Skip to content

Commit

Permalink
Addition of full file paths in security documentation (opensearch-pro…
Browse files Browse the repository at this point in the history
…ject#8113)

* added full file paths for security config files
Signed-off-by: [email protected] <[email protected]>

Signed-off-by: [email protected] <[email protected]>

* added full file paths for security config files
Signed-off-by: [email protected] <[email protected]>

Signed-off-by: [email protected] <[email protected]>

# Conflicts:
#	_security/configuration/yaml.md

* small edits to full file paths for security config files
Signed-off-by: [email protected] <[email protected]>

Signed-off-by: [email protected] <[email protected]>

* updates to file paths following tech review
Signed-off-by: [email protected] <[email protected]>

Signed-off-by: [email protected] <[email protected]>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <[email protected]>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <[email protected]>

* Take into account previous changes

Signed-off-by: Naarcha-AWS <[email protected]>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <[email protected]>

---------

Signed-off-by: [email protected] <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
Signed-off-by: Eric Pugh <[email protected]>
  • Loading branch information
2 people authored and epugh committed Sep 12, 2024
1 parent 31c2d0c commit 540420a
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ nav_order: 40

The Security plugin provides a number of YAML configuration files that are used to store the necessary settings that define the way the Security plugin manages users, roles, and activity within the cluster. For a full list of the Security plugin configuration files, see [Modifying the YAML files]({{site.url}}{{site.baseurl}}/security/configuration/yaml/).

The following sections describe security-related settings in `opensearch.yml`. To learn more about static and dynamic settings, see [Configuring OpenSearch]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/index/).
The following sections describe security-related settings in `opensearch.yml`. You can find the `opensearch.yml` in the `<OPENSEARCH_HOME>/config/opensearch.yml`. To learn more about static and dynamic settings, see [Configuring OpenSearch]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/index/).

## Common settings

Expand Down
2 changes: 1 addition & 1 deletion _security/configuration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,4 +28,4 @@ The Security plugin has several default users, roles, action groups, permissions
{: .note }

For a full list of `opensearch.yml` Security plugin settings, Security plugin settings, see [Security settings]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/security-settings/).
{: .note}
{: .note}
4 changes: 2 additions & 2 deletions _security/configuration/security-admin.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,13 @@ The `securityadmin.sh` script requires SSL/TLS HTTP to be enabled for your OpenS

## A word of caution

If you make changes to the configuration files in `config/opensearch-security`, OpenSearch does _not_ automatically apply these changes. Instead, you must run `securityadmin.sh` to load the updated files into the index.
If you make changes to the configuration files in `config/opensearch-security`, OpenSearch does _not_ automatically apply these changes. Instead, you must run `securityadmin.sh` to load the updated files into the index. The `securityadmin.sh` file can be found in `<OPENSEARCH_HOME>/plugins/opensearch-security/tools/securityadmin.[sh|bat]`.

Running `securityadmin.sh` **overwrites** one or more portions of the `.opendistro_security` index. Run it with extreme care to avoid losing your existing resources. Consider the following example:

1. You initialize the `.opendistro_security` index.
1. You create ten users using the REST API.
1. You decide to create a new [reserved user]({{site.url}}{{site.baseurl}}/security/access-control/api/#reserved-and-hidden-resources) using `internal_users.yml`.
1. You decide to create a new [reserved user]({{site.url}}{{site.baseurl}}/security/access-control/api/#reserved-and-hidden-resources) using `internal_users.yml`, found in `<OPENSEARCH_HOME>/config/opensearch-security/` directory.
1. You run `securityadmin.sh` again to load the new reserved user into the index.
1. You lose all ten users that you created using the REST API.

Expand Down
8 changes: 5 additions & 3 deletions _security/configuration/yaml.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ The approach we recommend for using the YAML files is to first configure [reserv

## action_groups.yml

This file contains any initial action groups that you want to add to the Security plugin.
This file contains any role mappings required for your security configuration. You can find the `role_mapping.yml` file in `<OPENSEARCH_HOME>/config/opensearch-security/roles_mapping.yml`.

Aside from some metadata, the default file is empty, because the Security plugin has a number of static action groups that it adds automatically. These static action groups cover a wide variety of use cases and are a great way to get started with the plugin.

Expand All @@ -43,6 +43,8 @@ _meta:
You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.

You can find the `allowlist.yml` file in `<OPENSEARCH_HOME>/config/opensearch-security/allowlist.yml`.

Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the Security plugin's users and roles, which have more granular settings.

```yml
Expand Down Expand Up @@ -92,7 +94,7 @@ requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/

## internal_users.yml

This file contains any initial users that you want to add to the Security plugin's internal user database.
This file contains any initial users that you want to add to the Security plugin's internal user database. You can find this file in ``<OPENSEARCH_HOME>/config/opensearch-security/internal_users.yml`.

The file format requires a hashed password. To generate one, run `plugins/opensearch-security/tools/hash.sh -p <new-password>`. If you decide to keep any of the demo users, *change their passwords* and re-run [securityadmin.sh]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) to apply the new passwords.

Expand Down Expand Up @@ -313,7 +315,7 @@ admin_tenant:

## opensearch.yml

In addition to many OpenSearch settings, this file contains paths to TLS certificates and their attributes, such as distinguished names and trusted certificate authorities.
In addition to many OpenSearch settings, the `opensearch.yml` file contains paths to TLS certificates and their attributes, such as distinguished names and trusted certificate authorities. You can find this file in `<OPENSEARCH_HOME>/config/`.

```yml
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
Expand Down

0 comments on commit 540420a

Please sign in to comment.