diff --git a/ansible/playbooks/roles/opensearch/templates/opensearch.yml.j2 b/ansible/playbooks/roles/opensearch/templates/opensearch.yml.j2 index 2a99a3bb03..7ad196396b 100644 --- a/ansible/playbooks/roles/opensearch/templates/opensearch.yml.j2 +++ b/ansible/playbooks/roles/opensearch/templates/opensearch.yml.j2 @@ -126,7 +126,9 @@ plugins.security.nodes_dn: {% endfor %} {% endif %} -plugins.security.audit.type: internal_opensearch +{% if specification.opensearch_security.audit.type is defined and specification.opensearch_security.audit.type|length %} +plugins.security.audit.type: {{ specification.opensearch_security.audit.type }} +{% endif %} plugins.security.enable_snapshot_restore_privilege: true plugins.security.check_snapshot_restore_write_privileges: true plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/docs/changelogs/CHANGELOG-2.0.md b/docs/changelogs/CHANGELOG-2.0.md index 772b2a4f22..c246f6caf0 100644 --- a/docs/changelogs/CHANGELOG-2.0.md +++ b/docs/changelogs/CHANGELOG-2.0.md @@ -11,6 +11,7 @@ - [#3131](https://github.com/epiphany-platform/epiphany/issues/3131) - Optimize Grafana dashboards downloading - [#3116](https://github.com/epiphany-platform/epiphany/issues/3116) - Optimize files downloading - [#3106](https://github.com/epiphany-platform/epiphany/issues/3106) - Add image-registry configuration reading +- [#3140](https://github.com/epiphany-platform/epiphany/issues/3140) - Allow to disable OpenSearch audit logs ### Fixed diff --git a/docs/home/HOWTO.md b/docs/home/HOWTO.md index a86efa14d0..ed218e5f19 100644 --- a/docs/home/HOWTO.md +++ b/docs/home/HOWTO.md 
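Review bot: The new `{% if %}` around `plugins.security.audit.type` omits the key entirely when the value is empty or undefined, so the rendered opensearch.yml on a node with audit logging switched off carries no trace of that decision. Because this disables a security control, I would add an `{% else %}` branch that emits a comment such as `# audit logging disabled via specification.opensearch_security.audit.type`, so that someone reviewing the deployed file can tell a deliberate opt-out from a template regression. The value is also interpolated verbatim, and a whitespace-only string passes the `|length` test. Testing `specification.opensearch_security.audit.type | trim | length` and rendering `{{ specification.opensearch_security.audit.type | trim | to_json }}` would keep a stray space or a multi-line value from changing the structure of the generated YAML. The template continues outside this hunk, so I cannot see whether any `plugins.security.audit.config.*` settings are rendered elsewhere.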
@@ -115,6 +115,7 @@ - [Centralized logging setup](./howto/LOGGING.md#centralized-logging-setup) - [How to add multiline support for Filebeat logs](./howto/LOGGING.md#how-to-add-multiline-support-for-filebeat-logs) - [How to deploy Filebeat as Daemonset in K8s](./howto/LOGGING.md#how-to-deploy-filebeat-as-daemonset-in-k8s) + - [Audit logs](./howto/LOGGING.md#audit-logs) - [Maintenance](./howto/MAINTENANCE.md) - [Verification of service state](./howto/MAINTENANCE.md#verification-of-service-state) diff --git a/docs/home/howto/LOGGING.md b/docs/home/howto/LOGGING.md index 1f7a711073..983c4613d9 100644 --- a/docs/home/howto/LOGGING.md +++ b/docs/home/howto/LOGGING.md @@ -274,3 +274,18 @@ Notice: Setting `specification.kibana.dashboards.enabled` to `true` not providin --- [1] More information about migrating from Elasticsearch & Kibana to OpenSearch & OpenSearch Dashboards can be found [here](./UPGRADE.md#migration-from-open-distro-for-elasticsearch--kibana-to-opensearch-and-opensearch-dashboards). + +## Audit logs + +There is an [option](https://opensearch.org/docs/latest/security-plugin/audit-logs/) to enable +OpenSearch audit logs which is switched on in Epiphany by default using the following configuration part: + +```yaml +kind: configuration/logging +specification: + opensearch_security: + audit: + type: internal_opensearch +``` + +Use the empty string value to switch audit logging off. diff --git a/schema/common/defaults/configuration/logging.yml b/schema/common/defaults/configuration/logging.yml index 879a674c6e..0842a0883f 100644 --- a/schema/common/defaults/configuration/logging.yml +++ b/schema/common/defaults/configuration/logging.yml @@ -16,7 +16,7 @@ specification: - readall - snapshotrestore # - logstash - # - kibanaservers + # - kibanaserver paths: opensearch_home: /usr/share/opensearch opensearch_conf_dir: /usr/share/opensearch/config 
@@ -27,6 +27,8 @@ specification: jvm_options: Xmx: 1g opensearch_security: + audit: + type: internal_opensearch # https://opensearch.org/docs/latest/security-plugin/audit-logs ssl: transport: enforce_hostname_verification: true diff --git a/schema/common/defaults/configuration/opensearch.yml b/schema/common/defaults/configuration/opensearch.yml index 09239dcb1d..86daf5a804 100644 --- a/schema/common/defaults/configuration/opensearch.yml +++ b/schema/common/defaults/configuration/opensearch.yml @@ -27,6 +27,8 @@ specification: jvm_options: Xmx: 1g opensearch_security: + audit: + type: internal_opensearch # https://opensearch.org/docs/latest/security-plugin/audit-logs ssl: transport: enforce_hostname_verification: true diff --git a/schema/common/validation/configuration/logging.yml b/schema/common/validation/configuration/logging.yml index bd0f756b4e..cd793a50d2 100644 --- a/schema/common/validation/configuration/logging.yml +++ b/schema/common/validation/configuration/logging.yml @@ -6,6 +6,10 @@ type: object properties: cluster_name: type: string + opensearch_os_user: + type: string + opensearch_os_group: + type: string admin_password: type: string kibanaserver_password: @@ -18,15 +22,22 @@ properties: type: boolean demo_users_to_remove: type: array - items: {} + items: + type: string paths: type: object properties: - data: + opensearch_home: + type: string + opensearch_conf_dir: + type: string + opensearch_log_dir: type: string - repo: + opensearch_snapshots_dir: type: string - logs: + opensearch_data_dir: + type: string + opensearch_perftop_dir: type: string jvm_options: type: object @@ -36,6 +47,11 @@ properties: opensearch_security: type: object properties: + audit: + type: object + properties: + type: + type: string ssl: type: object properties: diff --git a/schema/common/validation/configuration/opensearch.yml b/schema/common/validation/configuration/opensearch.yml index 83e2d77618..dce0ba1036 100644 --- a/schema/common/validation/configuration/opensearch.yml 
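Review bot: The inline comment on the new `type: internal_opensearch` default only links to the upstream docs and does not say that an empty value turns audit logging off, which is the one thing an operator editing this file needs to know before touching it. I would write it as `type: internal_opensearch # empty string disables audit logging; see https://opensearch.org/docs/latest/security-plugin/audit-logs`. It is also worth a short comment that `internal_opensearch` keeps the audit index on the same cluster that is being audited, so whoever can administer that cluster can also alter the audit trail. The same default line is added in schema/common/defaults/configuration/opensearch.yml and should get the same comment.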
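Review bot: The new `audit` object validates `type` only as `type: string`, so a misspelled storage type passes schema validation and is written to opensearch.yml unchanged; the failure then surfaces, if at all, at node start rather than at validation time. An `enum` limited to what the role can actually configure, plus the documented off switch, would catch this early, for example `enum: ['', internal_opensearch, debug, log4j]`. I left `external_opensearch` and `webhook` out of that example because they need extra `plugins.security.audit.config.*` settings that this commit does not appear to render; adjust the list if the template handles them outside the visible hunks. The identical `audit` block added to schema/common/validation/configuration/opensearch.yml needs the same constraint.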
+++ b/schema/common/validation/configuration/opensearch.yml @@ -1,3 +1,4 @@ +--- "$id": "#/specification" title: "opensearch schema" description: "OpenSearch specification schema" @@ -46,6 +47,11 @@ properties: opensearch_security: type: object properties: + audit: + type: object + properties: + type: + type: string ssl: type: object properties: