From d74507e3c47db0394a1306533aa2b665d5ad29b2 Mon Sep 17 00:00:00 2001
From: aetter
Date: Thu, 10 Jun 2021 11:15:44 -0700
Subject: [PATCH] Security REST API
---
 _search-plugins/async/security.md | 6 +-
 _security-plugin/access-control/api.md | 82 +++++++++----------
 .../access-control/cross-cluster-search.md | 8 +-
 .../access-control/document-level-security.md | 8 +-
 .../access-control/impersonation.md | 4 +-
 _security-plugin/configuration/client-auth.md | 2 +-
 _security-plugin/configuration/saml.md | 8 +-
 _troubleshoot/saml.md | 6 +-
 8 files changed, 62 insertions(+), 62 deletions(-)
diff --git a/_search-plugins/async/security.md b/_search-plugins/async/security.md
index 277b9d5c..1992d279 100644
--- a/_search-plugins/async/security.md
+++ b/_search-plugins/async/security.md
@@ -33,7 +33,7 @@ For example, consider two users: `judy` and `elon`. `judy` has an IT backend role: ```json
-PUT _opensearch/_security/api/internalusers/judy
+PUT _plugins/_security/api/internalusers/judy { "password": "judy", "backend_roles": [
@@ -46,7 +46,7 @@ PUT _opensearch/_security/api/internalusers/judy `elon` has an admin backend role: ```json
-PUT _opensearch/_security/api/internalusers/elon
+PUT _plugins/_security/api/internalusers/elon { "password": "elon", "backend_roles": [
@@ -59,7 +59,7 @@ PUT _opensearch/_security/api/internalusers/elon Both `judy` and `elon` have full access to asynchronous search: ```json
-PUT _opensearch/_security/api/rolesmapping/async_full_access
+PUT _plugins/_security/api/rolesmapping/async_full_access { "backend_roles": [], "hosts": [],
diff --git a/_security-plugin/access-control/api.md b/_security-plugin/access-control/api.md
index d2a8fc6b..fbfe2be7 100644
--- a/_security-plugin/access-control/api.md
+++ b/_security-plugin/access-control/api.md
@@ -52,7 +52,7 @@ Possible values for `method` are: - DELETE - PATCH
-For example, the following configuration grants three roles access to the REST API, but then prevents `test-role` from making PUT, POST, DELETE, or PATCH requests to `_opensearch/_security/api/roles` or `_opensearch/_security/api/internalusers`:
+For example, the following configuration grants three roles access to the REST API, but then prevents `test-role` from making PUT, POST, DELETE, or PATCH requests to `_plugins/_security/api/roles` or `_plugins/_security/api/internalusers`: ```yml plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "test-role"]
@@ -102,7 +102,7 @@ Returns account details for the current user. For example, if you sign the reque #### Request ```
-GET _opensearch/_security/api/account
+GET _plugins/_security/api/account ``` #### Sample response
@@ -139,7 +139,7 @@ Changes the password for the current user. #### Request ```json
-PUT _opensearch/_security/api/account
+PUT _plugins/_security/api/account { "current_password" : "old-password", "password" : "new-password"
@@ -169,7 +169,7 @@ Retrieves one action group. #### Request ```
-GET _opensearch/_security/api/actiongroups/
+GET _plugins/_security/api/actiongroups/ ``` #### Sample response
@@ -199,7 +199,7 @@ Retrieves all action groups. #### Request ```
-GET _opensearch/_security/api/actiongroups/
+GET _plugins/_security/api/actiongroups/ ```
@@ -228,7 +228,7 @@ GET _opensearch/_security/api/actiongroups/ #### Request ```
-DELETE _opensearch/_security/api/actiongroups/
+DELETE _plugins/_security/api/actiongroups/ ``` #### Sample response
@@ -248,7 +248,7 @@ Creates or replaces the specified action group. #### Request ```json
-PUT _opensearch/_security/api/actiongroups/
+PUT _plugins/_security/api/actiongroups/ { "allowed_actions": [ "indices:data/write/index*",
@@ -278,7 +278,7 @@ Updates individual attributes of an action group. #### Request ```json
-PATCH _opensearch/_security/api/actiongroups/
+PATCH _plugins/_security/api/actiongroups/ [ { "op": "replace", "path": "/allowed_actions", "value": ["indices:admin/create", "indices:admin/mapping/put"]
