From bb8519225811c81c0cf2b31a96f3b039b8aa2654 Mon Sep 17 00:00:00 2001
From: shotor <shotor@shotor.com>
Date: Thu, 28 Mar 2024 17:55:08 +0100
Subject: [PATCH] fix(security): explicitly add keys required in security
 config

---
 .../authentication-backends/basic-authc.md    |  28 ++--
 .../authentication-backends/openid-connect.md |  84 +++++++-----
 _security/authentication-backends/saml.md     | 126 ++++++++++--------
 3 files changed, 138 insertions(+), 100 deletions(-)

diff --git a/_security/authentication-backends/basic-authc.md b/_security/authentication-backends/basic-authc.md
index 5e5d12597c..46a498d0ab 100644
--- a/_security/authentication-backends/basic-authc.md
+++ b/_security/authentication-backends/basic-authc.md
@@ -12,17 +12,23 @@ redirect_from:
 HTTP basic authentication provides a simple challenge-and-response process for gaining access to OpenSearch and its resources that prompts you to sign in with a username and password. You enable HTTP basic authentication in the `http_authenticator` section of the configuration by specifying `type` as `basic`, as shown in the following example:
 
 ```yml
-authc:
-  basic_internal_auth_domain:
-    description: "Authenticate using HTTP basic against the internal users database"
-    http_enabled: true
-    transport_enabled: true
-    order: 1
-    http_authenticator:
-      type: basic
-      challenge: true
-    authentication_backend:
-      type: internal
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        description: "Authenticate using HTTP basic against the internal users database"
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: basic
+          challenge: true
+        authentication_backend:
+          type: internal
 ```
 
 Additionally, you can specify the internal user database as the authentication backend by specifying `internal` as the type for `authentication_backend`. See [The internal user database](#the-internal-user-database) for information about this backend.
diff --git a/_security/authentication-backends/openid-connect.md b/_security/authentication-backends/openid-connect.md
index 4d24f2eff7..14046bedf0 100755
--- a/_security/authentication-backends/openid-connect.md
+++ b/_security/authentication-backends/openid-connect.md
@@ -33,19 +33,26 @@ To integrate with an OpenID IdP, set up an authentication domain and choose `ope
 This is the minimal configuration:
 
 ```yml
-openid_auth_domain:
-  http_enabled: true
-  transport_enabled: true
-  order: 0
-  http_authenticator:
-    type: openid
-    challenge: false
-    config:
-      subject_key: preferred_username
-      roles_key: roles
-      openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
-  authentication_backend:
-    type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: openid
+          challenge: false
+          config:
+            subject_key: preferred_username
+            roles_key: roles
+            openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
+        authentication_backend:
+          type: noop
 ```
 
 The following table shows the configuration parameters.
@@ -370,26 +377,33 @@ Because OpenSearch Dashboards requires that the internal OpenSearch Dashboards s
 Modify and apply the following example settings in `config.yml`:
 
 ```yml
-basic_internal_auth_domain:
-  http_enabled: true
-  transport_enabled: true
-  order: 0
-  http_authenticator:
-    type: basic
-    challenge: false
-  authentication_backend:
-    type: internal
-openid_auth_domain:
-  http_enabled: true
-  transport_enabled: true
-  order: 1
-  http_authenticator:
-    type: openid
-    challenge: false
-    config:
-      subject_key: preferred_username
-      roles_key: roles
-      openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
-  authentication_backend:
-    type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: openid
+          challenge: false
+          config:
+            subject_key: preferred_username
+            roles_key: roles
+            openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
+        authentication_backend:
+          type: noop
 ```
diff --git a/_security/authentication-backends/saml.md b/_security/authentication-backends/saml.md
index ee6e2184dd..5313ffe950 100755
--- a/_security/authentication-backends/saml.md
+++ b/_security/authentication-backends/saml.md
@@ -59,20 +59,26 @@ We provide a fully functional example that can help you understand how to use SA
 To use SAML for authentication, you need to configure a respective authentication domain in the `authc` section of `config/opensearch-security/config.yml`. Because SAML works solely on the HTTP layer, you do not need any `authentication_backend` and can set it to `noop`. Place all SAML-specific configuration options in this chapter in the `config` section of the SAML HTTP authenticator:
 
 ```yml
-authc:
-  saml_auth_domain:
-    http_enabled: true
-    transport_enabled: false
-    order: 1
-    http_authenticator:
-      type: saml
-      challenge: true
-      config:
-        idp:
-          metadata_file: okta.xml
-          ...
-    authentication_backend:
-      type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      saml_auth_domain:
+        http_enabled: true
+        transport_enabled: false
+        order: 1
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            idp:
+              metadata_file: okta.xml
+              ...
+        authentication_backend:
+          type: noop
 ```
 
 After you have configured SAML in `config.yml`, you must also [activate it in OpenSearch Dashboards](#opensearch-dashboards-configuration).
@@ -83,27 +89,33 @@ After you have configured SAML in `config.yml`, you must also [activate it in Op
 We recommend adding at least one other authentication domain, such as LDAP or the internal user database, to support API access to OpenSearch without SAML. For OpenSearch Dashboards and the internal OpenSearch Dashboards server user, you also must add another authentication domain that supports basic authentication. This authentication domain should be placed first in the chain, and the `challenge` flag must be set to `false`:
 
 ```yml
-authc:
-  basic_internal_auth_domain:
-    http_enabled: true
-    transport_enabled: true
-    order: 0
-    http_authenticator:
-      type: basic
-      challenge: false
-    authentication_backend:
-      type: internal
-  saml_auth_domain:
-    http_enabled: true
-    transport_enabled: false
-    order: 1
-    http_authenticator:
-      type: saml
-      challenge: true
-      config:
-        ...
-    authentication_backend:
-      type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      saml_auth_domain:
+        http_enabled: true
+        transport_enabled: false
+        order: 1
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            ...
+        authentication_backend:
+          type: noop
 ```
 
 
@@ -310,25 +322,31 @@ Name | Description
 The following example shows the minimal configuration:
 
 ```yml
-authc:
-  saml_auth_domain:
-    http_enabled: true
-    transport_enabled: false
-    order: 1
-    http_authenticator:
-      type: saml
-      challenge: true
-      config:
-        idp:
-          metadata_file: metadata.xml
-          entity_id: http://idp.example.com/
-        sp:
-          entity_id: https://opensearch-dashboards.example.com
-        kibana_url: https://opensearch-dashboards.example.com:5601/
-        roles_key: Role
-        exchange_key: 'peuvgOLrjzuhXf ...'
-    authentication_backend:
-      type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      saml_auth_domain:
+        http_enabled: true
+        transport_enabled: false
+        order: 1
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            idp:
+              metadata_file: metadata.xml
+              entity_id: http://idp.example.com/
+            sp:
+              entity_id: https://opensearch-dashboards.example.com
+            kibana_url: https://opensearch-dashboards.example.com:5601/
+            roles_key: Role
+            exchange_key: 'peuvgOLrjzuhXf ...'
+        authentication_backend:
+          type: noop
 ```
 
 ## OpenSearch Dashboards configuration