iSharkFly-Docs
/
opensearch-docs-cn
mirror of https://github.com/iSharkFly-Docs/opensearch-docs-cn
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add allowlist for more inclusive nomenclature 

Signed-off-by: Naarcha-AWS <naarcha@amazon.com>
This commit is contained in:
Naarcha-AWS 2022-04-14 12:27:27 -05:00
parent 02a913f988
commit e5ed103a1a
9 changed files with 24 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_dashboards/branding.md
View File

@ -100,7 +100,7 @@ opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch.requestHeadersallowlist: [ authorization,securitytenant ]
#server.ssl.enabled: true
#server.ssl.certificate: /path/to/your/server/certificate
#server.ssl.key: /path/to/your/server/key

2
_dashboards/install/tls.md
View File

@ -25,7 +25,7 @@ opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch.requestHeadersallowlist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem

4
_security-plugin/access-control/multi-tenancy.md
View File

@ -46,7 +46,7 @@ Setting | Description
```yml
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch.requestHeadersallowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
@ -56,7 +56,7 @@ opensearch_security.multitenancy.enable_filter: false
Setting | Description
:--- | :---
`opensearch.requestHeadersWhitelist` | OpenSearch Dashboards requires that you whitelist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not whitelisted, OpenSearch Dashboards starts with a red status.
`opensearch.requestHeadersallowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not allowlisted, OpenSearch Dashboards starts with a red status.
`opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true.
`opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true.
`opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true.

6
_security-plugin/configuration/ldap.md
View File

@ -433,7 +433,7 @@ By default, the security plugin reads all LDAP user attributes and makes them av
Name | Description
:--- | :---
`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.
Example:
@ -446,7 +446,7 @@ authz:
authorization_backend:
type: ldap
config:
custom_attr_whitelist:
custom_attr_allowlist:
- attribute1
- attribute2
custom_attr_maxval_len: 36
@ -501,7 +501,7 @@ Name | Description
`skip_users` | Array of users that should be skipped when retrieving roles. Wildcards and regular expressions are supported.
`nested_role_filter` | Array of role DNs that should be filtered before resolving nested roles. Wildcards and regular expressions are supported.
`rolesearch_enabled` | Boolean. Enable or disable the role search. Default is `true`.
`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.

4
_security-plugin/configuration/openid-connect.md
View File

@ -308,8 +308,8 @@ opensearch.password: "kibanaserver"
# Disable SSL verification when using self-signed demo certificates
opensearch.ssl.verificationMode: none
# Whitelist basic headers and multi-tenancy header
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
# allowlist basic headers and multi-tenancy header
opensearch.requestHeadersallowlist: ["Authorization", "security_tenant"]
```

4
_security-plugin/configuration/proxy.md
View File

@ -192,10 +192,10 @@ config:
internalProxies: '<opensearch-dashboards-ip-address>'
```
To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header whitelist in `opensearch_dashboards.yml`:
To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allowlist in `opensearch_dashboards.yml`:
```yml
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
opensearch.requestHeadersallowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
```
You must also enable the authentication type in `opensearch_dashboards.yml`:

12
_security-plugin/configuration/saml.md
View File

@ -302,16 +302,16 @@ Because most of the SAML-specific configuration is done in the security plugin,
opensearch_security.auth.type: "saml"
```
In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be whitelisted:
In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be allowlisted:
```yml
server.xsrf.whitelist: ["/_plugins/_security/saml/acs"]
server.xsrf.allowlist: ["/_plugins/_security/saml/acs"]
```
If you use the logout POST binding, you also need to whitelist the logout endpoint:
If you use the logout POST binding, you also need to allowlist the logout endpoint:
```yml
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
```
### IdP-initiated SSO
@ -322,8 +322,8 @@ To use IdP-initiated SSO, set the Assertion Consumer Service endpoint of your Id
/_plugins/_security/saml/acs/idpinitiated
```
Then add this endpoint to `server.xsrf.whitelist` in `opensearch_dashboards.yml`:
Then add this endpoint to `server.xsrf.allowlist` in `opensearch_dashboards.yml`:
```yml
server.xsrf.whitelist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
server.xsrf.allowlist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
```

8
_security-plugin/configuration/yaml.md
View File

@ -124,16 +124,16 @@ plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d]
plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
```
## whitelist.yml
## allowlist.yml
You can use `whitelist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings.
```yml
---
_meta:
type: "whitelist"
type: "allowlist"
config_version: 2
# Description:
@ -165,7 +165,7 @@ requests:
- PUT
```
You can also add custom indices to the allow list. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
You can also add custom indices to the allow list. `allowlist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
```yml
requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1

6
_troubleshoot/saml.md
View File

@ -45,12 +45,12 @@ The endpoint the OpenSearch Dashboards security plugin provides is:
/_plugins/_security/saml/acs
```
Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to whitelist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to allowlist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
OpenSearch Dashboards also requires you to whitelist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:
OpenSearch Dashboards also requires you to allowlist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:
```
server.xsrf.whitelist: [/_plugins/_security/saml/acs]
server.xsrf.allowlist: [/_plugins/_security/saml/acs]
```