@@ -303,7 +303,7 @@ Creates, updates, or deletes multiple action groups in a single call. #### Request ```json
-PATCH _opensearch/_security/api/actiongroups
+PATCH _plugins/_security/api/actiongroups [ { "op": "add", "path": "/CREATE_INDEX", "value": { "allowed_actions": ["indices:admin/create", "indices:admin/mapping/put"] }
@@ -336,7 +336,7 @@ These calls let you create, update, and delete internal users. If you use an ext #### Request ```
-GET _opensearch/_security/api/internalusers/
+GET _plugins/_security/api/internalusers/ ```
@@ -361,7 +361,7 @@ GET _opensearch/_security/api/internalusers/ #### Request ```
-GET _opensearch/_security/api/internalusers/
+GET _plugins/_security/api/internalusers/ ``` #### Sample response
@@ -385,7 +385,7 @@ GET _opensearch/_security/api/internalusers/ #### Request ```
-DELETE _opensearch/_security/api/internalusers/
+DELETE _plugins/_security/api/internalusers/ ``` #### Sample response
@@ -407,7 +407,7 @@ Note that any role you supply in the `opensearch_security_roles` array must alre #### Request ```json
-PUT _opensearch/_security/api/internalusers/
+PUT _plugins/_security/api/internalusers/ { "password": "kirkpass", "opensearch_security_roles": ["maintenance_staff", "weapons"],
@@ -436,7 +436,7 @@ Updates individual attributes of an internal user. #### Request ```json
-PATCH _opensearch/_security/api/internalusers/
+PATCH _plugins/_security/api/internalusers/ [ { "op": "replace", "path": "/backend_roles", "value": ["klingons"]
@@ -466,7 +466,7 @@ Creates, updates, or deletes multiple internal users in a single call. #### Request ```json
-PATCH _opensearch/_security/api/internalusers
+PATCH _plugins/_security/api/internalusers [ { "op": "add", "path": "/spock", "value": { "password": "testpassword1", "backend_roles": ["testrole1"] }
@@ -502,7 +502,7 @@ Retrieves one role. #### Request ```
-GET _opensearch/_security/api/roles/
+GET _plugins/_security/api/roles/ ``` #### Sample response
@@ -548,7 +548,7 @@ Retrieves all roles. #### Request ```
-GET _opensearch/_security/api/roles/
+GET _plugins/_security/api/roles/ ``` #### Sample response
@@ -586,7 +586,7 @@ GET _opensearch/_security/api/roles/ #### Request ```
-DELETE _opensearch/_security/api/roles/
+DELETE _plugins/_security/api/roles/ ``` #### Sample response
@@ -606,7 +606,7 @@ Creates or replaces the specified role. #### Request ```json
-PUT _opensearch/_security/api/roles/
+PUT _plugins/_security/api/roles/ { "cluster_permissions": [ "cluster_composite_ops",
@@ -651,7 +651,7 @@ Updates individual attributes of a role. #### Request ```json
-PATCH _opensearch/_security/api/roles/
+PATCH _plugins/_security/api/roles/ [ { "op": "replace", "path": "/index_permissions/0/fls", "value": ["myfield1", "myfield2"]
@@ -679,7 +679,7 @@ Creates, updates, or deletes multiple roles in a single call. #### Request ```json
-PATCH _opensearch/_security/api/roles
+PATCH _plugins/_security/api/roles [ { "op": "replace", "path": "/role1/index_permissions/0/fls", "value": ["test1", "test2"]
@@ -714,7 +714,7 @@ Retrieves one role mapping. #### Request ```
-GET _opensearch/_security/api/rolesmapping/
+GET _plugins/_security/api/rolesmapping/ ``` #### Sample response
@@ -737,7 +737,7 @@ Retrieves all role mappings. #### Request ```
-GET _opensearch/_security/api/rolesmapping
+GET _plugins/_security/api/rolesmapping ``` #### Sample response
@@ -760,7 +760,7 @@ Deletes the specified role mapping. #### Request ```
-DELETE _opensearch/_security/api/rolesmapping/
+DELETE _plugins/_security/api/rolesmapping/ ``` #### Sample response
@@ -780,7 +780,7 @@ Creates or replaces the specified role mapping. #### Request ```json
-PUT _opensearch/_security/api/rolesmapping/
+PUT _plugins/_security/api/rolesmapping/ { "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ], "hosts" : [ "*.starfleetintranet.com" ],
