An OpenSearch Dashboards plugin
This plugin introduces support for multiple data sources into OpenSearch Dashboards and provides related functions to connect to OpenSearch data sources.
Update the following configuration in the opensearch_dashboards.yml file to apply changes. Refer to the schema here for supported configurations.
-
The dataSource plugin is disabled by default; to enable it:
data_source.enabled: true -
The audit trail is disabled by default for logging the access to data source; to disable it:
data_source.audit.enabled: true
- Default auditor configuration:
data_source.audit.appender.kind: 'file'
data_source.audit.appender.layout.kind: 'pattern'
data_source.audit.appender.path: '<Operating System's Temp Folder>/opensearch-dashboards-data-source-audit.log'- The default encryption-related configuration parameters are:
data_source.encryption.wrappingKeyName: 'changeme'
data_source.encryption.wrappingKeyNamespace: 'changeme'
data_source.encryption.wrappingKey:
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]Note that if any of the encryption keyring configuration values change (wrappingKeyName/wrappingKeyNamespace/wrappingKey), none of the previously-encrypted credentials can be decrypted; therefore, credentials of previously created data sources must be updated to continue use.
What are the best practices for generating a secure wrapping key?
WrappingKey is an array of 32 random numbers. Read more about best practices for generating a secure wrapping key.
The public plugin is used to enable and disable the features related to multi data source available in other plugins. e.g. data_source_management, index_pattern_management
- Add as a required dependency for whole plugin on/off switch
- Add as opitional dependency for partial flow changes control
The provided data source client is integrated with default search strategy in data plugin. When data source id presented in IOpenSearchSearchRequest, data source client will be used.
The data source service will provide a data source client given a data source id and optional client configurations.
Currently supported client config is:
data_source.clientPool.size
Data source service uses LRU cache to cache the root client to improve client pool usage.
In the RequestHandler, get an instance of the client using:
client: OpenSearchClient = await context.dataSource.opensearch.getClient(dataSourceId);
//Support for legacy client
apiCaller: LegacyAPICaller = context.dataSource.opensearch.legacy.getClient(dataSourceId).callAPI;The data source saved object client wrapper overrides the write related action for data source object in order to perform validation and encryption actions of the authentication information inside data source.
The cryptography service encrypts and decrypts data source credentials (support no_auth and username_password credential types). Highlight the best security practices listed below:
a. Envelope encryption - provides strong protection on data keys. Read more details here
b. Key derivation with HMAC - KDF with SHA-384 protects against accidental reuse of a data encryption keys and reduces the risk of overusing data keys.
c. Signature algorithm - ECDSA with P-384 and SHA-384. Under multiple data source case, data source documents stored on OpenSearch can be modified / replaced by attacker. With ECDSA signature, ciphertext decryption will fail if it’s getting polluted. No one will be able to create another signature that verifies with the public key because the private key has been dropped.
Please check opensearch-project#1756 for more details.
See the OpenSearch Dashboards contributing guide for instructions setting up your development environment.
TODO: #2455