fix(security): explicitly add keys required in security config (#6805)
Signed-off-by: shotor <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
shotor and Naarcha-AWS authored Apr 1, 2024
1 parent 13eca4f commit 301ca68
Showing 3 changed files with 138 additions and 100 deletions.
28 changes: 17 additions & 11 deletions _security/authentication-backends/basic-authc.md
Expand Up @@ -12,17 +12,23 @@ redirect_from:
HTTP basic authentication provides a simple challenge-and-response process for gaining access to OpenSearch and its resources that prompts you to sign in with a username and password. You enable HTTP basic authentication in the `http_authenticator` section of the configuration by specifying `type` as `basic`, as shown in the following example:

```yml
authc:
basic_internal_auth_domain:
description: "Authenticate using HTTP basic against the internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
_meta:
type: "config"
config_version: 2

config:
dynamic:
authc:
basic_internal_auth_domain:
description: "Authenticate using HTTP basic against the internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
```
Additionally, you can specify the internal user database as the authentication backend by specifying `internal` as the type for `authentication_backend`. See [The internal user database](#the-internal-user-database) for information about this backend.
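Review bot: the prose introducing this block ("You enable HTTP basic authentication in the `http_authenticator` section of the configuration") never says why `_meta` and the `config: dynamic:` wrapper now appear, even though the commit title calls these keys required; add a sentence before the fence stating that `config.yml` carries a `_meta` block with `type: "config"` and `config_version: 2` and that `authc` sits under `config.dynamic`, so readers copying the snippet do not drop them. The rendered diff has also lost the YAML indentation, so the nesting (`authc` under `dynamic`, the domain under `authc`) should be re-checked in the source file.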
84 changes: 49 additions & 35 deletions _security/authentication-backends/openid-connect.md
Expand Up @@ -33,19 +33,26 @@ To integrate with an OpenID IdP, set up an authentication domain and choose `ope
This is the minimal configuration:

```yml
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
authentication_backend:
type: noop
_meta:
type: "config"
config_version: 2

config:
dynamic:
authc:
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
authentication_backend:
type: noop
```
The following table shows the configuration parameters.
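Review bot: this snippet keeps a blank line after `config_version: 2` (as the basic-authc hunk does) while the second hunk in this same file puts `config:` directly under it; pick one layout for every snippet touched by this commit. Since the lead-in reads "This is the minimal configuration:" and the block now starts at the document root, it is worth saying that the minimum shown is a complete `config.yml`, not only the `openid_auth_domain` block.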
Expand Down Expand Up @@ -370,26 +377,33 @@ Because OpenSearch Dashboards requires that the internal OpenSearch Dashboards s
Modify and apply the following example settings in `config.yml`:

```yml
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
authentication_backend:
type: noop
_meta:
type: "config"
config_version: 2
config:
dynamic:
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
authentication_backend:
type: noop
```
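Review bot: with a top-level `config:` (directly below `config_version: 2`) and a second `config:` nested under `http_authenticator` in the same snippet, the two are easy to confuse once indentation is lost; the sentence "Modify and apply the following example settings in `config.yml`" could state that the OpenID options (`subject_key`, `roles_key`, `openid_connect_url`) go in the inner `config` under `http_authenticator`. This hunk also lacks the blank line after `config_version: 2` that the earlier hunk in this file adds.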
126 changes: 72 additions & 54 deletions _security/authentication-backends/saml.md
Expand Up @@ -59,20 +59,26 @@ We provide a fully functional example that can help you understand how to use SA
To use SAML for authentication, you need to configure a respective authentication domain in the `authc` section of `config/opensearch-security/config.yml`. Because SAML works solely on the HTTP layer, you do not need any `authentication_backend` and can set it to `noop`. Place all SAML-specific configuration options in this chapter in the `config` section of the SAML HTTP authenticator:

```yml
authc:
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_file: okta.xml
...
authentication_backend:
type: noop
_meta:
type: "config"
config_version: 2

config:
dynamic:
authc:
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_file: okta.xml
...
authentication_backend:
type: noop
```
After you have configured SAML in `config.yml`, you must also [activate it in OpenSearch Dashboards](#opensearch-dashboards-configuration).
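Review bot: the sentence before the block, "Place all SAML-specific configuration options in this chapter in the `config` section of the SAML HTTP authenticator", is now ambiguous because the snippet also carries a top-level `config:` key; reword it to point at the `config` nested under `http_authenticator` rather than the top-level `config` key. Keeping the `...` placeholder under `idp:` is fine, since `metadata_file: okta.xml` already shows the shape.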
Expand All @@ -83,27 +89,33 @@ After you have configured SAML in `config.yml`, you must also [activate it in Op
We recommend adding at least one other authentication domain, such as LDAP or the internal user database, to support API access to OpenSearch without SAML. For OpenSearch Dashboards and the internal OpenSearch Dashboards server user, you also must add another authentication domain that supports basic authentication. This authentication domain should be placed first in the chain, and the `challenge` flag must be set to `false`:

```yml
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
...
authentication_backend:
type: noop
_meta:
type: "config"
config_version: 2
config:
dynamic:
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
...
authentication_backend:
type: noop
```


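Review bot: no blank line between `config_version: 2` and `config:` here, while the previous hunk in this file inserts one; align the two. The values shown for `basic_internal_auth_domain` (`order: 0`, `challenge: false`) do match the prose requirement that this domain be first in the chain with `challenge` set to `false`, so the example and the text agree.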
Expand Down Expand Up @@ -310,25 +322,31 @@ Name | Description
The following example shows the minimal configuration:

```yml
authc:
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_file: metadata.xml
entity_id: http://idp.example.com/
sp:
entity_id: https://opensearch-dashboards.example.com
kibana_url: https://opensearch-dashboards.example.com:5601/
roles_key: Role
exchange_key: 'peuvgOLrjzuhXf ...'
authentication_backend:
type: noop
_meta:
type: "config"
config_version: 2
config:
dynamic:
authc:
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_file: metadata.xml
entity_id: http://idp.example.com/
sp:
entity_id: https://opensearch-dashboards.example.com
kibana_url: https://opensearch-dashboards.example.com:5601/
roles_key: Role
exchange_key: 'peuvgOLrjzuhXf ...'
authentication_backend:
type: noop
```

## OpenSearch Dashboards configuration
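Review bot: every snippet in this commit now begins at the document root (`_meta`, then `config:`), so pasting this "minimal configuration" into an existing `config.yml` would duplicate those top-level keys; add a sentence that the example is a complete file and that an existing file should only gain the `saml_auth_domain` entry under `config.dynamic.authc`. The unchanged `exchange_key: 'peuvgOLrjzuhXf ...'` value should be called out as a placeholder in the surrounding text if it is not already.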
