
[DOC] Missing documentation for security features

Open hardik-k-shah opened this issue 3 years ago • 12 comments

Add documentation for the security features below.

  1. Audit logging configuration is hot reloadable, and both APIs and a UI are available.
  2. SSL certificates (for the REST endpoint and N2N communication) are also hot reloadable, and there are APIs available for the same.
  3. CRUD APIs for default configurations. (Default roles, users and role mappings can be updated by the super admin now.)
  4. Hot-reloadable certificate domain names. (Now the super admin can hot-update certificate domain names for the cross-cluster use case.)
  5. Separate certificates for client and server for inter-node communication. (Initiative and PR from Twitter.)

hardik-k-shah avatar Mar 08 '22 02:03 hardik-k-shah
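
The three API-driven features in the list above (hot reloading of TLS certificates, the hot-reloadable audit configuration and hot-reloadable nodes_dn) are exercised from one small admin client below. This is an added example, not code from the security plugin or from the documentation it describes. The endpoint paths under `/_plugins/_security/api` are the plugin's REST API; the host `https://node-0.example.com:9200`, the certificate file paths, the cluster name and the sample certificate entries are assumptions constructed for the example. The `RecordingOpener` is an offline stand-in for `urllib`'s opener so the flow runs without a cluster.

```python
"""Admin-API client for the OpenSearch Security plugin's hot-reload features.
Added example (not plugin or docs code). Endpoint paths are the plugin's REST
API; host, file paths, cluster name and sample data are assumptions."""
import io
import json
import ssl
import urllib.request

API = "/_plugins/_security/api"


class SecurityAdminClient:
    """Builds admin API requests; the opener (real or fake) sends them."""

    def __init__(self, base_url, opener):
        self.base_url = base_url.rstrip("/")
        self.opener = opener

    @classmethod
    def with_admin_cert(cls, base_url, admin_cert, admin_key, ca_cert):
        # These APIs accept only the admin (super admin) certificate, so the
        # client authenticates with mutual TLS, not a username and password.
        ctx = ssl.create_default_context(cafile=ca_cert)
        ctx.load_cert_chain(certfile=admin_cert, keyfile=admin_key)
        handler = urllib.request.HTTPSHandler(context=ctx)
        return cls(base_url, urllib.request.build_opener(handler))

    def build(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def _call(self, method, path, body=None):
        with self.opener.open(self.build(method, path, body)) as resp:
            return json.loads(resp.read().decode())

    def current_certs(self):
        return self._call("GET", f"{API}/ssl/certs")

    def reload_http_certs(self):
        # Needs plugins.security.ssl_cert_reload_enabled: true in opensearch.yml;
        # the node re-reads the PEM files already configured there.
        return self._call("PUT", f"{API}/ssl/http/reloadcerts")

    def reload_transport_certs(self):
        return self._call("PUT", f"{API}/ssl/transport/reloadcerts")

    def set_nodes_dn(self, cluster_name, dns):
        # Needs plugins.security.nodes_dn_dynamic_config_enabled: true.
        return self._call("PUT", f"{API}/nodesdn/{cluster_name}", {"nodes_dn": dns})

    def set_audit_config(self, audit, compliance, enabled=True):
        body = {"enabled": enabled, "audit": audit, "compliance": compliance}
        return self._call("PUT", f"{API}/audit/config", body)


def rotation_check(before, after, key="http_certificates_list"):
    """A hot reload must keep the certificate identity (issuer, subject, SAN)
    and move not_after forward; anything else means the wrong file was dropped in."""
    problems = []
    for old, new in zip(before[key], after[key]):
        for field in ("issuer_dn", "subject_dn", "san"):
            if old[field] != new[field]:
                problems.append(f"{field} changed: {old[field]!r} -> {new[field]!r}")
        # Timestamps are RFC 3339 UTC strings, so string order is time order.
        if new["not_after"] <= old["not_after"]:
            problems.append(f"not_after did not advance: {new['not_after']}")
    return not problems, problems


def rotate_http_certs(client):
    """Snapshot, reload, snapshot again, verify. Returns (ok, problems, after)."""
    before = client.current_certs()
    client.reload_http_certs()
    after = client.current_certs()
    ok, problems = rotation_check(before, after)
    return ok, problems, after


class RecordingOpener:
    """Offline stand-in for urllib's opener (constructed for this example):
    records each request and answers from per-endpoint queues of canned bodies."""

    def __init__(self, canned):
        self.canned, self.requests = canned, []

    def open(self, req):
        key = (req.get_method(), req.selector)
        self.requests.append(key + (json.loads(req.data) if req.data else None,))
        queue = self.canned.get(key)
        body = queue.pop(0) if queue else {"message": "updated"}  # constructed reply
        return io.BytesIO(json.dumps(body).encode())


def sample_cert_entry(not_after):
    # Constructed sample shaped like one entry of the GET ssl/certs response.
    return {"issuer_dn": "CN=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
            "subject_dn": "CN=node-0.example.com,OU=node,O=node,L=test,DC=de",
            "san": "[[2, node-0.example.com], [2, localhost], [7, 127.0.0.1]]",
            "not_before": "2024-01-01T00:00:00Z", "not_after": not_after}


if __name__ == "__main__":
    old, new = sample_cert_entry("2025-01-01T00:00:00Z"), sample_cert_entry("2026-01-01T00:00:00Z")
    opener = RecordingOpener({("GET", f"{API}/ssl/certs"): [
        {"http_certificates_list": [old], "transport_certificates_list": [old]},
        {"http_certificates_list": [new], "transport_certificates_list": [old]}]})
    client = SecurityAdminClient("https://node-0.example.com:9200", opener)
    print(rotate_http_certs(client)[:2])
```

Against a real cluster, swap `RecordingOpener` for `SecurityAdminClient.with_admin_cert(...)` pointed at the admin certificate, then call `rotate_http_certs` and `reload_transport_certs` separately, since the REST and transport layers reload independently; `rotation_check` mirrors the constraint the hot-reload feature imposes (the replacement certificate keeps the same issuer, subject and SAN) and catches a reload that silently read the old file.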

@hardik-k-shah: Do you have more information on the following:

  • Any internal notes about how to perform each task.
  • A way to list, or a list of, API endpoints for audit logging and CRUD configurations.
  • Example certificates for domains and inter-node communication.

Naarcha-AWS avatar Mar 08 '22 23:03 Naarcha-AWS

The PRs below have a description of how to use these APIs.

  1. Hot reloading SSL certificates: https://github.com/opensearch-project/security/pull/238
  2. Hot re-loadable Audit logging: https://github.com/opensearch-project/security/pull/710 , https://github.com/opensearch-project/security/pull/409
  3. Hot re-loadable nodes_dn/ certificate domain name: https://github.com/opensearch-project/security/pull/362
  4. CRUD for default/reserved configuration: https://github.com/opensearch-project/security/pull/242
  5. Separate Client and Server Cert configuration: https://github.com/opensearch-project/security/pull/493 https://github.com/opensearch-project/security/issues/474

Let me know if these help.

hardik-k-shah avatar Mar 09 '22 00:03 hardik-k-shah

Hi Chris, with all of the progress we've made with security, can you check to see if we've covered any of these points? Thanks.

hdhalter avatar Mar 01 '23 01:03 hdhalter

Hi @hardik-k-shah, do you know if these items have been documented?

hdhalter avatar Feb 10 '24 00:02 hdhalter

Security has been moved to a new team. I'll follow up with them and get this prioritized.

hdhalter avatar Mar 05 '24 22:03 hdhalter

I can pick this one up with @leanneeliatra

AntonEliatra avatar Mar 27 '24 16:03 AntonEliatra

Two PRs submitted:

  • Hot reloading TLS certs: https://github.com/opensearch-project/documentation-website/pull/6875
  • Separate client and server certificates: https://github.com/opensearch-project/documentation-website/pull/6881

AntonEliatra avatar Apr 04 '24 16:04 AntonEliatra

I'm taking care of 3) Hot re-loadable audit logging and 4) CRUD for default/reserved configuration (PR in draft).

leanneeliatra avatar Apr 09 '24 14:04 leanneeliatra

Thanks, @AntonEliatra! Here are the doc PRs:

  • [x] 1) Hot reloading SSL certificates: https://github.com/opensearch-project/documentation-website/pull/6875
  • [x] 2) Hot re-loadable Audit logging: Nothing to do; already complete
  • [x] 3) Hot re-loadable nodes_dn/ certificate domain name: done: https://github.com/opensearch-project/documentation-website/blob/main/_security/access-control/api.md
  • [ ] 4) CRUD for default/reserved configuration: https://github.com/opensearch-project/documentation-website/pull/6927
  • [x] 5) Separate Client and Server Cert configuration: https://github.com/opensearch-project/documentation-website/pull/6881

Please let me know if something is missing.

hdhalter avatar Apr 15 '24 17:04 hdhalter

"Hot re-loadable nodes_dn/ certificate domain name" is already documented here

I spoke with @natebower and we don't think there is anything further needed here, but we can discuss further if you feel additional details are necessary

AntonEliatra avatar Apr 15 '24 17:04 AntonEliatra

For this part of this ticket, "Audit logging configuration is hot reloadable and there are APIs and UI both available", the original work that was done is contained in these two PRs:

  1. Provide default audit.yml to enable hot reloading of audit configuration #710
  2. Hot reloading audit configuration #409

This comment is to log that the supporting updates to the documentation, to support the above two PR code changes, have already been completed. The information below points to the locations in the security docs where these updates have been added.

leanneeliatra avatar Apr 17 '24 13:04 leanneeliatra

Hi Heather,

I have some updates for this issue and the final 2 remaining items in my name.

  1. Hot re-loadable audit logging. After investigation, I have found this is already documented in the docs, with new additions to the documentation 8 months and 11 months ago. I have added a comment https://github.com/opensearch-project/documentation-website/issues/433#issuecomment-2061236538 on the ticket showing where the updates to the docs can be found.
  2. CRUD for default/reserved configuration: #6927 https://github.com/opensearch-project/documentation-website/pull/6927 The changes related to this PR were quite heavy. I have an idea of what was carried out, but I had been hoping to speak to an original reviewer of the work to discuss and ensure I had the right picture. I will proceed with what I understand of the changes, and we can hopefully get the opinion of Hardik Shaw or another original contributor once my updates to the documentation are ready.

leanneeliatra avatar Apr 17 '24 13:04 leanneeliatra

Everything has been addressed except admin/superadmin roles, which are being addressed in https://github.com/opensearch-project/documentation-website/pull/7069 and have a separate issue assigned: https://github.com/opensearch-project/documentation-website/issues/4646. Thanks, @leanneeliatra!

hdhalter avatar May 08 '24 15:05 hdhalter