Add descriptions to config yaml files and added some security APIs
This commit is contained in:
parent
07b0650128
commit
b12dab6705
|
@ -1179,6 +1179,117 @@ PATCH _plugins/_security/api/securityconfig
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Distinguished names
|
||||||
|
|
||||||
|
These REST APIs let a super admin allow list distinguished names to enable communication between clusters and/or nodes.
|
||||||
|
|
||||||
|
Before you can use the REST API to add, retrieve, update, or delete any distinguished names, you must first add the following line to `opensearch.yml`:
|
||||||
|
|
||||||
|
```yml
|
||||||
|
plugins.security.nodes_dn_dynamic_config_enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Get distinguished names
|
||||||
|
|
||||||
|
Retrieves all allow listed distinguished names.
|
||||||
|
|
||||||
|
#### Request
|
||||||
|
|
||||||
|
```
|
||||||
|
GET _plugins/_security/api/nodesdn
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Sample response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"cluster1": {
|
||||||
|
"nodes_dn": [
|
||||||
|
"CN=cluster1.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
To get the distinguished names from a specific cluster or node, include its name in the request's URL.
|
||||||
|
|
||||||
|
#### Request
|
||||||
|
|
||||||
|
```
|
||||||
|
GET _plugins/_security/api/nodesdn/<cluster-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Sample response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"cluster3": {
|
||||||
|
"nodes_dn": [
|
||||||
|
"CN=cluster3.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Add distinguished names
|
||||||
|
|
||||||
|
Adds the specified distinguished names to the cluster's or node's allow list.
|
||||||
|
|
||||||
|
#### Request
|
||||||
|
|
||||||
|
```json
|
||||||
|
PUT _plugins/_security/api/nodesdn/<cluster-name>
|
||||||
|
{
|
||||||
|
"nodes_dn": [
|
||||||
|
"CN=cluster3.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Sample response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"status": "CREATED",
|
||||||
|
"message": "'cluster3' created."
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
If the specified cluster or node already has an allow list of distinguished names, the PUT request updates the list instead.
|
||||||
|
|
||||||
|
#### Sample response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"status": "OK",
|
||||||
|
"message": "'cluster7' updated."
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Delete distinguished names
|
||||||
|
|
||||||
|
Deletes the cluster's allow listed distinguished names.
|
||||||
|
|
||||||
|
#### Request
|
||||||
|
|
||||||
|
```
|
||||||
|
DELETE _plugins/_security/api/nodesdn/<cluster-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Sample response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"status": "OK",
|
||||||
|
"message": "'cluster3' deleted."
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -1188,101 +1299,38 @@ PATCH _plugins/_security/api/securityconfig
|
||||||
Introduced 1.0
|
Introduced 1.0
|
||||||
{: .label .label-purple }
|
{: .label .label-purple }
|
||||||
|
|
||||||
Retrieves the current security plugin configuration in JSON format.
|
Retrieves the cluster's certificates.
|
||||||
|
|
||||||
#### Request
|
#### Request
|
||||||
|
|
||||||
```
|
```
|
||||||
GET _plugins/_security/api/securityconfig
|
GET _opendistro/_security/api/ssl/certs
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
### Update configuration
|
|
||||||
Introduced 1.0
|
|
||||||
{: .label .label-purple }
|
|
||||||
|
|
||||||
Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
|
|
||||||
|
|
||||||
#### Request
|
|
||||||
|
|
||||||
```json
|
|
||||||
PUT _plugins/_security/api/securityconfig/config
|
|
||||||
{
|
|
||||||
"dynamic": {
|
|
||||||
"filtered_alias_mode": "warn",
|
|
||||||
"disable_rest_auth": false,
|
|
||||||
"disable_intertransport_auth": false,
|
|
||||||
"respect_request_indices_options": false,
|
|
||||||
"opensearch-dashboards": {
|
|
||||||
"multitenancy_enabled": true,
|
|
||||||
"server_username": "kibanaserver",
|
|
||||||
"index": ".opensearch-dashboards"
|
|
||||||
},
|
|
||||||
"http": {
|
|
||||||
"anonymous_auth_enabled": false
|
|
||||||
},
|
|
||||||
"authc": {
|
|
||||||
"basic_internal_auth_domain": {
|
|
||||||
"http_enabled": true,
|
|
||||||
"transport_enabled": true,
|
|
||||||
"order": 0,
|
|
||||||
"http_authenticator": {
|
|
||||||
"challenge": true,
|
|
||||||
"type": "basic",
|
|
||||||
"config": {}
|
|
||||||
},
|
|
||||||
"authentication_backend": {
|
|
||||||
"type": "intern",
|
|
||||||
"config": {}
|
|
||||||
},
|
|
||||||
"description": "Authenticate via HTTP Basic against internal users database"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"auth_failure_listeners": {},
|
|
||||||
"do_not_fail_on_forbidden": false,
|
|
||||||
"multi_rolespan_enabled": true,
|
|
||||||
"hosts_resolver_mode": "ip-only",
|
|
||||||
"do_not_fail_on_forbidden_empty": false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Sample response
|
#### Sample response
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"status": "OK",
|
"http_certificates_list": [
|
||||||
"message": "'config' updated."
|
{
|
||||||
|
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
|
||||||
|
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
|
||||||
|
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
|
||||||
|
"not_before": "2018-04-22T03:43:47Z",
|
||||||
|
"not_after": "2028-04-19T03:43:47Z"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"transport_certificates_list": [
|
||||||
|
{
|
||||||
|
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
|
||||||
|
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
|
||||||
|
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
|
||||||
|
"not_before": "2018-04-22T03:43:47Z",
|
||||||
|
"not_after": "2028-04-19T03:43:47Z"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Patch configuration
|
|
||||||
Introduced 1.0
|
|
||||||
{: .label .label-purple }
|
|
||||||
|
|
||||||
Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
|
|
||||||
|
|
||||||
#### Request
|
|
||||||
|
|
||||||
```json
|
|
||||||
PATCH _plugins/_security/api/securityconfig
|
|
||||||
[
|
|
||||||
{
|
|
||||||
"op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Sample response
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"status": "OK",
|
|
||||||
"message": "Resource updated."
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Cache
|
## Cache
|
||||||
|
|
|
@ -315,6 +315,10 @@ _meta:
|
||||||
|
|
||||||
## tenants.yml
|
## tenants.yml
|
||||||
|
|
||||||
|
You can use this file to specify and add any number of OpenSearch Dashboards tenants to your OpenSearch cluster. For more information about tenants, see [OpenSearch Dashboards multi-tenancy]({{site.url}}{{site.baseurl}}/security-plugin/access-control/multi-tenancy).
|
||||||
|
|
||||||
|
Like all of the other YAML files, we recommend you use `tenants.yml` to add any tenants you must have in your cluster, and then use OpenSearch Dashboards or the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#tenants) if you need to further configure or create any other tenants.
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
---
|
---
|
||||||
_meta:
|
_meta:
|
||||||
|
@ -325,9 +329,12 @@ admin_tenant:
|
||||||
description: "Demo tenant for admin user"
|
description: "Demo tenant for admin user"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## nodes_dn.yml
|
## nodes_dn.yml
|
||||||
|
|
||||||
|
`nodes_dn.yml` lets you allow list certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) to enable communication between any number of nodes and/or clusters. For example, a node that allow lists the DN `CN=node1.example.com` accepts communication from any other node or certificate that uses that DN.
|
||||||
|
|
||||||
|
The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically allow list DNs, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
---
|
---
|
||||||
_meta:
|
_meta:
|
||||||
|
|
Loading…
Reference in New Issue