From 9901b611b37fb9de9d44ad6663538844efe371b4 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 17:49:20 +0000 Subject: [PATCH] Admin and Super Admin (security admin) Documentation Update (#7069) (#7300) --- _security/access-control/users-roles.md | 39 +++++++++++++++++++++++++ _security/configuration/tls.md | 7 +++-- _troubleshoot/security-admin.md | 2 +- 3 files changed, 44 insertions(+), 4 deletions(-) diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md index 9faafcc008..0491877c03 100644 --- a/_security/access-control/users-roles.md +++ b/_security/access-control/users-roles.md 
@@ -242,3 +242,42 @@ Map the role to your user: 1. Choose the **Mapped users** tab and **Manage mapping**. 1. For **Internal users**, add your bulk access user. 1. Choose **Map**. + +## Admin and super admin roles + +OpenSearch user roles are essential for controlling access to cluster resources. Users can be categorized as regular users, admin users, or super admin users based on their access rights and responsibilities. + +For more information about defining users, see [Defining users](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-users). For more information about defining roles, see [Defining roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-roles). + + +### Regular users +Regular users have basic access permissions that allow them to interact with the OpenSearch cluster, such as querying data and using dashboards, but they do not have administrative privileges. + +### Admin users +Admin users have elevated permissions that allow them to perform various administrative tasks within the cluster. They have broader access compared to regular users, including permissions to: +- Manage users and roles. +- Configure permissions. +- Adjust backend settings. + +Admin users can perform these tasks by configuring settings in the `opensearch.yml` file, using OpenSearch Dashboards, or interacting with the REST API. For more information about configuring users and roles, see [predefined roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#predefined-roles). + +### Super admin users +Super admin users have the highest level of administrative authority within the OpenSearch environment. This role is typically reserved for select users and should be managed carefully. + +Super admin users have unrestricted access to all settings and data within the cluster, including permissions to: +- Modify Security plugin configurations. 
+- Access and manage the security index `.opendistro_security`. +- Override any security limitations. + +#### Authentication of the super admin role + +Super admin users are authenticated through certificates, not passwords. The necessary certificates are defined in the `admin_dn` section of the `opensearch.yml` file and must be signed with the same root certificate authority (CA), as shown in the following example: +``` +YAML +plugins.security.authcz.admin_dn: +- CN=kirk,OU=client,O=client,L=test, C=de +``` + +If the super admin certificate is signed by a different CA, then the admin CA must be concatenated with the node's CA in the file defined in `plugins.security.ssl.http.pemtrustedcas_filepath` in `opensearch.yml`. + +For more information, see [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates). diff --git a/_security/configuration/tls.md b/_security/configuration/tls.md index 3d8c23a391..d06b16a47e 100755 --- a/_security/configuration/tls.md +++ b/_security/configuration/tls.md 
@@ -128,14 +128,16 @@ If your node certificates have an Object ID (OID) identifier in the SAN section, ## Configuring admin certificates -Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s): +Super admin certificates are regular client certificates that have elevated rights to perform administrative security tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Super admin certificates are configured in `opensearch.yml` by stating their DN(s): ```yml plugins.security.authcz.admin_dn: - CN=admin,OU=SSL,O=Test,L=Test,C=DE ``` -For security reasons, you can't use wildcards or regular expressions here. +For security reasons, you cannot use wildcards or regular expressions as values for the `admin_dn` setting. + +For more information about admin and super admin user roles, see [Admin and super admin roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#admin-and-super-admin-roles) and [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates). ## (Advanced) OpenSSL @@ -237,7 +239,6 @@ plugins.security.ssl.http.enabled_protocols: - "TLSv1.2" ``` - ## (Advanced) Disabling client initiated renegotiation for Java 8 Set `-Djdk.tls.rejectClientInitiatedRenegotiation=true` to disable secure client initiated renegotiation, which is enabled by default. This can be set via `OPENSEARCH_JAVA_OPTS` in `config/jvm.options`. 
diff --git a/_troubleshoot/security-admin.md b/_troubleshoot/security-admin.md index 5f9b5709ca..f36f1e3b0b 100644 --- a/_troubleshoot/security-admin.md +++ b/_troubleshoot/security-admin.md @@ -92,7 +92,7 @@ Connected as CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE ERR: CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user ``` -You must use an admin certificate when executing the script. To learn more, see [Configuring admin certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates). +You must use an admin certificate when executing the script. To learn more, see [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates). ## Use the diagnose option
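Review bot: in the users-roles.md hunk, the fenced block under "Authentication of the super admin role" puts the language tag on its own line (a bare ``` fence followed by a line reading `YAML`), so `YAML` renders as literal text inside the block instead of selecting highlighting; use the ```yml fence that the tls.md block in this same patch uses. The example DN `CN=kirk,OU=client,O=client,L=test, C=de` also carries a stray space before `C=de`, inconsistent with the `CN=admin,OU=SSL,O=Test,L=Test,C=DE` form shown in tls.md; drop it. The sentence stating the certificates "must be signed with the same root certificate authority (CA)" is contradicted two paragraphs later by the instructions for a certificate signed by a different CA; say they are normally signed by the same CA as the node certificates and keep the concatenation instructions as the exception. Finally, the new links use hard-coded `https://opensearch.org/docs/latest/...` URLs rather than the `{{site.url}}{{site.baseurl}}` prefix the rest of these files use, and the link text "Configuring super admin certificates" does not match the target heading, which this patch leaves as `## Configuring admin certificates`.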
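Review bot: in the tls.md hunk at `@@ -128,14 +128,16 @@`, the new "For more information" paragraph links to `#configuring-admin-certificates`, which is the anchor of the very section it sits in (`## Configuring admin certificates`), so that second link is circular; drop it or point it somewhere else. The same paragraph switches from the `{{site.url}}{{site.baseurl}}` link convention, still used on the `securityadmin.sh` link two lines above, to hard-coded `https://opensearch.org/docs/latest/...` URLs, so versioned builds of the docs will link out to `latest`. The body now says "Super admin certificates" while the heading still reads "Configuring admin certificates"; either rename the heading (and update every anchor that references it) or keep the body wording aligned with the heading.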
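Review bot: the tls.md hunk at `@@ -237,7 +239,6 @@` is a whitespace-only change (it drops a blank line before `## (Advanced) Disabling client initiated renegotiation for Java 8`) that has nothing to do with the admin and super admin documentation named in the commit subject; leave it out or move it to a separate cleanup commit so the diff stays focused on the documented change.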
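Review bot: in the security-admin.md hunk, the replacement link swaps the `{{site.url}}{{site.baseurl}}` Liquid prefix for a hard-coded `https://opensearch.org/docs/latest/...` URL, so this troubleshooting page in a versioned or locally built docs site will jump out to `latest` instead of the matching version; keep `{{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates` and change only the link text. Note also that the new link text "Configuring super admin certificates" no longer matches the target heading, which this same patch leaves as `## Configuring admin certificates`.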