@@ -805,7 +805,7 @@ Updates individual attributes of a role mapping. #### Request ```json
-PATCH _opensearch/_security/api/rolesmapping/
+PATCH _plugins/_security/api/rolesmapping/ [ { "op": "replace", "path": "/users", "value": ["myuser"]
@@ -833,7 +833,7 @@ Creates or updates multiple role mappings in a single call. #### Request ```json
-PATCH _opensearch/_security/api/rolesmapping
+PATCH _plugins/_security/api/rolesmapping [ { "op": "add", "path": "/human_resources", "value": { "users": ["user1"], "backend_roles": ["backendrole2"] }
@@ -865,7 +865,7 @@ Retrieves one tenant. #### Request ```
-GET _opensearch/_security/api/tenants/
+GET _plugins/_security/api/tenants/ ``` #### Sample response
@@ -889,7 +889,7 @@ Retrieves all tenants. #### Request ```
-GET _opensearch/_security/api/tenants/
+GET _plugins/_security/api/tenants/ ``` #### Sample response
@@ -919,7 +919,7 @@ Deletes the specified tenant. #### Request ```
-DELETE _opensearch/_security/api/tenants/
+DELETE _plugins/_security/api/tenants/ ``` #### Sample response
@@ -939,7 +939,7 @@ Creates or replaces the specified tenant. #### Request ```json
-PUT _opensearch/_security/api/tenants/
+PUT _plugins/_security/api/tenants/ { "description": "A tenant for the human resources team." }
@@ -962,7 +962,7 @@ Add, delete, or modify a single tenant. #### Request ```json
-PATCH _opensearch/_security/api/tenants/
+PATCH _plugins/_security/api/tenants/ [ { "op": "replace", "path": "/description", "value": "An updated description"
@@ -987,7 +987,7 @@ Add, delete, or modify multiple tenants in a single call. #### Request ```json
-PATCH _opensearch/_security/api/tenants/
+PATCH _plugins/_security/api/tenants/ [ { "op": "replace",
@@ -1024,7 +1024,7 @@ Retrieves the current security plugin configuration in JSON format. #### Request ```
-GET _opensearch/_security/api/securityconfig
+GET _plugins/_security/api/securityconfig ```
@@ -1035,7 +1035,7 @@ Creates or updates the existing configuration using the REST API. This operation #### Request ```json
-PUT _opensearch/_security/api/securityconfig/config
+PUT _plugins/_security/api/securityconfig/config { "dynamic": { "filtered_alias_mode": "warn",
@@ -1093,7 +1093,7 @@ Updates the existing configuration using the REST API. This operation can easily #### Request ```json
-PATCH _opensearch/_security/api/securityconfig
+PATCH _plugins/_security/api/securityconfig [ { "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
@@ -1122,7 +1122,7 @@ Retrieves the current security plugin configuration in JSON format. #### Request ```
-GET _opensearch/_security/api/securityconfig
+GET _plugins/_security/api/securityconfig ```
@@ -1133,7 +1133,7 @@ Creates or updates the existing configuration using the REST API rather than `se #### Request ```json
-PUT _opensearch/_security/api/securityconfig/config
+PUT _plugins/_security/api/securityconfig/config { "dynamic": { "filtered_alias_mode": "warn",
@@ -1191,7 +1191,7 @@ Updates the existing configuration using the REST API rather than `securityadmin #### Request ```json
-PATCH _opensearch/_security/api/securityconfig
+PATCH _plugins/_security/api/securityconfig [ { "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
@@ -1220,7 +1220,7 @@ Flushes the security plugin user, authentication, and authorization cache. #### Request ```
-DELETE _opensearch/_security/api/cache
+DELETE _plugins/_security/api/cache ```
@@ -1246,7 +1246,7 @@ Checks to see if the security plugin is up and running. If you operate your clus #### Request ```
-GET _opensearch/_security/health
+GET _plugins/_security/health ```
diff --git a/_security-plugin/access-control/cross-cluster-search.md b/_security-plugin/access-control/cross-cluster-search.md
index 8beb5eab..8a64f3f9 100644
--- a/_security-plugin/access-control/cross-cluster-search.md
+++ b/_security-plugin/access-control/cross-cluster-search.md
