
[DOC] Using OpenSearch plugins.security.ssl.http.enabled set to false is an unsupported configuration #913

Closed
1 of 4 tasks
peternied opened this issue Aug 18, 2022 · 12 comments
Labels
3 - Done Issue is done/complete security Sev3 Medium priority. Content that's missing, driven by dev, PM or the community.

Comments

@peternied
Member

What do you want to do?

  • Request a change to existing documentation
  • Add new documentation
  • Report a technical problem with the documentation
  • Other

Tell us about your request. Provide a summary of the request and all versions that are affected.
When plugins.security.ssl.http.enabled is set to false in the security configuration, it prevents core functions of the security plugin from working. It should be considered an unsupported scenario to run a cluster in this way. We need to make sure this is clear to our users.

Said slightly differently, during the setup of a cluster, this setting is viable during basic configuration/setup but with limited functionality.

What other resources are available? Provide links to related issues, POCs, steps for testing, etc.

@peternied
Member Author

Background: when the TransportClient was removed in OpenSearch 2.0.0, there was a 'workaround' that would allow for this scenario. With this feature's removal, many scenarios are no longer supported, and we missed this during release testing.

@peternied
Member Author

FYI @opensearch-project/security

@adrian51gray

Does this ticket mean the plugins.security.ssl.http.enabled config param will also be removed?
And presumably this page will have its references to plugins.security.ssl.http.enabled updated to imply the flag should always be true?
https://opensearch.org/docs/latest/security-plugin/configuration/tls/

@Naarcha-AWS Naarcha-AWS added 1 - Backlog Issue: The issue is unassigned or assigned but not started security and removed untriaged labels Oct 12, 2022
@Naarcha-AWS Naarcha-AWS added this to the 2022-Q4 milestone Oct 12, 2022
@jgough

jgough commented Feb 16, 2023

Note that the securityadmin documentation at https://opensearch.org/docs/latest/security/configuration/security-admin/ states that the -noopenssl parameter is still a thing, but this has been removed, it seems.

@defesteban

Hi!
Could you please confirm that we must use TLS for the REST client (plugins.security.ssl.http.enabled=true) if OpenSearch security is enabled?

@cwperks
Member

cwperks commented Mar 7, 2023

@defesteban This is no longer the case since a recent PR was merged into the security repo to allow permissioning to individual security APIs. It was merged into 2.x recently and will be released with version 2.7. There will be a documentation update accompanying the release.

@defesteban

@cwperks As I understand it, you are referring to this pull request. In the description I can't see anything connected to TLS for the REST client, only the ability to provide a specific list of permissions for specific users.
Could you please explain how the above PR influences TLS for the REST client, or share the PR with the changes you described if I found the incorrect PR?

@peternied
Member Author

> Could you please confirm that we must use TLS for REST client (plugins.security.ssl.http.enabled=true) if OpenSearch security is enabled?

While I don't think it's correct to say "must", I would not recommend running without TLS termination managed by the security plugin. The functionality of the security plugin is limited when it is set to false; for example, the security admin tool does not work, as it depends on client certificate authentication.

> Could you please explain how above PR influences TLS for REST client

Previously we had REST APIs that could only be called through client certificate authentication; these changes allow their access to be enabled for users authenticated via an internal/external IdP. This would allow access to these REST APIs in an environment where TLS termination is managed by other hardware/software.

@hdhalter hdhalter added the Sev3 Medium priority. Content that's missing, driven by dev, PM or the community. label Jul 10, 2023
@hdhalter
Contributor

hdhalter commented Dec 6, 2023

Hi @peternied, @cwperks, are there any updates needed to the documentation? Thanks.

@hdhalter hdhalter removed the 1 - Backlog Issue: The issue is unassigned or assigned but not started label Dec 6, 2023
@hdhalter hdhalter removed this from the 2022-Q4 milestone Dec 6, 2023
@jgough

jgough commented Dec 6, 2023

It's a long time since I looked, but I believe the securityadmin documentation does now say that this is required.

> securityadmin.sh requires that SSL/TLS transport is enabled on your opensearch cluster. In other words, make sure that the plugins.security.ssl.http.enabled: true is set in opensearch.yml before proceeding.

As an aside, as in my comment above: I believe the -noopenssl option has been removed from securityadmin.sh as a result of this. The documentation still lists this as an option. This needs to be removed.
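The requirement quoted above can be verified before running securityadmin.sh. The following pre-flight check is an added example, not code from the OpenSearch project or from anyone in this thread; it assumes the key appears as a single-line entry in opensearch.yml, and the sample configuration files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenSearch project code): pre-flight check that
# opensearch.yml explicitly enables TLS on the REST layer before running
# securityadmin.sh, which relies on client certificate authentication.
# Assumes the key appears as a single-line "key: value" entry.
# Exit status: 0 = true, 1 = false or unrecognised value, 2 = key absent
# (the plugin's default then applies; this check makes no assumption about it).

check_http_tls() {
    cfg="$1"
    # Drop comments, keep the last matching line, strip key, quotes and spaces.
    val=$(sed 's/#.*$//' "$cfg" \
        | grep -E '^[[:space:]]*plugins\.security\.ssl\.http\.enabled[[:space:]]*:' \
        | tail -n 1 \
        | sed 's/^[^:]*://' \
        | tr -d "\"' \t")
    case "$val" in
        true|True|TRUE)    return 0 ;;
        "")                return 2 ;;
        *)                 return 1 ;;
    esac
}

report() {
    check_http_tls "$1"
    rc=$?
    case "$rc" in
        0) echo "$1: OK, plugins.security.ssl.http.enabled is true" ;;
        1) echo "$1: UNSUPPORTED, HTTP TLS disabled; securityadmin.sh will not work" ;;
        2) echo "$1: WARNING, key not set; add plugins.security.ssl.http.enabled: true" ;;
    esac
    return "$rc"
}

# Constructed sample configs (not real cluster files).
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.yml" <<'EOF'
cluster.name: demo
plugins.security.ssl.http.enabled: true   # REST layer terminates TLS
EOF
cat > "$tmpdir/bad.yml" <<'EOF'
cluster.name: demo
# plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.enabled: "false"
EOF
cat > "$tmpdir/missing.yml" <<'EOF'
cluster.name: demo
EOF

for f in good bad missing; do report "$tmpdir/$f.yml" || :; done
```

Point check_http_tls at a node's real opensearch.yml to gate securityadmin.sh runs in a deployment script; a non-zero status means the node is in the configuration this issue describes as unsupported.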

@cwperks
Member

cwperks commented Dec 7, 2023

Thank you @jgough. The securityadmin documentation does highlight the need to set up TLS for HTTP: https://opensearch.org/docs/latest/security/configuration/security-admin/#basic-usage

@jgough Thank you for pointing out that there is a now-removed setting on the documentation website. I will open a PR to remove the noopenssl option from the documentation website.

Edit: Opened a PR to remove the -noopenssl option from the documentation website: #5811

@AntonEliatra
Contributor

@hdhalter I think this can be closed

@hdhalter hdhalter added the 3 - Done Issue is done/complete label May 16, 2024

9 participants