Add descriptions to config yaml files and added some security APIs

2021-09-24 14:13:26 -07:00 · 2021-09-24 14:13:26 -07:00 · b12dab6705
parent 07b0650128
commit b12dab6705
2 changed files with 139 additions and 84 deletions
--- a/_security-plugin/access-control/api.md
+++ b/_security-plugin/access-control/api.md
@ -1179,6 +1179,117 @@ PATCH _plugins/_security/api/securityconfig
 }
 ```
 ---
 ## Distinguished names
 These REST APIs let a super admin allow list distinguished names to enable communication between clusters and/or nodes.
 Before you can use the REST API to add, retrieve, update, or delete any distinguished names, you must first add the following line to `opensearch.yml`:
 ```yml
 plugins.security.nodes_dn_dynamic_config_enabled: true
 ```
 ### Get distinguished names
 Retrieves all allow listed distinguished names.
 #### Request
 ```
 GET _plugins/_security/api/nodesdn
 ```
 #### Sample response
 ```json
 {
  "cluster1": {
    "nodes_dn": [
      "CN=cluster1.example.com"
    ]
  }
 }
 ```
 To get the distinguished names from a specific cluster or node, include its name in the request's URL.
 #### Request
 ```
 GET _plugins/_security/api/nodesdn/<cluster-name>
 ```
 #### Sample response
 ```json
 {
  "cluster3": {
    "nodes_dn": [
      "CN=cluster3.example.com"
    ]
  }
 }
 ```
 ### Add distinguished names
 Adds the specified distinguished names to the cluster's or node's allow list.
 #### Request
 ```json
 PUT _plugins/_security/api/nodesdn/<cluster-name>
 {
  "nodes_dn": [
    "CN=cluster3.example.com"
  ]
 }
 ```
 #### Sample response
 ```json
 {
  "status": "CREATED",
  "message": "'cluster3' created."
 }
 ```
 If the specified cluster or node already has an allow list of distinguished names, the PUT request updates the list instead.
 #### Sample response
 ```json
 {
  "status": "OK",
  "message": "'cluster7' updated."
 }
 ```
 ### Delete distinguished names
 Deletes the cluster's allow listed distinguished names.
 #### Request
 ```
 DELETE _plugins/_security/api/nodesdn/<cluster-name>
 ```
 #### Sample response
 ```json
 {
  "status": "OK",
  "message": "'cluster3' deleted."
 }
 ```
 ---
@ -1188,101 +1299,38 @@ PATCH _plugins/_security/api/securityconfig
 Introduced 1.0
 {: .label .label-purple }
-Retrieves the current security plugin configuration in JSON format.
+Retrieves the cluster's certificates.
 #### Request
 ```
-GET _plugins/_security/api/securityconfig
+GET _opendistro/_security/api/ssl/certs
 ```
 ### Update configuration
 Introduced 1.0
 {: .label .label-purple }
 Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
 #### Request
 ```json
 PUT _plugins/_security/api/securityconfig/config
 {
  "dynamic": {
    "filtered_alias_mode": "warn",
    "disable_rest_auth": false,
    "disable_intertransport_auth": false,
    "respect_request_indices_options": false,
    "opensearch-dashboards": {
      "multitenancy_enabled": true,
      "server_username": "kibanaserver",
      "index": ".opensearch-dashboards"
    },
    "http": {
      "anonymous_auth_enabled": false
    },
    "authc": {
      "basic_internal_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
          "challenge": true,
          "type": "basic",
          "config": {}
        },
        "authentication_backend": {
          "type": "intern",
          "config": {}
        },
        "description": "Authenticate via HTTP Basic against internal users database"
      }
    },
    "auth_failure_listeners": {},
    "do_not_fail_on_forbidden": false,
    "multi_rolespan_enabled": true,
    "hosts_resolver_mode": "ip-only",
    "do_not_fail_on_forbidden_empty": false
  }
 }
 ```
 #### Sample response
 ```json
 {
-  "status": "OK",
+  "http_certificates_list": [
  "message": "'config' updated."
 }
 ```
 ### Patch configuration
 Introduced 1.0
 {: .label .label-purple }
 Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
 #### Request
 ```json
 PATCH _plugins/_security/api/securityconfig
 [
    {
-    "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
+      "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
      "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
      "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
      "not_before": "2018-04-22T03:43:47Z",
      "not_after": "2028-04-19T03:43:47Z"
    }
  ],
  "transport_certificates_list": [
    {
      "issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
      "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
      "san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
      "not_before": "2018-04-22T03:43:47Z",
      "not_after": "2028-04-19T03:43:47Z"
    }
  ]
 ```
 #### Sample response
 ```json
 {
  "status": "OK",
  "message": "Resource updated."
 }
 ```
 ---
 ## Cache
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@ -315,6 +315,10 @@ _meta:
 ## tenants.yml
 You can use this file to specify and add any number of OpenSearch Dashboards tenants to your OpenSearch cluster. For more information about tenants, see [OpenSearch Dashboards multi-tenancy]({{site.url}}{{site.baseurl}}/security-plugin/access-control/multi-tenancy).
 Like all of the other YAML files, we recommend you use `tenants.yml` to add any tenants you must have in your cluster, and then use OpenSearch Dashboards or the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#tenants) if you need to further configure or create any other tenants.
 ```yml
 ---
 _meta:
@ -325,9 +329,12 @@ admin_tenant:
  description: "Demo tenant for admin user"
 ```
 ## nodes_dn.yml
 `nodes_dn.yml` lets you allow list certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) to enable communication between any number of nodes and/or clusters. For example, a node that allow lists the DN `CN=node1.example.com` accepts communication from any other node or certificate that uses that DN.
 The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically allow list DNs, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
 ```yml
 ---
 _meta: