Break up allowlist

Signed-off-by: Naarcha-AWS <naarcha@amazon.com>
Naarcha-AWS 2022-05-03 14:49:55 -05:00
parent 73eea241ef
commit c6f7341993
3 changed files with 5 additions and 5 deletions

@ -192,7 +192,7 @@ config:
internalProxies: '<opensearch-dashboards-ip-address>'
```
To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allowlist in `opensearch_dashboards.yml`:
To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allow list in `opensearch_dashboards.yml`:
```yml
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
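
Review bot: The reworded sentence now says "HTTP header allow list" while the setting in the block directly below is still spelled `opensearch.requestHeadersAllowlist`, so the prose term no longer matches anything a reader can search for in `opensearch_dashboards.yml`. Consider naming the key in the sentence, for example "add them to the HTTP header allow list (`opensearch.requestHeadersAllowlist`) in `opensearch_dashboards.yml`", so it is clear the two-word phrase refers to that setting and that the key name itself is unchanged.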

@ -302,13 +302,13 @@ Because most of the SAML-specific configuration is done in the security plugin,
opensearch_security.auth.type: "saml"
```
In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be allowlisted:
In addition, you must add the OpenSearch Dashboards endpoint for validating the SAML assertions to your allow list:
```yml
server.xsrf.allowlist: ["/_plugins/_security/saml/acs"]
```
If you use the logout POST binding, you also need to allowlist the logout endpoint:
If you use the logout POST binding, you also need to ad the logout endpoint to your allow list:
```yml
server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
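
Review bot: Typo in the new logout sentence: "you also need to ad the logout endpoint" should read "add". Both new sentences in this hunk also say "your allow list" without saying which one; since the blocks below set `server.xsrf.allowlist`, naming it as the XSRF allow list would keep readers from confusing it with the request header allow list described elsewhere in these docs.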

@ -45,9 +45,9 @@ The endpoint the OpenSearch Dashboards security plugin provides is:
/_plugins/_security/saml/acs
```
Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to allowlist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to add all endpoints to the allow list that they send requests to. Ensure that the ACS endpoint is listed.
OpenSearch Dashboards also requires you to allowlist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:
OpenSearch Dashboards also requires you to add this endpoint to the allow list. Make sure you have the following entry in `opensearch_dashboards.yml`:
```
server.xsrf.allowlist: [/_plugins/_security/saml/acs]
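
Review bot: In the new IdP sentence, "add all endpoints to the allow list that they send requests to" attaches the relative clause to "the allow list" instead of "endpoints", which changes the meaning. Suggest "Some IdPs also require you to add every endpoint that they send requests to to their allow list", or restructure as "Some IdPs also maintain an allow list of endpoints they send requests to." Separately, the context block here shows the path unquoted (`[/_plugins/_security/saml/acs]`) and in an untagged fence, while the other file touched by this commit quotes the same path inside a `yml` fence; aligning the two would be worth doing while these lines are being edited.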