Add descriptions to config yaml files and added some security APIs
This commit is contained in:
parent
07b0650128
commit
b12dab6705
|
@ -1179,6 +1179,117 @@ PATCH _plugins/_security/api/securityconfig
|
|||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Distinguished names
|
||||
|
||||
These REST APIs let a super admin allow list distinguished names to enable communication between clusters and/or nodes.
|
||||
|
||||
Before you can use the REST API to add, retrieve, update, or delete any distinguished names, you must first add the following line to `opensearch.yml`:
|
||||
|
||||
```yml
|
||||
plugins.security.nodes_dn_dynamic_config_enabled: true
|
||||
```
|
||||
|
||||
|
||||
### Get distinguished names
|
||||
|
||||
Retrieves all allow listed distinguished names.
|
||||
|
||||
#### Request
|
||||
|
||||
```
|
||||
GET _plugins/_security/api/nodesdn
|
||||
```
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"cluster1": {
|
||||
"nodes_dn": [
|
||||
"CN=cluster1.example.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
To get the distinguished names from a specific cluster or node, include its name in the request's URL.
|
||||
|
||||
#### Request
|
||||
|
||||
```
|
||||
GET _plugins/_security/api/nodesdn/<cluster-name>
|
||||
```
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"cluster3": {
|
||||
"nodes_dn": [
|
||||
"CN=cluster3.example.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### Add distinguished names
|
||||
|
||||
Adds the specified distinguished names to the cluster's or node's allow list.
|
||||
|
||||
#### Request
|
||||
|
||||
```json
|
||||
PUT _plugins/_security/api/nodesdn/<cluster-name>
|
||||
{
|
||||
"nodes_dn": [
|
||||
"CN=cluster3.example.com"
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"status": "CREATED",
|
||||
"message": "'cluster3' created."
|
||||
}
|
||||
```
|
||||
|
||||
If the specified cluster or node already has an allow list of distinguished names, the PUT request updates the list instead.
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"status": "OK",
|
||||
"message": "'cluster7' updated."
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### Delete distinguished names
|
||||
|
||||
Deletes the cluster's allow listed distinguished names.
|
||||
|
||||
#### Request
|
||||
|
||||
```
|
||||
DELETE _plugins/_security/api/nodesdn/<cluster-name>
|
||||
```
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"status": "OK",
|
||||
"message": "'cluster3' deleted."
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
---
|
||||
|
||||
|
@ -1188,101 +1299,38 @@ PATCH _plugins/_security/api/securityconfig
|
|||
Introduced 1.0
|
||||
{: .label .label-purple }
|
||||
|
||||
Retrieves the current security plugin configuration in JSON format.
|
||||
Retrieves the cluster's certificates.
|
||||
|
||||
#### Request
|
||||
|
||||
```
|
||||
GET _plugins/_security/api/securityconfig
|
||||
```
|
||||
|
||||
|
||||
### Update configuration
|
||||
Introduced 1.0
|
||||
{: .label .label-purple }
|
||||
|
||||
Creates or updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
|
||||
|
||||
#### Request
|
||||
|
||||
```json
|
||||
PUT _plugins/_security/api/securityconfig/config
|
||||
{
|
||||
"dynamic": {
|
||||
"filtered_alias_mode": "warn",
|
||||
"disable_rest_auth": false,
|
||||
"disable_intertransport_auth": false,
|
||||
"respect_request_indices_options": false,
|
||||
"opensearch-dashboards": {
|
||||
"multitenancy_enabled": true,
|
||||
"server_username": "kibanaserver",
|
||||
"index": ".opensearch-dashboards"
|
||||
},
|
||||
"http": {
|
||||
"anonymous_auth_enabled": false
|
||||
},
|
||||
"authc": {
|
||||
"basic_internal_auth_domain": {
|
||||
"http_enabled": true,
|
||||
"transport_enabled": true,
|
||||
"order": 0,
|
||||
"http_authenticator": {
|
||||
"challenge": true,
|
||||
"type": "basic",
|
||||
"config": {}
|
||||
},
|
||||
"authentication_backend": {
|
||||
"type": "intern",
|
||||
"config": {}
|
||||
},
|
||||
"description": "Authenticate via HTTP Basic against internal users database"
|
||||
}
|
||||
},
|
||||
"auth_failure_listeners": {},
|
||||
"do_not_fail_on_forbidden": false,
|
||||
"multi_rolespan_enabled": true,
|
||||
"hosts_resolver_mode": "ip-only",
|
||||
"do_not_fail_on_forbidden_empty": false
|
||||
}
|
||||
}
|
||||
GET _opendistro/_security/api/ssl/certs
|
||||
```
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"status": "OK",
|
||||
"message": "'config' updated."
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### Patch configuration
|
||||
Introduced 1.0
|
||||
{: .label .label-purple }
|
||||
|
||||
Updates the existing configuration using the REST API rather than `securityadmin.sh`. This operation can easily break your existing configuration, so we recommend using `securityadmin.sh` instead. See [Access control for the API](#access-control-for-the-api) for how to enable this operation.
|
||||
|
||||
#### Request
|
||||
|
||||
```json
|
||||
PATCH _plugins/_security/api/securityconfig
|
||||
[
|
||||
"http_certificates_list": [
|
||||
{
|
||||
"op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
|
||||
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
|
||||
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
|
||||
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
|
||||
"not_before": "2018-04-22T03:43:47Z",
|
||||
"not_after": "2028-04-19T03:43:47Z"
|
||||
}
|
||||
],
|
||||
"transport_certificates_list": [
|
||||
{
|
||||
"issuer_dn": "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
|
||||
"subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
|
||||
"san": "[[8, 1.2.3.4.5.5], [2, node-0.example.com]",
|
||||
"not_before": "2018-04-22T03:43:47Z",
|
||||
"not_after": "2028-04-19T03:43:47Z"
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
#### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"status": "OK",
|
||||
"message": "Resource updated."
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Cache
|
||||
|
|
|
@ -315,6 +315,10 @@ _meta:
|
|||
|
||||
## tenants.yml
|
||||
|
||||
You can use this file to specify and add any number of OpenSearch Dashboards tenants to your OpenSearch cluster. For more information about tenants, see [OpenSearch Dashboards multi-tenancy]({{site.url}}{{site.baseurl}}/security-plugin/access-control/multi-tenancy).
|
||||
|
||||
Like all of the other YAML files, we recommend you use `tenants.yml` to add any tenants you must have in your cluster, and then use OpenSearch Dashboards or the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#tenants) if you need to further configure or create any other tenants.
|
||||
|
||||
```yml
|
||||
---
|
||||
_meta:
|
||||
|
@ -325,9 +329,12 @@ admin_tenant:
|
|||
description: "Demo tenant for admin user"
|
||||
```
|
||||
|
||||
|
||||
## nodes_dn.yml
|
||||
|
||||
`nodes_dn.yml` lets you allow list certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) to enable communication between any number of nodes and/or clusters. For example, a node that allow lists the DN `CN=node1.example.com` accepts communication from any other node or certificate that uses that DN.
|
||||
|
||||
The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically allow list DNs, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
|
||||
|
||||
```yml
|
||||
---
|
||||
_meta:
|
||||
|
|