-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Document behavior of live TLS certificate refresh #1877
Comments
Also, Just noticed this which gets in the way of me having an internal user run the refresh command. This could be it's own permissions group, potentially. |
Thanks for filing @patcable, documentation is managed in another repository and there is an issue tracking the missing documentation for the
Thanks for drawing attention to this, being unable to delegate actions to other accounts is a gap in the current design. |
Filed a separate bug on that permissions design issue, so it can be tracked after this one is closed out. |
hmm. So, there's a documentation issue for sure that's captured well in opensearch-project/documentation-website#530. With that, @peternied do you think it'd be worth opening a feature ticket to allow other roles the ability to reload certs? |
oh, just saw you captured that in #1878. Thanks! |
Is your feature request related to a problem?
Sort of. There is functionality in opensearch-security to reload TLS certificates in opensearch-security. It's not really documented, though.
What solution would you like?
Let folks know about the
plugins.security.ssl_cert_reload_enabled
flag, and that certificate reloads can be triggered with aPUT
to/_opendistro/_security/api/ssl/{http,transport}/reloadcerts
. Also let folks know what API access is required to make that happen.What alternatives have you considered?
I could restart Opensearch i suppose, but, would like to avoid that if I can.
Do you have any additional context?
We issue short-ish (weeks) lived PKI certificates using Hashicorp Vault. They work well, but I'd like to avoid having to restart OS if possible. Code for the SSLReloadCertsAction is available here.
The text was updated successfully, but these errors were encountered: