Add documentation for configuring the password hashing algorithm and its properties (opensearch-project#7697)

* Add documentation for configuring the password hashing algorithms and their properties

Signed-off-by: Dan Cecoi <[email protected]>

* Small change to the warning message

Signed-off-by: Dan Cecoi <[email protected]>

* Modified the warning message and its placement

Signed-off-by: Dan Cecoi <[email protected]>

* modified the bcrypt.rounds explanation

Signed-off-by: Dan Cecoi <[email protected]>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <[email protected]>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>

---------

Signed-off-by: Dan Cecoi <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Dan Cecoi <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
Co-authored-by: Nathan Bower <[email protected]>
Signed-off-by: Sander van de Geijn <[email protected]>
4 people authored and sandervandegeijn committed Jul 30, 2024
1 parent 87b7791 commit 44f07cb
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions _install-and-configure/configuring-opensearch/security-settings.md
Expand Up @@ -122,6 +122,41 @@ The Security plugin supports the following expert-level settings:

- `plugins.security.check_snapshot_restore_write_privileges` (Static): Enforces write privilege evaluation when creating snapshots. Default is `true`.

If you change any of the following password hashing properties, you must rehash all internal passwords to ensure compatibility and security.
{: .warning}

- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use.

Valid values are:

- `BCrypt` (Default)
- `PBKDF2`

- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are between `4` and `31`, inclusive. Default is `12`.

- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing.

Valid values are:

- `A`
- `B`
- `Y` (Default)

- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password.

Valid values are:

- `SHA1`
- `SHA224`
- `SHA256` (Default)
- `SHA384`
- `SHA512`

- `plugins.security.password.hashing.pbkdf2.iterations` (Static): Specifies the number of times that the pseudo-random function is applied to the password. Default is `600,000`.

- `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`.


## Audit log settings

The Security plugin supports the following audit log settings:
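
Review bot: The warning that opens the added block says that changing any of these properties requires rehashing all internal passwords, but it gives no procedure or link for doing so and does not say how existing hashes are treated after the change; link the rehashing steps from the warning itself. In the `pbkdf2.length` entry the default is given as `256` with no unit, so state whether that is bits or bytes. The `pbkdf2.iterations` default is written as `600,000` inside code formatting, which is not the literal a reader would type into the configuration file; write `600000`, and give a valid range the way the `bcrypt.rounds` entry does. The `bcrypt.minor` entry lists `A`, `B` and `Y` without saying how they differ or when a non-default value is appropriate. Finally, the `plugins.security.password.hashing.algorithm` entry has a stray colon before `(Static)` that the other entries do not have.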