Add descriptions to config yaml files and added some security APIs

2021-09-24 14:13:26 -07:00 · 2021-09-24 14:13:26 -07:00 · b12dab6705
parent 07b0650128
commit b12dab6705
2 changed files with 139 additions and 84 deletions
--- a/_security-plugin/access-control/api.md
+++ b/_security-plugin/access-control/api.md
@ -1179,6 +1179,117 @@ PATCH _plugins/_security/api/securityconfig
 }
 ```

+---
+
+## Distinguished names
+
+These REST APIs let a super admin allow list distinguished names to enable communication between clusters and/or nodes.
+
+Before you can use the REST API to add, retrieve, update, or delete any distinguished names, you must first add the following line to `opensearch.yml`:
+
+```yml
+plugins.security.nodes_dn_dynamic_config_enabled: true
+```
+
+
+### Get distinguished names
+
+Retrieves all allow listed distinguished names.
+
+#### Request
+
+```
+GET _plugins/_security/api/nodesdn
+```
+
+#### Sample response
+
+```json
+{
+  "cluster1": {
+    "nodes_dn": [
+      "CN=cluster1.example.com"
+    ]
+  }
+}
+```
+
+To get the distinguished names from a specific cluster or node, include its name in the request's URL.
+
+#### Request
+
+```
+GET _plugins/_security/api/nodesdn/<cluster-name>
+```
+
+#### Sample response
+
+```json
+{
+  "cluster3": {
+    "nodes_dn": [
+      "CN=cluster3.example.com"
+    ]
+  }
+}
+```
+
+
+### Add distinguished names
+
+Adds the specified distinguished names to the cluster's or node's allow list.
+
+#### Request
+
+```json
+PUT _plugins/_security/api/nodesdn/<cluster-name>
+{
+  "nodes_dn": [
+    "CN=cluster3.example.com"
+  ]
+}
+```
+
+#### Sample response
+
+```json
+{
+  "status": "CREATED",
+  "message": "'cluster3' created."
+}
+```
+
+If the specified cluster or node already has an allow list of distinguished names, the PUT request updates the list instead.
+
+#### Sample response
+
+```json
+{
+  "status": "OK",
+  "message": "'cluster7' updated."
+}
+```
+
+
+### Delete distinguished names
+
+Deletes the cluster's allow listed distinguished names.
+
+#### Request
+
+```
+DELETE _plugins/_security/api/nodesdn/<cluster-name>
+```
+
+#### Sample response
+
+```json
+{
+  "status": "OK",
+  "message": "'cluster3' deleted."
+}
+```
+

 ---

@ -1188,101 +1299,38 @@ PATCH _plugins/_security/api/securityconfig
 Introduced 1.0
 {: .label .label-purple }

-Retrieves the current security plugin configuration in JSON format.
+Retrieves the cluster's certificates.

 #### Request

 ```
-GET _plugins/_security/api/securityconfig
-```
-
-
-### Update configuration
-Introduced 1.0
-{: .label .label-purple }
-
-Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
-
-#### Request
-
-```json
-PUT _plugins/_security/api/securityconfig/config
-{
-  "dynamic": {
-    "filtered_alias_mode": "warn",
-    "disable_rest_auth": false,
-    "disable_intertransport_auth": false,
-    "respect_request_indices_options": false,
-    "opensearch-dashboards": {
-      "multitenancy_enabled": true,
-      "server_username": "kibanaserver",
-      "index": ".opensearch-dashboards"
-    },
-    "http": {
-      "anonymous_auth_enabled": false
-    },
-    "authc": {
-      "basic_internal_auth_domain": {
-        "http_enabled": true,
-        "transport_enabled": true,
-        "order": 0,
-        "http_authenticator": {
-          "challenge": true,
-          "type": "basic",
-          "config": {}
-        },
-        "authentication_backend": {
-          "type": "intern",
-          "config": {}
-        },
-        "description": "Authenticate via HTTP Basic against internal users database"
-      }
-    },
-    "auth_failure_listeners": {},
-    "do_not_fail_on_forbidden": false,
-    "multi_rolespan_enabled": true,
-    "hosts_resolver_mode": "ip-only",
-    "do_not_fail_on_forbidden_empty": false
-  }
-}
+GET _opendistro/_security/api/ssl/certs
 ```

 #### Sample response

 ```json
 {
-  "status": "OK",
-  "message": "'config' updated."
+  "http_certificates_list": [
+    {
+      "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
+      "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
+      "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
+      "not_before": "2018-04-22T03:43:47Z",
+      "not_after": "2028-04-19T03:43:47Z"
+    }
+  ],
+  "transport_certificates_list": [
+    {
+      "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
+      "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
+      "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
+      "not_before": "2018-04-22T03:43:47Z",
+      "not_after": "2028-04-19T03:43:47Z"
+    }
+  ]
 }
 ```
-
-
-### Patch configuration
-Introduced 1.0
-{: .label .label-purple }
-
-Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
-
-#### Request
-
-```json
-PATCH _plugins/_security/api/securityconfig
-[
-  {
-    "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
-  }
-]
-```
-
-#### Sample response
-
-```json
-{
-  "status": "OK",
-  "message": "Resource updated."
-}
-```
-
 ---

 ## Cache
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@ -315,6 +315,10 @@ _meta:

 ## tenants.yml

+You can use this file to specify and add any number of OpenSearch Dashboards tenants to your OpenSearch cluster. For more information about tenants, see [OpenSearch Dashboards multi-tenancy]({{site.url}}{{site.baseurl}}/security-plugin/access-control/multi-tenancy).
+
+Like all of the other YAML files, we recommend you use `tenants.yml` to add any tenants you must have in your cluster, and then use OpenSearch Dashboards or the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#tenants) if you need to further configure or create any other tenants.
+
 ```yml
 ---
 _meta:
@ -325,9 +329,12 @@ admin_tenant:
  description: "Demo tenant for admin user"
 ```

-
 ## nodes_dn.yml

+`nodes_dn.yml` lets you allow list certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) to enable communication between any number of nodes and/or clusters. For example, a node that allow lists the DN `CN=node1.example.com` accepts communication from any other node or certificate that uses that DN.
+
+The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically allow list DNs, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
+
 ```yml
 ---
 _meta: