Enhancing Security configuration steps #8058

Merged
Changes from 25 commits
Commits
39 commits
00124e0
wip building out the security configuration steps
leanneeliatra Aug 20, 2024
a4c2155
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Aug 20, 2024
61d250e
adding relevant links to docs.
leanneeliatra Aug 22, 2024
5a6c4e7
adding further info to security settings
leanneeliatra Aug 22, 2024
9de91b0
reviewdog issues fixed
leanneeliatra Aug 23, 2024
0540b08
paths given for 1.0 securityadmin
leanneeliatra Aug 23, 2024
0f05d1a
Reconfiguring layout
leanneeliatra Aug 23, 2024
bb48d63
updating security configuration
leanneeliatra Aug 23, 2024
f673774
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Aug 23, 2024
8fae201
Update _security/configuration/index.md
leanneeliatra Aug 26, 2024
51e88e8
Merge branch 'main' into adding-further-security-configuration-steps-…
vagimeli Aug 26, 2024
368fa29
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Aug 27, 2024
a06d5ca
Updates for examples given in config doc.
leanneeliatra Aug 27, 2024
9a49426
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Aug 28, 2024
5f0404e
Add doc review
Naarcha-AWS Aug 28, 2024
4e08aa2
Update index.md
Naarcha-AWS Aug 28, 2024
1d89252
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Aug 29, 2024
3b998af
Delete _security/configuration/test
Naarcha-AWS Aug 29, 2024
1d04037
Apply suggestions from code review
Naarcha-AWS Aug 29, 2024
7343e8b
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Aug 30, 2024
662f729
Made the securityadmin.sh backup tool instructions clearer
leanneeliatra Aug 30, 2024
4a94dc4
Apply suggestions from code review
Naarcha-AWS Aug 30, 2024
fd0e82b
Update _security/configuration/index.md
Naarcha-AWS Aug 30, 2024
3ca5fd9
Apply suggestions from code review
Naarcha-AWS Aug 30, 2024
64f2092
Apply suggestions from code review
Naarcha-AWS Aug 30, 2024
7f3ab59
updating the command for the securityadmin tool
leanneeliatra Aug 30, 2024
b2d7b86
Merge branch 'main' into adding-further-security-configuration-steps-…
Naarcha-AWS Sep 5, 2024
ddf194f
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Sep 10, 2024
3f9cbc2
Merge branch 'main' into adding-further-security-configuration-steps-…
Naarcha-AWS Sep 11, 2024
fd1e181
reviewdog updates
leanneeliatra Sep 17, 2024
521712b
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Sep 17, 2024
46a3134
Apply suggestions from code review
Naarcha-AWS Sep 17, 2024
74bbc7b
Apply suggestions from code review
leanneeliatra Sep 18, 2024
cfaceac
removing headings as links
leanneeliatra Sep 18, 2024
bb29ae0
Updating headings to be headings and adding extra links at the end of…
leanneeliatra Sep 19, 2024
7a7426f
Merge branch 'main' into adding-further-security-configuration-steps-…
leanneeliatra Sep 19, 2024
039ddda
Apply suggestions from code review
Naarcha-AWS Sep 19, 2024
86d09ab
Update index.md
Naarcha-AWS Sep 19, 2024
e296118
Apply suggestions from code review
Naarcha-AWS Sep 19, 2024
109 changes: 98 additions & 11 deletions _security/configuration/index.md
Expand Up @@ -13,19 +13,106 @@

The plugin includes demo certificates so that you can get up and running quickly. To use OpenSearch in a production environment, you must configure it manually:

1. [Replace the demo certificates]({{site.url}}{{site.baseurl}}/install-and-configure/install-opensearch/docker/#configuring-basic-security-settings).
1. [Reconfigure `opensearch.yml` to use your certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls).
1. [Reconfigure `config.yml` to use your authentication backend]({{site.url}}{{site.baseurl}}/security/configuration/configuration/) (if you don't plan to use the internal user database).
1. [Modify the configuration YAML files]({{site.url}}{{site.baseurl}}/security/configuration/yaml).
1. If you plan to use the internal user database, [set a password policy in `opensearch.yml`]({{site.url}}{{site.baseurl}}/security/configuration/yaml/#opensearchyml).
1. [Apply changes using the `securityadmin` script]({{site.url}}{{site.baseurl}}/security/configuration/security-admin).
1. Start OpenSearch.
1. [Add users, roles, role mappings, and tenants]({{site.url}}{{site.baseurl}}/security/access-control/index/).
### [Replace the demo certificates]({{site.url}}{{site.baseurl}}/install-and-configure/install-opensearch/docker/#configuring-basic-security-settings).

If you don't want to use the plugin, see [Disable security]({{site.url}}{{site.baseurl}}/security/configuration/disable-enable-security/).
OpenSearch ships with demo certificates intended for quick setup and demonstration purposes. For a production environment, it's critical to replace these with your own trusted certificates to ensure secure communication by using the following steps:

1. **Generate your own certificates:** Use tools like OpenSSL or a certificate authority (CA) to generate your own certificates. For more information about generating certificates with OpenSSL, see [Generating self-signed certificates]({{site.url}}{{site.baseurl}}/security/configuration/generate-certificates/).

Check failure on line 20 in _security/configuration/index.md
[vale] reported by reviewdog 🐶 [OpenSearch.HeadingPunctuation] Don't use punctuation at the end of a heading. Raw Output: {"message": "[OpenSearch.HeadingPunctuation] Don't use punctuation at the end of a heading.", "location": {"path": "_security/configuration/index.md", "range": {"start": {"line": 20, "column": 243}}}, "severity": "ERROR"}
2. **Place the generated certificates and private key in the appropriate directory:** Generated certificates are typically placed in `<OPENSEARCH_HOME>/config/`. For more information, see [Add certificate files to opensearch.yml]({{site.url}}{{site.baseurl}}/security/configuration/generate-certificates/#add-certificate-files-to-opensearchyml).
3. **Set following proper file permissions:**
- Private Key (.key files): Set the file mode to `600`. This restricts access so that only the file owner (the OpenSearch user) can read and write to the file, ensuring that the private key remains secure and inaccessible to unauthorized users.
- Public Certificates (.crt, .pem files): Set the file mode to `644`. This allows the file owner to read and write the file, while other users can only read it.
- Ownership: Make the files are owned by the OpenSearch user (OpenSearch or similar).

For additional guidance on file modes, see the following table:

| Item | Sample | Numeric | Bitwise |
|-------------|---------------------|---------|--------------|
| Public Key | `~/.ssh/id_rsa.pub` | `644` | `-rw-r--r--` |
| Private Key | `~/.ssh/id_rsa` | `600` | `-rw-------` |
| SSH Folder | `~/.ssh` | `700` | `drwx------` |

### [Reconfigure `opensearch.yml` to use your certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/)

The `opensearch.yml` file is the main configuration file for OpenSearch. Use the following steps to update this file to point to your custom certificates for secure communication.

1. Open `opensearch.yml`: Locate and open the `opensearch.yml` file in your preferred text editor.
2. Set the correct paths for your certificates and keys in the `opensearch.yml` file, as shown in the following example:

```
plugins.security.ssl.transport.pemcert_filepath: /path/to/your/cert.pem
plugins.security.ssl.transport.pemkey_filepath: /path/to/your/key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /path/to/your/ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /path/to/your/cert.pem
plugins.security.ssl.http.pemkey_filepath: /path/to/your/key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /path/to/your/ca.pem
```

### [Reconfigure `config.yml` to use your authentication backend]({{site.url}}{{site.baseurl}}/security/configuration/configuration/)

The `config.yml` file allows you to configure the authentication and authorization mechanisms for OpenSearch. Update the authentication backend settings in `config/opensearch-security/config.yml` according to your requirements. For example, to use LDAP as your authentication backend, add the following settings:

```
authc:
basic_internal_auth:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
```

### [Modify the configuration YAML files]({{site.url}}{{site.baseurl}}/security/configuration/yaml/)

Determine if any additional YAML files need modification, for example the `roles.yml`, `roles_mapping.yml`, `internal_users.yml`. Edit the files with any additional configuration needed.

### [Set a password policy]({{site.url}}{{site.baseurl}}/security/configuration/yaml/#password-settings)

When using the internal user database, we recommend enforcing a password policy to make sure that strong passwords are used. For information strong password policies, see [Password settings]({{site.url}}{{site.baseurl}}/security/configuration/yaml/#password-settings).

### [Apply changes using the `securityadmin` script]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/)

The following steps are not required for first-time user because the security index is automatically initialized from the YAML configuration files when OpenSearch starts.
{: .note}

After initial setup, if you make changes to your security configuration or if you disable automatic initialization by setting `plugins.security.allow_default_init_securityindex` to `false` (setting to prevent security index initializing from `yaml` files), you need to manually apply changes using the `securityadmin` script.

1. Find the `securityadmin` script. The script is typically found in the OpenSearch plugins directory, `plugins/opensearch-security/tools/securityadmin.sh`. If you're using OpenSearch 1.x, the `securityadmin` script was located in the `plugins/opendistro_security/tools/` directory. For additional information refer to [Applying changes to configuration files](https://opensearch.org/docs/latest/security/configuration/security-admin/), or if in need of further assistance visit [securityadmin.sh Troubleshooting](https://opensearch.org/docs/latest/troubleshoot/security-admin/).
2. Run the script with the appropriate parameters by using the following command:
Collaborator

@cwperks: How would I know what the appropriate parameters are?

Contributor Author

The appropriate parameters are given in the example that immediately follows. I have made this clearer by making the example clearer (by giving it in the same format as is on the other documentation page: Applying changes to configuration files).

And also by providing links to other relevant pages with more information: Applying changes to configuration files & securityadmin.sh Troubleshooting

Thanks Nate!

Member

@cwperks cwperks Aug 30, 2024

@leanneeliatra @Naarcha-AWS The example below shows params for how to take a backup of the security index, but the text above is about applying changes. Please make sure that the correct command is shown in the docs.


```
./securityadmin[.sh|.bat] -backup my-backup-directory \
-icl \
-nhnv \
-cacert ../../../config/root-ca.pem \
-cert ../../../config/kirk.pem \
-key ../../../config/kirk-key.pem
```

3. Check the OpenSearch logs and configuration to ensure that the changes have been successfully applied.

For further information about using the `securityadmin.sh` script, see [Backup restore and migrate]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/#backup-restore-and-migrate)



### [Add users, roles, role mappings, and tenants]({{site.url}}{{site.baseurl}}/security/access-control/index/)

If you don't want to use the Security plugin, you can disable it by adding the following setting to the `opensearch.yml` file:

```
plugins.security.disabled: true
```

You can then enable the plugin by removing the `plugins.security.disabled` setting.

For further information on disabling the Security plugin check the documentation, see [Disable security]({{site.url}}{{site.baseurl}}/security/configuration/disable-enable-security/).

The Security plugin has several default users, roles, action groups, permissions, and settings for OpenSearch Dashboards that use kibana in their names. We will change these names in a future release.
{: .note }

For a full list of `opensearch.yml` Security plugin settings, Security plugin settings, see [Security settings]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/security-settings/).
{: .note}
For a full list of `opensearch.yml` Security plugin settings, see [Security settings]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/security-settings/).
{: .note}
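Review bot: the `config.yml` example under "Reconfigure `config.yml` to use your authentication backend" contradicts its lead-in: the sentence says "to use LDAP as your authentication backend, add the following settings", but the block shows `basic_internal_auth` with `authentication_backend: type: internal`, which is the internal user database, not LDAP. Either reword the sentence to describe the internal backend or replace the block with an `ldap` authentication domain as documented on the linked configuration page. The same mismatch exists under "Apply changes using the `securityadmin` script": step 2 says "Run the script with the appropriate parameters", yet the command shown begins `./securityadmin[.sh|.bat] -backup my-backup-directory \`, which exports the security index rather than loading the YAML files into it; applying changes uses the `-cd` option pointing at the security configuration directory, and the backup command belongs with the "Backup restore and migrate" sentence that follows step 3. The heading `### [Replace the demo certificates](...)` ends with a period, which is what the vale HeadingPunctuation check above is flagging; the other three subheadings have no trailing period. The section headed "Add users, roles, role mappings, and tenants" only explains disabling the plugin with `plugins.security.disabled: true` and never mentions users, roles, mappings or tenants, so that text needs its own heading (or the original "If you don't want to use the plugin" sentence restored) and the access-control link needs a sentence of its own. Smaller fixes: "Set following proper file permissions" and "Make the files are owned by the OpenSearch user (OpenSearch or similar)" need rewording, and the owner should be named as the account the daemon runs as (`opensearch` on package installs); the permissions table samples SSH paths (`~/.ssh/id_rsa`) although the step just placed `.key`/`.pem` files in `<OPENSEARCH_HOME>/config/`, so sampling those files (including the admin `kirk-key.pem` used by the `securityadmin` command) would be clearer and keeps the `600`/`644` advice attached to the files it applies to; "not required for first-time user" should be "users"; "For information strong password policies" is missing "about"; and one of the two closing notes reads "For a full list of `opensearch.yml` Security plugin settings, Security plugin settings, see", so make sure the version that lands is the one without the repeated phrase.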