Add descriptions to config yaml files and added some security APIs

This commit is contained in:
keithhc2 2021-09-24 14:13:26 -07:00
parent 07b0650128
commit b12dab6705
2 changed files with 139 additions and 84 deletions

View File

@ -1179,6 +1179,117 @@ PATCH _plugins/_security/api/securityconfig
}
```
---
## Distinguished names
These REST APIs let a super admin allow list distinguished names to enable communication between clusters and/or nodes.
Before you can use the REST API to add, retrieve, update, or delete any distinguished names, you must first add the following line to `opensearch.yml`:
```yml
plugins.security.nodes_dn_dynamic_config_enabled: true
```
### Get distinguished names
Retrieves all allow listed distinguished names.
#### Request
```
GET _plugins/_security/api/nodesdn
```
#### Sample response
```json
{
"cluster1": {
"nodes_dn": [
"CN=cluster1.example.com"
]
}
}
```
To get the distinguished names from a specific cluster or node, include its name in the request's URL.
#### Request
```
GET _plugins/_security/api/nodesdn/<cluster-name>
```
#### Sample response
```json
{
"cluster3": {
"nodes_dn": [
"CN=cluster3.example.com"
]
}
}
```
### Add distinguished names
Adds the specified distinguished names to the cluster's or node's allow list.
#### Request
```json
PUT _plugins/_security/api/nodesdn/<cluster-name>
{
"nodes_dn": [
"CN=cluster3.example.com"
]
}
```
#### Sample response
```json
{
"status": "CREATED",
"message": "'cluster3' created."
}
```
If the specified cluster or node already has an allow list of distinguished names, the PUT request updates the list instead.
#### Sample response
```json
{
"status": "OK",
"message": "'cluster7' updated."
}
```
### Delete distinguished names
Deletes the cluster's allow listed distinguished names.
#### Request
```
DELETE _plugins/_security/api/nodesdn/<cluster-name>
```
#### Sample response
```json
{
"status": "OK",
"message": "'cluster3' deleted."
}
```
---
@ -1188,101 +1299,38 @@ PATCH _plugins/_security/api/securityconfig
Introduced 1.0
{: .label .label-purple }
Retrieves the current security plugin configuration in JSON format.
Retrieves the cluster's certificates.
#### Request
```
GET _plugins/_security/api/securityconfig
```
### Update configuration
Introduced 1.0
{: .label .label-purple }
Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
#### Request
```json
PUT _plugins/_security/api/securityconfig/config
{
"dynamic": {
"filtered_alias_mode": "warn",
"disable_rest_auth": false,
"disable_intertransport_auth": false,
"respect_request_indices_options": false,
"opensearch-dashboards": {
"multitenancy_enabled": true,
"server_username": "kibanaserver",
"index": ".opensearch-dashboards"
},
"http": {
"anonymous_auth_enabled": false
},
"authc": {
"basic_internal_auth_domain": {
"http_enabled": true,
"transport_enabled": true,
"order": 0,
"http_authenticator": {
"challenge": true,
"type": "basic",
"config": {}
},
"authentication_backend": {
"type": "intern",
"config": {}
},
"description": "Authenticate via HTTP Basic against internal users database"
}
},
"auth_failure_listeners": {},
"do_not_fail_on_forbidden": false,
"multi_rolespan_enabled": true,
"hosts_resolver_mode": "ip-only",
"do_not_fail_on_forbidden_empty": false
}
}
GET _opendistro/_security/api/ssl/certs
```
#### Sample response
```json
{
"status": "OK",
"message": "'config' updated."
}
```
### Patch configuration
Introduced 1.0
{: .label .label-purple }
Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
#### Request
```json
PATCH _plugins/_security/api/securityconfig
[
"http_certificates_list": [
{
"op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
"not_before": "2018-04-22T03:43:47Z",
"not_after": "2028-04-19T03:43:47Z"
}
],
"transport_certificates_list": [
{
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
"not_before": "2018-04-22T03:43:47Z",
"not_after": "2028-04-19T03:43:47Z"
}
]
```
#### Sample response
```json
{
"status": "OK",
"message": "Resource updated."
}
```
---
## Cache

View File

@ -315,6 +315,10 @@ _meta:
## tenants.yml
You can use this file to specify and add any number of OpenSearch Dashboards tenants to your OpenSearch cluster. For more information about tenants, see [OpenSearch Dashboards multi-tenancy]({{site.url}}{{site.baseurl}}/security-plugin/access-control/multi-tenancy).
Like all of the other YAML files, we recommend you use `tenants.yml` to add any tenants you must have in your cluster, and then use OpenSearch Dashboards or the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#tenants) if you need to further configure or create any other tenants.
```yml
---
_meta:
@ -325,9 +329,12 @@ admin_tenant:
description: "Demo tenant for admin user"
```
## nodes_dn.yml
`nodes_dn.yml` lets you allow list certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) to enable communication between any number of nodes and/or clusters. For example, a node that allow lists the DN `CN=node1.example.com` accepts communication from any other node or certificate that uses that DN.
The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically allow list DNs, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
```yml
---
_meta: