From c6f73419938d8e7c53b467b0bcbb34eeb4cecfd6 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS Date: Tue, 3 May 2022 14:49:55 -0500 Subject: [PATCH] Break up allowlist Signed-off-by: Naarcha-AWS --- _security-plugin/configuration/proxy.md | 2 +- _security-plugin/configuration/saml.md | 4 ++-- _troubleshoot/saml.md | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/_security-plugin/configuration/proxy.md b/_security-plugin/configuration/proxy.md index cdcfb4f9..8e7b88b9 100644 --- a/_security-plugin/configuration/proxy.md +++ b/_security-plugin/configuration/proxy.md @@ -192,7 +192,7 @@ config: internalProxies: '' ``` -To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allowlist in `opensearch_dashboards.yml`: +To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allow list in `opensearch_dashboards.yml`: ```yml opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"] diff --git a/_security-plugin/configuration/saml.md b/_security-plugin/configuration/saml.md index 289c8ae4..bd7a1594 100755 --- a/_security-plugin/configuration/saml.md +++ b/_security-plugin/configuration/saml.md 
@@ -302,13 +302,13 @@ Because most of the SAML-specific configuration is done in the security plugin, opensearch_security.auth.type: "saml" ``` -In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be allowlisted: +In addition, you must add the OpenSearch Dashboards endpoint for validating the SAML assertions to your allow list: ```yml server.xsrf.allowlist: ["/_plugins/_security/saml/acs"] ``` -If you use the logout POST binding, you also need to allowlist the logout endpoint: +If you use the logout POST binding, you also need to ad the logout endpoint to your allow list: ```yml server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] diff --git a/_troubleshoot/saml.md b/_troubleshoot/saml.md index 2ef748a1..103604a8 100644 --- a/_troubleshoot/saml.md +++ b/_troubleshoot/saml.md @@ -45,9 +45,9 @@ The endpoint the OpenSearch Dashboards security plugin provides is: /_plugins/_security/saml/acs ``` -Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to allowlist all endpoints that they send requests to. Ensure that the ACS endpoint is listed. +Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to add all endpoints to the allow list that they send requests to. Ensure that the ACS endpoint is listed. -OpenSearch Dashboards also requires you to allowlist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`: +OpenSearch Dashboards also requires you to add this endpoint to the allow list. Make sure you have the following entry in `opensearch_dashboards.yml`: ``` server.xsrf.allowlist: [/_plugins/_security/saml/acs]
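Review bot: in `_security-plugin/configuration/proxy.md`, the reworded sentence now says "HTTP header allow list" while the setting in the example directly below it is still spelled `opensearch.requestHeadersAllowlist`, so the prose no longer matches the term a reader would search for. Consider naming the key in the sentence itself, for example "add them to `opensearch.requestHeadersAllowlist` in `opensearch_dashboards.yml`".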
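Review bot: typo in the second changed sentence of `_security-plugin/configuration/saml.md`: "you also need to ad the logout endpoint" should read "add". Both new sentences also say "your allow list" without saying which one. Only the YAML shows that it is `server.xsrf.allowlist`, so naming that setting in the prose would make clear which list these endpoints are being added to.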
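Review bot: in `_troubleshoot/saml.md`, "add all endpoints to the allow list that they send requests to" attaches the relative clause to the list instead of the endpoints. Something like "Some IdPs also require an allow list of all endpoints that they send requests to" reads more cleanly. The following sentence then uses "the allow list" for a different list (the `server.xsrf.allowlist` entry in `opensearch_dashboards.yml`), so the IdP-side and Dashboards-side lists read as one; naming the setting would separate them. The example in the trailing context also leaves the path unquoted (`[/_plugins/_security/saml/acs]`) while the `saml.md` examples quote it, which is worth aligning while touching this section.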