Skip to content

Commit

Permalink
adding a get started with security page #6668 (#7128)
Browse files Browse the repository at this point in the history
* adding a get started with security page #6668

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* fixing vale errors #6668

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* fixing vale errors #6668

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* adding role configurations for users without kibanauser mapping #2359

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* updating the page layout for getting started with security #6668

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Apply suggestions from code review

Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* adding additional details to getting started with security

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* adding additional details to getting started with security

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Update security.md

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Update security.md

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* adding link for existing docs for demo config

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Doc review

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
  • Loading branch information
5 people authored Jun 4, 2024
1 parent f07e1ae commit f912f9d
Showing 1 changed file with 192 additions and 0 deletions.
192 changes: 192 additions & 0 deletions _getting-started/security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,192 @@
---
layout: default
title: Getting started with OpenSearch security
nav_order: 60
---

# Getting started with OpenSearch security

The demo configuration is the most straightforward way to get started with OpenSearch security. OpenSearch comes bundled with a number of useful scripts, including `install_demo_configuration.sh` (or `install_demo_configuration.bat` for Windows).

This script is located in `plugins/opensearch-security/tools` and performs the following actions:

- Creates demo certificates for TLS encryption on both the transport and REST layers.
- Configures demo users, roles, and role mappings.
- Configures the Security plugin to use an internal database for authentication and authorization.
- Updates the `opensearch.yml` file with the basic configuration needed to start the cluster.

You can find more information about the demo configuration and how to quickly get started at [Setting up a demo configuration]({{site.url}}{{site.baseurl}}/security/configuration/demo-configuration/).
{: .note}

Certain aspects of this configuration, such as demo certificates and default passwords, should never be used in production. These parts of the demo configuration should be replaced with your custom information before proceeding to production.
{: .warning}

## Setting up the demo configuration

Prior to running the `install_demo_configuration.sh` script, you must create an environment variable named `OPENSEARCH_INITIAL_ADMIN_PASSWORD` with a strong password. This will be used as the password for the admin user to authenticate with OpenSearch. Use the online tool [_Zxcvbn_](https://lowe.github.io/tryzxcvbn/) to test the strength of any password. After this, you can execute `install_demo_configuration.sh` and follow the terminal prompt to enter necessary details.

After the script is executed, you can start OpenSearch and test the configuration by running the following command:

```
curl -k -XGET -u admin:<password> https://<opensearch-ip>:9200
```
{% include copy.html %}

You should see output similar to the following:

```
{
"name" : "smoketestnode",
"cluster_name" : "opensearch",
"cluster_uuid" : "0a5DYAk0Rbi14wqT3TqMiQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.13.0",
"build_type" : "tar",
"build_hash" : "7ec678d1b7c87d6e779fdef94e33623e1f1e2647",
"build_date" : "2024-03-26T00:04:51.025238748Z",
"build_snapshot" : false,
"lucene_version" : "9.10.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```

## Setting up OpenSearch Dashboards

In order to quickly get started with OpenSearch Dashboards, you can add the following configuration to `opensearch_dashboards.yml`:

```
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
```
{% include copy.html %}

You can start the binary or service, depending on which method was used to install OpenSearch and OpenSearch Dashboards.

When using binary, you need to supply `--no-base-path` to `yarn start` command to set a URL without a base path. If this is not set, a random three-letter base path will be added.
{: .note}

After starting OpenSearch Dashboards, you should see the following two log lines:

```
[info][listening] Server running at http://localhost:5601
[info][server][OpenSearchDashboards][http] http server running at http://localhost:5601
```
{% include copy.html %}

You can now access OpenSearch Dashboards using http://localhost:5601 in your browser. Use the username `admin` and the password that was configured in the `OPENSEARCH_INITIAL_ADMIN_PASSWORD` environment variable.

# Adding users

There are three ways to add users, roles, and other security-related configurations:

- Updating appropriate configuration files (`internal_users.yml` for adding/updating/removing users)
- Using the API
- Using the OpenSearch Dashboards UI

Security configuration files are located in the `config/opensearch-security` directory.
{: .note}

You can add an OpenSearch Dashboards user by updating the `internal_users.yml` file with the following settings:

```
test-user:
hash: "$2y$12$CkxFoTAJKsZaWv/m8VoZ6ePG3DBeBTAvoo4xA2P21VCS9w2RYumsG"
backend_roles:
- "test-backend-role"
- "kibanauser"
description: "test user user"
```
{% include copy.html %}

The `hash` string is generated using the `hash.sh` script located in the `plugins/opensearch-security/tools/` directory. In this case, the hash of the string `secretpassword` was used.

Note the use of the built-in backend role `kibanauser`, which provides the user permissions needed to navigate OpenSearch Dashboards.

## Creating roles

Roles contained in `roles.yml` use the following structure:

```
<rolename>:
cluster_permissions:
- <cluster permission>
index_permissions:
- index_patterns:
- <index pattern>
allowed_actions:
- <index permissions>
```
{% include copy.html %}

Using this structure, you can configure a new role to provide access to specific indexes, such as the role configured in the following example:

```
human_resources:
index_permissions:
- index_patterns:
- "humanresources"
allowed_actions:
- "READ"
```
{% include copy.html %}

Note that the cluster permissions are not listed in this example because these are provided by the built-in role `kibana_user`, which is already mapped using the `kibanauser` backend role.


## Mapping users to roles

When a user logs in to OpenSearch, they need to be mapped to the appropriate role in order to obtain the correct permissions. This mapping is performed using the `roles_mapping.yml` file with the following structure:

```
<role_name>:
users:
- <username>
- ...
backend_roles:
- <rolename>
```
{% include copy.html %}

In order to map the newly created user `test-user` to the role `human_resources`, you can use the following configuration in the `roles_mapping.yml` file:

```
human_resources:
backend_roles:
- test-backend-role
```
{% include copy.html %}

As an additional example, the `roles_mappings.yml` file includes the backend role `kibanauser` that has been mapped to the `kibana_user` role:

```
kibana_user:
reserved: false
backend_roles:
- "kibanauser"
description: "Maps kibanauser to kibana_user"
```
{% include copy.html %}

## Uploading the configuration to a security index

The final step in configuring a user, role, or any other security configuration is uploading it to a OpenSearch security index. Only updating the files, without uploading them, will not change the configuration of an already running OpenSearch cluster.

To upload a configuration, the following command can be used with the admin certificate that was generated during `install_demo_configuration.sh` execution:

```
./plugins/opensearch-security/tools/securityadmin.sh -cd "config/opensearch-security" -icl -key "../kirk-key.pem" -cert "../kirk.pem" -cacert "../root-ca.pem" -nhnv
```
{% include copy.html %}

0 comments on commit f912f9d

Please sign in to comment.