forked from opensearch-project/security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Craig Perkins <[email protected]>
- Loading branch information
Showing
12 changed files
with
1,235 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| _meta: | ||
| type: "actiongroups" | ||
| config_version: 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| --- | ||
| _meta: | ||
| type: "allowlist" | ||
| config_version: 2 | ||
|
|
||
| # Description: | ||
| # enabled - feature flag. | ||
| # if enabled is false, the allowlisting feature is removed. | ||
| # This is like removing the check that checks if an API is allowlisted. | ||
| # This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting. | ||
| # if enabled is true, then all users except SuperAdmin can access only the APIs in requests | ||
| # SuperAdmin can access all APIs. | ||
| # SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: | ||
| # Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. | ||
| # | ||
| # requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints | ||
|
|
||
| # Examples showing how to configure this yml file (make sure the _meta data from above is also there): | ||
| # Example 1: | ||
| # To enable allowlisting and allowlist GET /_cluster/settings | ||
| # | ||
| #config: | ||
| # enabled: true | ||
| # requests: | ||
| # /_cluster/settings: | ||
| # - GET | ||
| # | ||
| # Example 2: | ||
| # If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT): | ||
| # | ||
| #config: | ||
| # enabled: true | ||
| # requests: | ||
| # /_cluster/settings: | ||
| # - GET | ||
| # - PUT | ||
| # | ||
| # Example 3: | ||
| # If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: | ||
| # | ||
| #config: | ||
| # enabled: true | ||
| # requests: | ||
| # /_cluster/settings: | ||
| # - GET | ||
| # - PUT | ||
| # /_cat/nodes: | ||
| # - GET | ||
| # /_cat/shards: | ||
| # - GET | ||
| # | ||
| # Example 4: | ||
| # If you want to disable the allowlisting feature, set enabled to false. | ||
| # enabled: false | ||
| # requests: | ||
| # /_cluster/settings: | ||
| # - GET | ||
| # | ||
| #At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant. | ||
|
|
||
|
|
||
| #this name must be config | ||
| config: | ||
| enabled: false | ||
| requests: | ||
| /_cluster/settings: | ||
| - GET | ||
| /_cat/nodes: | ||
| - GET |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| _meta: | ||
| type: "audit" | ||
| config_version: 2 | ||
|
|
||
| config: | ||
| # enable/disable audit logging | ||
| enabled: true | ||
|
|
||
| audit: | ||
| # Enable/disable REST API auditing | ||
| enable_rest: true | ||
|
|
||
| # Categories to exclude from REST API auditing | ||
| disabled_rest_categories: | ||
| - AUTHENTICATED | ||
| - GRANTED_PRIVILEGES | ||
|
|
||
| # Enable/disable Transport API auditing | ||
| enable_transport: true | ||
|
|
||
| # Categories to exclude from Transport API auditing | ||
| disabled_transport_categories: | ||
| - AUTHENTICATED | ||
| - GRANTED_PRIVILEGES | ||
|
|
||
| # Users to be excluded from auditing. Wildcard patterns are supported. Eg: | ||
| # ignore_users: ["test-user", "employee-*"] | ||
| ignore_users: | ||
| - kibanaserver | ||
|
|
||
| # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: | ||
| # ignore_requests: ["indices:data/read/*", "SearchRequest"] | ||
| ignore_requests: [] | ||
|
|
||
| # Log individual operations in a bulk request | ||
| resolve_bulk_requests: false | ||
|
|
||
| # Include the body of the request (if available) for both REST and the transport layer | ||
| log_request_body: true | ||
|
|
||
| # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns | ||
| resolve_indices: true | ||
|
|
||
| # Exclude sensitive headers from being included in the logs. Eg: Authorization | ||
| exclude_sensitive_headers: true | ||
|
|
||
| compliance: | ||
| # enable/disable compliance | ||
| enabled: true | ||
|
|
||
| # Log updates to internal security changes | ||
| internal_config: true | ||
|
|
||
| # Log external config files for the node | ||
| external_config: false | ||
|
|
||
| # Log only metadata of the document for read events | ||
| read_metadata_only: true | ||
|
|
||
| # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: | ||
| # read_watched_fields: { | ||
| # "twitter": ["message"] | ||
| # "logs-*": ["id", "attr*"] | ||
| # } | ||
| read_watched_fields: {} | ||
|
|
||
| # List of users to ignore for read events. Wildcard patterns are supported. Eg: | ||
| # read_ignore_users: ["test-user", "employee-*"] | ||
| read_ignore_users: | ||
| - kibanaserver | ||
|
|
||
| # Log only metadata of the document for write events | ||
| write_metadata_only: true | ||
|
|
||
| # Log only diffs for document updates | ||
| write_log_diffs: false | ||
|
|
||
| # List of indices to watch for write events. Wildcard patterns are supported | ||
| # write_watched_indices: ["twitter", "logs-*"] | ||
| write_watched_indices: [] | ||
|
|
||
| # List of users to ignore for write events. Wildcard patterns are supported. Eg: | ||
| # write_ignore_users: ["test-user", "employee-*"] | ||
| write_ignore_users: | ||
| - kibanaserver |
Oops, something went wrong.