Added ability to disable OpenSearch audit logs (#3215)

* Added ability to disable OpenSearch audit logs
hitachienergy · Jul 14, 2022 · 0340be3 · 0340be3
1 parent 0830d9a
commit 0340be3
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 6 deletions.
diff --git a/ansible/playbooks/roles/opensearch/templates/opensearch.yml.j2 b/ansible/playbooks/roles/opensearch/templates/opensearch.yml.j2
@@ -126,7 +126,9 @@ plugins.security.nodes_dn:
   {% endfor %}
 {% endif %}
 
-plugins.security.audit.type: internal_opensearch
+{% if specification.opensearch_security.audit.type is defined and specification.opensearch_security.audit.type|length %}
+plugins.security.audit.type: {{ specification.opensearch_security.audit.type }}
+{% endif %}
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

diff --git a/docs/changelogs/CHANGELOG-2.0.md b/docs/changelogs/CHANGELOG-2.0.md
@@ -11,6 +11,7 @@
 - [#3131](https://github.com/epiphany-platform/epiphany/issues/3131) - Optimize Grafana dashboards downloading
 - [#3116](https://github.com/epiphany-platform/epiphany/issues/3116) - Optimize files downloading
 - [#3106](https://github.com/epiphany-platform/epiphany/issues/3106) - Add image-registry configuration reading
+- [#3140](https://github.com/epiphany-platform/epiphany/issues/3140) - Allow to disable OpenSearch audit logs
 
 ### Fixed
 

diff --git a/docs/home/HOWTO.md b/docs/home/HOWTO.md
@@ -115,6 +115,7 @@
   - [Centralized logging setup](./howto/LOGGING.md#centralized-logging-setup)
   - [How to add multiline support for Filebeat logs](./howto/LOGGING.md#how-to-add-multiline-support-for-filebeat-logs)
   - [How to deploy Filebeat as Daemonset in K8s](./howto/LOGGING.md#how-to-deploy-filebeat-as-daemonset-in-k8s)
+  - [Audit logs](./howto/LOGGING.md#audit-logs)
 
 - [Maintenance](./howto/MAINTENANCE.md)
   - [Verification of service state](./howto/MAINTENANCE.md#verification-of-service-state)

diff --git a/docs/home/howto/LOGGING.md b/docs/home/howto/LOGGING.md
@@ -274,3 +274,18 @@ Notice: Setting `specification.kibana.dashboards.enabled` to `true` not providin
 
 ---
 <sup>[1] More information about migrating from Elasticsearch & Kibana to OpenSearch & OpenSearch Dashboards can be found [here](./UPGRADE.md#migration-from-open-distro-for-elasticsearch--kibana-to-opensearch-and-opensearch-dashboards).</sup>
+
+## Audit logs
+
+There is an [option](https://opensearch.org/docs/latest/security-plugin/audit-logs/) to enable
+OpenSearch audit logs which is switched on in Epiphany by default using the following configuration part:
+
+```yaml
+kind: configuration/logging
+specification:
+  opensearch_security:
+    audit:
+      type: internal_opensearch
+```
+
+Use the empty string value to switch audit logging off.
diff --git a/schema/common/defaults/configuration/logging.yml b/schema/common/defaults/configuration/logging.yml
@@ -16,7 +16,7 @@ specification:
     - readall
     - snapshotrestore
     # - logstash
-    # - kibanaservers
+    # - kibanaserver
   paths:
     opensearch_home: /usr/share/opensearch
     opensearch_conf_dir: /usr/share/opensearch/config
@@ -27,6 +27,8 @@ specification:
   jvm_options:
     Xmx: 1g
   opensearch_security:
+    audit:
+      type: internal_opensearch # https://opensearch.org/docs/latest/security-plugin/audit-logs
     ssl:
       transport:
         enforce_hostname_verification: true
diff --git a/schema/common/defaults/configuration/opensearch.yml b/schema/common/defaults/configuration/opensearch.yml
@@ -27,6 +27,8 @@ specification:
   jvm_options:
     Xmx: 1g
   opensearch_security:
+    audit:
+      type: internal_opensearch # https://opensearch.org/docs/latest/security-plugin/audit-logs
     ssl:
       transport:
         enforce_hostname_verification: true
diff --git a/schema/common/validation/configuration/logging.yml b/schema/common/validation/configuration/logging.yml
@@ -6,6 +6,10 @@ type: object
 properties:
   cluster_name:
     type: string
+  opensearch_os_user:
+    type: string
+  opensearch_os_group:
+    type: string
   admin_password:
     type: string
   kibanaserver_password:
@@ -18,15 +22,22 @@ properties:
     type: boolean
   demo_users_to_remove:
     type: array
-    items: {}
+    items:
+      type: string
   paths:
     type: object
     properties:
-      data:
+      opensearch_home:
+        type: string
+      opensearch_conf_dir:
+        type: string
+      opensearch_log_dir:
         type: string
-      repo:
+      opensearch_snapshots_dir:
         type: string
-      logs:
+      opensearch_data_dir:
+        type: string
+      opensearch_perftop_dir:
         type: string
   jvm_options:
     type: object
@@ -36,6 +47,11 @@ properties:
   opensearch_security:
     type: object
     properties:
+      audit:
+        type: object
+        properties:
+          type:
+            type: string
       ssl:
         type: object
         properties:

diff --git a/schema/common/validation/configuration/opensearch.yml b/schema/common/validation/configuration/opensearch.yml
@@ -1,3 +1,4 @@
+---
 "$id": "#/specification"
 title: "opensearch schema"
 description: "OpenSearch specification schema"
@@ -46,6 +47,11 @@ properties:
   opensearch_security:
     type: object
     properties:
+      audit:
+        type: object
+        properties:
+          type:
+            type: string
       ssl:
         type: object
         properties: