Addressed comments

This commit is contained in:
keithhc2 2021-09-27 10:07:37 -07:00
parent 430b9fed50
commit c85fd21b4f
2 changed files with 9 additions and 9 deletions


@ -1183,9 +1183,9 @@ PATCH _plugins/_security/api/securityconfig
## Distinguished names ## Distinguished names
These REST APIs let a super admin allow list distinguished names to enable communication between clusters and/or nodes. These REST APIs let a super admin add, retrieve, update, or delete any distinguished names from an allow list to enable communication between clusters and/or nodes.
Before you can use the REST API to add, retrieve, update, or delete any distinguished names, you must first add the following line to `opensearch.yml`: Before you can use the REST API to configure the allow list, you must first add the following line to `opensearch.yml`:
```yml ```yml
plugins.security.nodes_dn_dynamic_config_enabled: true plugins.security.nodes_dn_dynamic_config_enabled: true
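Review bot: the new first sentence reads "add, retrieve, update, or delete any distinguished names from an allow list", which makes "add ... from an allow list" grammatically odd; suggest "add distinguished names to an allow list, and retrieve, update, or delete them" so the direction of each operation is clear. The second sentence ("configure the allow list") is fine, but since this section describes per-cluster lists, consider "allow lists" here for consistency with the rest of the section.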
@ -1194,7 +1194,7 @@ plugins.security.nodes_dn_dynamic_config_enabled: true
### Get distinguished names ### Get distinguished names
Retrieves all allow listed distinguished names. Retrieves all distinguished names in the allow list.
#### Request #### Request
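Review bot: "Retrieves all distinguished names in the allow list" leaves it ambiguous which allow list is meant, given that the next subsection describes per-cluster and per-node lists addressed by name; suggest "Retrieves the distinguished names in every allow list" (or "across all clusters and nodes") so the unqualified GET is clearly the aggregate view.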
@ -1214,7 +1214,7 @@ GET _plugins/_security/api/nodesdn
} }
``` ```
To get the distinguished names from a specific cluster or node, include its name in the request's URL. To get the distinguished names from a specific cluster's or node's allow list, include the cluster's name in the request path.
#### Request #### Request
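Review bot: the new sentence says "a specific cluster's or node's allow list" but then only tells the reader to "include the cluster's name in the request path"; if nodes are addressed the same way, write "include the cluster's or node's name", otherwise drop "or node's" so the prose matches the `<cluster-name>` placeholder used in the path.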
@ -1262,7 +1262,7 @@ PUT _plugins/_security/api/nodesdn/<cluster-name>
### Delete distinguished names ### Delete distinguished names
Deletes the cluster's allow listed distinguished names. Deletes all distinguished names in the specified cluster's or node's allow list.
#### Request #### Request
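Review bot: "Deletes all distinguished names in the specified cluster's or node's allow list" is clearer than before, but since this removes the entire list for that cluster rather than a single entry, consider stating that explicitly (for example "Removes the entire allow list for the specified cluster or node") so a reader does not expect a per-DN delete.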


@ -126,7 +126,7 @@ plugins.security.restapi.password_validation_error_message: "Password must be mi
## whitelist.yml ## whitelist.yml
You can use `whitelist.yml` to allow list any endpoints and HTTP requests. If enabled, all users except the SuperAdmin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is allow listed, users cannot submit PUT requests to `_cluster/settings` to update cluster settings. You can use `whitelist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings. Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings.
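Review bot: "add any endpoints and HTTP requests to a list of allowed endpoints and requests" is wordy; the term the rest of the commit settles on is "allow list", so "add endpoints and HTTP requests to an allow list" keeps the vocabulary consistent. Good that "SuperAdmin" becomes "super admin" to match the other file. Because the file itself is still `whitelist.yml` (see the heading), it may be worth keeping one mention that the file name is unchanged so readers searching for the old term still land here.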
@ -165,7 +165,7 @@ requests:
- PUT - PUT
``` ```
You can also allow list custom indices. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to allow list. You can also add custom indices to the allow list. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
```yml ```yml
requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1 requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1
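Review bot: "specify all of the indices you want to add" drops the object of the action; suggest "all of the indices you want to add to the allow list" (or "want to allow"). The first sentence's "add custom indices to the allow list" is fine.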
@ -331,9 +331,9 @@ admin_tenant:
## nodes_dn.yml ## nodes_dn.yml
`nodes_dn.yml` lets you allow list certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) to enable communication between any number of nodes and/or clusters. For example, a node that allow lists the DN `CN=node1.example.com` accepts communication from any other node or certificate that uses that DN. `nodes_dn.yml` lets you add certificates' [distinguished names (DNs)]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/#add-distinguished-names-to-opensearchyml) an allow list to enable communication between any number of nodes and/or clusters. For example, a node that has the DN `CN=node1.example.com` in its allow list accepts communication from any other node or certificate that uses that DN.
The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically allow list DNs, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names). The DNs get indexed into a [system index]({{site.url}}{{site.baseurl}}/security-plugin/configuration/system-indices) that only a super admin or an admin with a Transport Layer Security (TLS) certificate can access. If you want to programmatically add DNs to your allow lists, use the [REST API]({{site.url}}{{site.baseurl}}/security-plugin/access-control/api/#distinguished-names).
```yml ```yml
--- ---
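Review bot: the new text "lets you add certificates' [distinguished names (DNs)](...) an allow list" is missing the preposition; it should read "to an allow list". In the following paragraph, "add DNs to your allow lists" (plural) is inconsistent with the singular "allow list" used in the sentence above and in the REST API section; pick one form for the whole page.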