From bd8ae9b7a4bfde2979c38983cfbb63f22a2b041a Mon Sep 17 00:00:00 2001 From: Dan Cecoi Date: Fri, 12 Jul 2024 14:08:31 +0100 Subject: [PATCH 1/6] Add documentation for configuring the password hashing algorithms and their properties Signed-off-by: Dan Cecoi --- .../security-settings.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index 244d601449..42bf2fa570 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md 
@@ -122,6 +122,40 @@ The Security plugin supports the following expert-level settings: - `plugins.security.check_snapshot_restore_write_privileges` (Static): Enforces write privilege evaluation when creating snapshots. Default is `true`. +- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use. + + Valid values are: + + - `BCrypt` (Default) + - `PBKDF2` + +- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with BCrypt. Valid values are from `4` to `31`. Default is `12`. + +- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the BCrypt algorithm to use for password hashing. + + Valid values are: + + - `A` + - `B` + - `Y` (Default) + +- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password. + + Valid values are: + + - `SHA1` + - `SHA224` + - `SHA256` (Default) + - `SHA384` + - `SHA512` + +- `plugins.security.password.hashing.pbkdf2.iterations` (Static): Specifies the number of times the pseudo-random function is applied to the password. Default is `600,000`. + +- `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`. + +If you change any of these hashing properties, you must rehash all internal passwords to ensure compatibility and security. +{:warning} + ## Audit log settings The Security plugin supports the following audit log settings: From 332817a036548b22c0f1b075876720da02fd5c79 Mon Sep 17 00:00:00 2001 From: Dan Cecoi Date: Fri, 12 Jul 2024 14:16:35 +0100 Subject: [PATCH 2/6] Small change to the warning message Signed-off-by: Dan Cecoi --- .../configuring-opensearch/security-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index 42bf2fa570..1890a453a5 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md @@ -153,7 +153,7 @@ The Security plugin supports the following expert-level settings: - `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`. -If you change any of these hashing properties, you must rehash all internal passwords to ensure compatibility and security. +If you change any of these password hashing properties, you must rehash all internal passwords to ensure compatibility and security. {:warning} ## Audit log settings From 0085e91130e5a1045d2ec83b823d89349796b7a9 Mon Sep 17 00:00:00 2001 From: Dan Cecoi Date: Fri, 12 Jul 2024 14:39:35 +0100 Subject: [PATCH 3/6] Modified the warning message and its placement Signed-off-by: Dan Cecoi --- .../configuring-opensearch/security-settings.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index 1890a453a5..3be585e225 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md 
@@ -122,6 +122,9 @@ The Security plugin supports the following expert-level settings: - `plugins.security.check_snapshot_restore_write_privileges` (Static): Enforces write privilege evaluation when creating snapshots. Default is `true`. +If you change any of the following password hashing properties, you must rehash all internal passwords to ensure compatibility and security. +{: .warning} + - `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use. Valid values are: @@ -153,8 +156,6 @@ The Security plugin supports the following expert-level settings: - `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`. -If you change any of these password hashing properties, you must rehash all internal passwords to ensure compatibility and security. -{:warning} ## Audit log settings From 74c4b2a6d4ab6b5ecf3fc592f0973e59bb91446c Mon Sep 17 00:00:00 2001 From: Dan Cecoi Date: Fri, 12 Jul 2024 14:41:35 +0100 Subject: [PATCH 4/6] modified the bcrypt.rounds explanation Signed-off-by: Dan Cecoi --- .../configuring-opensearch/security-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index 3be585e225..beb9534313 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md 
@@ -132,7 +132,7 @@ If you change any of the following password hashing properties, you must rehash - `BCrypt` (Default) - `PBKDF2` -- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with BCrypt. Valid values are from `4` to `31`. Default is `12`. +- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with BCrypt. Valid values are from `4` to `31`, inclusive. Default is `12`. - `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the BCrypt algorithm to use for password hashing. From d0d5560813f7f1bd52110043ff7c50eca8eb80a2 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Tue, 23 Jul 2024 12:59:07 -0500 Subject: [PATCH 5/6] Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../configuring-opensearch/security-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index beb9534313..0ba7837ed7 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md 
@@ -132,9 +132,9 @@ If you change any of the following password hashing properties, you must rehash - `BCrypt` (Default) - `PBKDF2` -- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with BCrypt. Valid values are from `4` to `31`, inclusive. Default is `12`. +- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are from`4` to `31`, inclusive. Default is `12`. -- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the BCrypt algorithm to use for password hashing. +- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing. Valid values are: From 65915b8599015b04e1eda374b19f62a2b995a7f3 Mon Sep 17 00:00:00 2001 From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Date: Wed, 24 Jul 2024 12:16:13 -0500 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: Nathan Bower Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- .../configuring-opensearch/security-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index 0ba7837ed7..4ecb86e633 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md 
@@ -132,7 +132,7 @@ If you change any of the following password hashing properties, you must rehash - `BCrypt` (Default) - `PBKDF2` -- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are from`4` to `31`, inclusive. Default is `12`. +- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are between `4` and `31`, inclusive. Default is `12`. - `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing. @@ -152,7 +152,7 @@ If you change any of the following password hashing properties, you must rehash - `SHA384` - `SHA512` -- `plugins.security.password.hashing.pbkdf2.iterations` (Static): Specifies the number of times the pseudo-random function is applied to the password. Default is `600,000`. +- `plugins.security.password.hashing.pbkdf2.iterations` (Static): Specifies the number of times that the pseudo-random function is applied to the password. Default is `600,000`. - `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`.
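Review bot: In PATCH 1/6 the `plugins.security.password.hashing.algorithm` entry has a stray colon between the setting name and `(Static):`, unlike every other entry in the list, and the same text is still visible as a context line in PATCH 3/6. Drop the extra colon so the entry matches its neighbours. The same hunk lists `SHA1` among the valid `pbkdf2.function` values without comment; a short sentence steering readers toward the `SHA256` default or a longer digest would help anyone choosing a value from this list.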
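Review bot: In the first hunk of PATCH 3/6 the warning paragraph and its `{: .warning}` marker are inserted between the `check_snapshot_restore_write_privileges` bullet and the `password.hashing.algorithm` bullet, so the callout lands in the middle of the expert-level settings list and the hashing entries that follow have no lead-in of their own. Consider introducing the password hashing settings with a sentence or subheading and placing the warning directly under it. The warning also says you "must rehash all internal passwords" without saying how to do that or what happens to existing internal users if it is skipped; a link to the procedure and one sentence on the consequence would make it actionable.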
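Review bot: The `+` line for `bcrypt.rounds` in PATCH 5/6 drops the space after "from", giving "from`4` to `31`", so the word runs into the code span when rendered. PATCH 6/6 rewrites the phrase and the space comes back, but the typo should be fixed in this commit or the two commits squashed so that no intermediate revision carries it.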
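Review bot: In the second hunk of PATCH 6/6 the `pbkdf2.iterations` default is still written as `600,000` inside a code span, which readers may copy verbatim into their configuration, where a thousands separator is not part of an integer; write it as `600000`. The `pbkdf2.length` context line just below gives a default of `256` with no unit, and neither PBKDF2 setting states an accepted range the way `bcrypt.rounds` does. Say whether the length is in bits or bytes and list the bounds for both settings.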