From e8c31ad5bcad0f9dc7adcd57df6389c3163bf58a Mon Sep 17 00:00:00 2001 From: GitHub Date: Tue, 10 Oct 2023 06:02:16 +0000 Subject: [PATCH 1/2] OpenSearch - Update Advanced parameters --- includes/config-opensearch.rst | 132 +++++++++++++++++++++++++++++++-- 1 file changed, 127 insertions(+), 5 deletions(-) diff --git a/includes/config-opensearch.rst b/includes/config-opensearch.rst index 603ba808a3..1d2475a0f7 100644 --- a/includes/config-opensearch.rst +++ b/includes/config-opensearch.rst @@ -1,9 +1,9 @@ -.. - ``additional_backup_regions`` - ----------------------------- - *array* - **Additional Cloud Regions for Backup Replication** +``additional_backup_regions`` +----------------------------- +*array* + +**Additional Cloud Regions for Backup Replication** 
@@ -97,6 +97,86 @@ +``openid`` +---------- +*object* + +**OpenSearch OpenID Connect Configuration** + +``enabled`` +~~~~~~~~~~~ +*boolean* + +**Enable or disable OpenSearch OpenID Connect authentication** Enables or disables OpenID Connect authentication for OpenSearch. When enabled, users can authenticate using OpenID Connect with an Identity Provider. + +``connect_url`` +~~~~~~~~~~~~~~~ +*string* + +**OpenID Connect metadata/configuration URL** The URL of your IdP where the Security plugin can find the OpenID Connect metadata/configuration settings. + +``roles_key`` +~~~~~~~~~~~~~ +*['string', 'null']* + +**The key in the JSON payload that stores the user’s roles** The key in the JSON payload that stores the user’s roles. The value of this key must be a comma-separated list of roles. Required only if you want to use roles in the JWT + +``subject_key`` +~~~~~~~~~~~~~~~ +*['string', 'null']* + +**The key in the JSON payload that stores the user’s name** The key in the JSON payload that stores the user’s name. If not defined, the subject registered claim is used. Most IdP providers use the preferred_username claim. Optional. + +``jwt_header`` +~~~~~~~~~~~~~~ +*['string', 'null']* + +**The HTTP header that stores the token** The HTTP header that stores the token. Typically the Authorization header with the Bearer schema: Authorization: Bearer . Optional. Default is Authorization. + +``jwt_url_parameter`` +~~~~~~~~~~~~~~~~~~~~~ +*['string', 'null']* + +**URL JWT token.** If the token is not transmitted in the HTTP header, but as an URL parameter, define the name of the parameter here. Optional. + +``refresh_rate_limit_count`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*['integer', 'null']* + +**The maximum number of unknown key IDs in the time frame** The maximum number of unknown key IDs in the time frame. Default is 10. Optional. 
+ +``refresh_rate_limit_time_window_ms`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*['integer', 'null']* + +**The time frame to use when checking the maximum number of unknown key IDs, in milliseconds** The time frame to use when checking the maximum number of unknown key IDs, in milliseconds. Optional.Default is 10000 (10 seconds). + +``client_id`` +~~~~~~~~~~~~~ +*string* + +**The ID of the OpenID Connect client** The ID of the OpenID Connect client configured in your IdP. Required. + +``client_secret`` +~~~~~~~~~~~~~~~~~ +*string* + +**The client secret of the OpenID Connect** The client secret of the OpenID Connect client configured in your IdP. Required. + +``scope`` +~~~~~~~~~ +*string* + +**The scope of the identity token issued by the IdP** The scope of the identity token issued by the IdP. Optional. Default is openid profile email address phone. + +``header`` +~~~~~~~~~~ +*string* + +**HTTP header name of the JWT token** HTTP header name of the JWT token. Optional. Default is Authorization. + + + ``index_patterns`` ------------------ *array* @@ -225,6 +305,12 @@ **action.auto_create_index** Explicitly allow or block automatic creation of indices. Defaults to true +``auth_failure_listeners`` +~~~~~~~~~~~~~~~~~~~~~~~~~~ +*object* + +**Opensearch Security Plugin Settings** + ``thread_pool_search_size`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ *integer* 
@@ -339,6 +425,42 @@ **Sender password for Opensearch alerts to authenticate with SMTP server** Sender password for Opensearch alerts to authenticate with SMTP server +``ism_enabled`` +~~~~~~~~~~~~~~~ +*['boolean', 'null']* + +**Specifies whether ISM is enabled or not** + +``ism_history_enabled`` +~~~~~~~~~~~~~~~~~~~~~~~ +*['boolean', 'null']* + +**Specifies whether audit history is enabled or not. The logs from ISM are automatically indexed to a logs document.** + +``ism_history_max_age`` +~~~~~~~~~~~~~~~~~~~~~~~ +*['integer', 'null']* + +**The maximum age before rolling over the audit history index in hours** + +``ism_history_max_docs`` +~~~~~~~~~~~~~~~~~~~~~~~~ +*['integer', 'null']* + +**The maximum number of documents before rolling over the audit history index.** + +``ism_history_rollover_check_period`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*['integer', 'null']* + +**The time between rollover checks for the audit history index in hours.** + +``ism_history_rollover_retention_period`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*['integer', 'null']* + +**How long audit history indices are kept in days.** + ``index_template`` From f8623bb43a3aad18fb801c3df3c9224cb8733132 Mon Sep 17 00:00:00 2001 From: Harshini Rangaswamy <108724024+harshini-rangaswamy@users.noreply.github.com> Date: Fri, 13 Oct 2023 16:22:24 +0200 Subject: [PATCH 2/2] Update config-opensearch.rst Removed backup to another region as this is not yet available for all services. --- includes/config-opensearch.rst | 9 --------- 1 file changed, 9 deletions(-) diff --git a/includes/config-opensearch.rst b/includes/config-opensearch.rst index 1d2475a0f7..d008cc1d72 100644 --- a/includes/config-opensearch.rst +++ b/includes/config-opensearch.rst @@ -1,12 +1,3 @@ - -``additional_backup_regions`` ------------------------------ -*array* - -**Additional Cloud Regions for Backup Replication** - - - ``opensearch_version`` ---------------------- *['string', 'null']*
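Review bot: in the ``openid`` hunk (@@ -97,6 +97,86 @@), ``jwt_url_parameter`` documents sending the token as a URL parameter with no caveat. URLs are routinely recorded in access logs, proxy logs and browser history, so the description should say that the header is preferred and that this option exposes the token wherever the URL is logged. In the same hunk, ``jwt_header`` and ``header`` both describe the HTTP header that carries the JWT, both defaulting to Authorization, and nothing says how they differ or which one wins. The ``jwt_header`` example reads "Authorization: Bearer ." with the token placeholder missing, ``client_secret`` has no note that the value is a credential, ``roles_key`` ends without a period, and "Optional.Default is 10000" needs a space.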
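Review bot: the ``auth_failure_listeners`` entry added in the @@ -225,6 +305,12 @@ hunk is typed *object*, but its only text is the title "Opensearch Security Plugin Settings", so a reader cannot tell which keys the object accepts or what they control. Document the nested properties the way the ``openid`` object does, and spell the product name "OpenSearch" as the ``openid`` section does.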
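Review bot: none of the six ``ism_*`` entries in the @@ -339,6 +425,42 @@ hunk states a default, although every one is nullable, so the docs do not say whether ISM audit history is kept, or for how long, when the values are left unset. Add the defaults as the ``openid`` entries do, expand ISM (Index State Management) on first use, and give each entry a description line under its bold title. The trailing periods are also inconsistent: ``ism_enabled`` and ``ism_history_max_age`` end without one while the other four have one.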
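Review bot: the single hunk of patch 2/2 (@@ -1,12 +1,3 @@) deletes the ``additional_backup_regions`` section that the first hunk of patch 1/2 had just made visible by removing the ``..`` comment marker, so the series publishes the section and then removes it. Squash the two, or drop the first hunk of 1/2 and leave the block commented out as it was, which keeps the text in the file until the feature is, per the commit message, available for all services.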