whitelist-replace2.0 

Add allowlist for more inclusive nomenclature
This commit is contained in:
Naarcha-AWS 2022-05-03 14:50:25 -05:00 committed by GitHub
parent a6f9b130d0 c6f7341993
commit aa9f88e37a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 24 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_dashboards/branding.md
View File

@ -100,7 +100,7 @@ opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
#server.ssl.enabled: true
#server.ssl.certificate: /path/to/your/server/certificate
#server.ssl.key: /path/to/your/server/key

2
_dashboards/install/tls.md
View File

@ -25,7 +25,7 @@ opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem

4
_security-plugin/access-control/multi-tenancy.md
View File

@ -53,7 +53,7 @@ Setting | Description
```yml
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
@ -63,7 +63,7 @@ opensearch_security.multitenancy.enable_filter: false
Setting | Description
:--- | :---
`opensearch.requestHeadersWhitelist` | OpenSearch Dashboards requires that you whitelist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not whitelisted, OpenSearch Dashboards starts with a red status.
`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status.
`opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true.
`opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true.
`opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true.

6
_security-plugin/configuration/ldap.md
View File

@ -433,7 +433,7 @@ By default, the security plugin reads all LDAP user attributes and makes them av
Name | Description
:--- | :---
`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.
Example:
@ -446,7 +446,7 @@ authz:
authorization_backend:
type: ldap
config:
custom_attr_whitelist:
custom_attr_allowlist:
- attribute1
- attribute2
custom_attr_maxval_len: 36
@ -501,7 +501,7 @@ Name | Description
`skip_users` | Array of users that should be skipped when retrieving roles. Wildcards and regular expressions are supported.
`nested_role_filter` | Array of role DNs that should be filtered before resolving nested roles. Wildcards and regular expressions are supported.
`rolesearch_enabled` | Boolean. Enable or disable the role search. Default is `true`.
`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.

4
_security-plugin/configuration/openid-connect.md
View File

@ -308,8 +308,8 @@ opensearch.password: "kibanaserver"
# Disable SSL verification when using self-signed demo certificates
opensearch.ssl.verificationMode: none
# Whitelist basic headers and multi-tenancy header
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
# allowlist basic headers and multi-tenancy header
opensearch.requestHeadersAllowlist: ["Authorization", "security_tenant"]
```

4
_security-plugin/configuration/proxy.md
View File

@ -192,10 +192,10 @@ config:
internalProxies: '<opensearch-dashboards-ip-address>'
```
To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header whitelist in `opensearch_dashboards.yml`:
To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allow list in `opensearch_dashboards.yml`:
```yml
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
```
You must also enable the authentication type in `opensearch_dashboards.yml`:

12
_security-plugin/configuration/saml.md
View File

@ -302,16 +302,16 @@ Because most of the SAML-specific configuration is done in the security plugin,
opensearch_security.auth.type: "saml"
```
In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be whitelisted:
In addition, you must add the OpenSearch Dashboards endpoint for validating the SAML assertions to your allow list:
```yml
server.xsrf.whitelist: ["/_plugins/_security/saml/acs"]
server.xsrf.allowlist: ["/_plugins/_security/saml/acs"]
```
If you use the logout POST binding, you also need to whitelist the logout endpoint:
If you use the logout POST binding, you also need to ad the logout endpoint to your allow list:
```yml
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
```
### IdP-initiated SSO
@ -322,8 +322,8 @@ To use IdP-initiated SSO, set the Assertion Consumer Service endpoint of your Id
/_plugins/_security/saml/acs/idpinitiated
```
Then add this endpoint to `server.xsrf.whitelist` in `opensearch_dashboards.yml`:
Then add this endpoint to `server.xsrf.allowlist` in `opensearch_dashboards.yml`:
```yml
server.xsrf.whitelist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
server.xsrf.allowlist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
```

8
_security-plugin/configuration/yaml.md
View File

@ -124,16 +124,16 @@ plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d]
plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
```
## whitelist.yml
## allowlist.yml
You can use `whitelist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings.
```yml
---
_meta:
type: "whitelist"
type: "allowlist"
config_version: 2
# Description:
@ -165,7 +165,7 @@ requests:
- PUT
```
You can also add custom indices to the allow list. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
You can also add custom indices to the allow list. `allowlist.yml` doesn't support wildcards, so you must manually specify all of the indexes you want to add.
```yml
requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1

6
_troubleshoot/saml.md
View File

@ -45,12 +45,12 @@ The endpoint the OpenSearch Dashboards security plugin provides is:
/_plugins/_security/saml/acs
```
Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to whitelist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to add all endpoints to the allow list that they send requests to. Ensure that the ACS endpoint is listed.
OpenSearch Dashboards also requires you to whitelist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:
OpenSearch Dashboards also requires you to add this endpoint to the allow list. Make sure you have the following entry in `opensearch_dashboards.yml`:
```
server.xsrf.whitelist: [/_plugins/_security/saml/acs]
server.xsrf.allowlist: [/_plugins/_security/saml/acs]
```