@@ -190,8 +190,8 @@ curl -XGET -k -u 'admin:admin' 'https://localhost:9250/opensearch-cluster1:books To continue testing, create a new user on both clusters: ```bash
-curl -XPUT -k -u 'admin:admin' 'https://localhost:9200/_opensearch/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
-curl -XPUT -k -u 'admin:admin' 'https://localhost:9250/_opensearch/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
+curl -XPUT -k -u 'admin:admin' 'https://localhost:9200/_plugins/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
+curl -XPUT -k -u 'admin:admin' 'https://localhost:9250/_plugins/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}' ``` Then run the same search as before with `booksuser`:
@@ -216,8 +216,8 @@ curl -XGET -k -u booksuser:password 'https://localhost:9250/opensearch-cluster1: Note the permissions error. On the remote cluster, create a role with the appropriate permissions, and map `booksuser` to that role: ```bash
-curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_opensearch/_security/api/roles/booksrole' -d '{"index_permissions":[{"index_patterns":["books"],"allowed_actions":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
-curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_opensearch/_security/api/rolesmapping/booksrole' -d '{"users" : ["booksuser"]}'
+curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_plugins/_security/api/roles/booksrole' -d '{"index_permissions":[{"index_patterns":["books"],"allowed_actions":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
+curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_plugins/_security/api/rolesmapping/booksrole' -d '{"users" : ["booksuser"]}' ``` Both clusters must have the user, but only the remote cluster needs the role and mapping; in this case, the coordinating cluster handles authentication (i.e. "Does this request include valid user credentials?"), and the remote cluster handles authorization (i.e. "Can this user access this data?").
diff --git a/_security-plugin/access-control/document-level-security.md b/_security-plugin/access-control/document-level-security.md
index bbb13dad..9847bd36 100644
--- a/_security-plugin/access-control/document-level-security.md
+++ b/_security-plugin/access-control/document-level-security.md
@@ -36,7 +36,7 @@ A typical request to the `_search` API includes `{ "query": { ... } }` around th In the REST API, you provide the query as a string, so you must escape your quotes. This role allows a user to read any document in any index with the field `public` set to `true`: ```json
-PUT _opensearch/_security/api/roles/public_data
+PUT _plugins/_security/api/roles/public_data { "cluster_permissions": [ "*"
@@ -64,7 +64,7 @@ A number of variables exist that you can use to enforce rules based on the prope This rule allows a user to read any document where the username is a value of the `readable_by` field: ```json
-PUT _opensearch/_security/api/roles/user_data
+PUT _plugins/_security/api/roles/user_data { "cluster_permissions": [ "*"
@@ -99,7 +99,7 @@ You can use roles and parameter substitution with the `terms_set` query to enabl #### User definition ```json
-PUT _opensearch/_security/api/internalusers/user1
+PUT _plugins/_security/api/internalusers/user1 { "password": "asdf", "backend_roles": ["abac"],
@@ -112,7 +112,7 @@ PUT _opensearch/_security/api/internalusers/user1 #### Role definition ```json
-PUT _opensearch/_security/api/roles/abac
+PUT _plugins/_security/api/roles/abac { "index_permissions": [{ "index_patterns": [
diff --git a/_security-plugin/access-control/impersonation.md b/_security-plugin/access-control/impersonation.md
index b7b95ea1..d1dc85ce 100644
--- a/_security-plugin/access-control/impersonation.md
+++ b/_security-plugin/access-control/impersonation.md
@@ -42,8 +42,8 @@ plugins.security.authcz.impersonation_dn: ## Impersonating Users
-To impersonate another user, submit a request to the system with the HTTP header `opensearch_security_impersonate_as` set to the name of the user to be impersonated. A good test is to make a GET request to the `_opensearch/_security/authinfo` URI:
+To impersonate another user, submit a request to the system with the HTTP header `opensearch_security_impersonate_as` set to the name of the user to be impersonated. A good test is to make a GET request to the `_plugins/_security/authinfo` URI: ```bash
-curl -XGET -u 'admin:admin' -k -H "opensearch_security_impersonate_as: user_1" https://localhost:9200/_opensearch/_security/authinfo?pretty
+curl -XGET -u 'admin:admin' -k -H "opensearch_security_impersonate_as: user_1" https://localhost:9200/_plugins/_security/authinfo?pretty ```
diff --git a/_security-plugin/configuration/client-auth.md b/_security-plugin/configuration/client-auth.md
index 03369a92..d33f0c98 100644
--- a/_security-plugin/configuration/client-auth.md
+++ b/_security-plugin/configuration/client-auth.md
@@ -48,7 +48,7 @@ After deciding which role you want to map your certificate's CN to, you can use **Sample request** ```json
-PUT _opensearch/_security/api/rolesmapping/readall
+PUT _plugins/_security/api/rolesmapping/readall { "backend_roles" : ["sample_role" ], "hosts" : [ "example.host.com" ],
diff --git a/_security-plugin/configuration/saml.md b/_security-plugin/configuration/saml.md
index ec5fefa1..f843f4f2 100755
--- a/_security-plugin/configuration/saml.md
+++ b/_security-plugin/configuration/saml.md
@@ -308,13 +308,13 @@ plugins.security.auth.type: "saml" In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be whitelisted: ```
-server.xsrf.whitelist: ["/_opensearch/_security/saml/acs"]
+server.xsrf.whitelist: ["/_plugins/_security/saml/acs"] ``` If you use the logout POST binding, you also need to whitelist the logout endpoint: ```yml
-server.xsrf.whitelist: ["/_opensearch/_security/saml/acs", "/_opensearch/_security/saml/logout"]
+server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] ``` ### IdP-initiated SSO
@@ -322,11 +322,11 @@ server.xsrf.whitelist: ["/_opensearch/_security/saml/acs", "/_opensearch/_securi To use IdP-initiated SSO, set the Assertion Consumer Service endpoint of your IdP to this: ```
-/_opensearch/_security/saml/acs/idpinitiated
+/_plugins/_security/saml/acs/idpinitiated ``` Then add this endpoint to `server.xsrf.whitelist` in `opensearch_dashboards.yml`: ```yml
-server.xsrf.whitelist: ["/_opensearch/_security/saml/acs/idpinitiated", "/_opensearch/_security/saml/acs", "/_opensearch/_security/saml/logout"]
+server.xsrf.whitelist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] ```
diff --git a/_troubleshoot/saml.md b/_troubleshoot/saml.md
index 36024ba7..7191a82a 100644
--- a/_troubleshoot/saml.md
+++ b/_troubleshoot/saml.md
@@ -42,7 +42,7 @@ After a successful login, your IdP sends a SAML response using HTTP POST to Open The endpoint the OpenSearch Dashboards security plugin provides is: ```
-/_opensearch/_security/saml/acs
+/_plugins/_security/saml/acs ``` Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to whitelist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
@@ -50,7 +50,7 @@ Make sure that you have configured this endpoint correctly in your IdP. Some IdP OpenSearch Dashboards also requires you to whitelist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`: ```
-server.xsrf.whitelist: [/_opensearch/_security/saml/acs]
+server.xsrf.whitelist: [/_plugins/_security/saml/acs] ```
@@ -94,7 +94,7 @@ This setting prints the SAML response to the OpenSearch log file so that you can Another way of inspecting the SAML response is to monitor network traffic while logging in to OpenSearch Dashboards. The IdP uses HTTP POST requests to send Base64-encoded SAML responses to: ```
-/_opensearch/_security/saml/acs
+/_plugins/_security/saml/acs ``` Inspect the payload of this POST request, and use a tool like [base64decode.org](https://www.base64decode.org/) to decode it.