diff --git a/_dashboards/branding.md b/_dashboards/branding.md index 62763cfd08..7460abcc4e 100644 --- a/_dashboards/branding.md +++ b/_dashboards/branding.md @@ -100,7 +100,7 @@ opensearch.hosts: ["https://localhost:9200"] opensearch.ssl.verificationMode: none opensearch.username: "kibanaserver" opensearch.password: "kibanaserver" -opensearch.requestHeadersWhitelist: [ authorization,securitytenant ] +opensearch.requestHeadersAllowlist: [ authorization,securitytenant ] #server.ssl.enabled: true #server.ssl.certificate: /path/to/your/server/certificate #server.ssl.key: /path/to/your/server/key diff --git a/_dashboards/install/tls.md b/_dashboards/install/tls.md index 546dd36b6f..22f123bce0 100644 --- a/_dashboards/install/tls.md +++ b/_dashboards/install/tls.md @@ -25,7 +25,7 @@ opensearch.hosts: ["https://localhost:9200"] opensearch.ssl.verificationMode: full opensearch.username: "kibanaserver" opensearch.password: "kibanaserver" -opensearch.requestHeadersWhitelist: [ authorization,securitytenant ] +opensearch.requestHeadersAllowlist: [ authorization,securitytenant ] server.ssl.enabled: true server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem diff --git a/_security-plugin/access-control/multi-tenancy.md b/_security-plugin/access-control/multi-tenancy.md index fdde01dffc..dfbee95041 100644 --- a/_security-plugin/access-control/multi-tenancy.md +++ b/_security-plugin/access-control/multi-tenancy.md @@ -46,7 +46,7 @@ Setting | Description ```yml opensearch.username: kibanaserver opensearch.password: kibanaserver -opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: true opensearch_security.multitenancy.tenants.enable_global: true opensearch_security.multitenancy.tenants.enable_private: true @@ -56,7 +56,7 @@ opensearch_security.multitenancy.enable_filter: false Setting | Description :--- | :--- -`opensearch.requestHeadersWhitelist` | OpenSearch Dashboards requires that you whitelist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not whitelisted, OpenSearch Dashboards starts with a red status. +`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status. `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true. `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true. `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true. diff --git a/_security-plugin/configuration/ldap.md b/_security-plugin/configuration/ldap.md index b2d71134e0..7d427a6819 100755 --- a/_security-plugin/configuration/ldap.md +++ b/_security-plugin/configuration/ldap.md @@ -433,7 +433,7 @@ By default, the security plugin reads all LDAP user attributes and makes them av Name | Description :--- | :--- -`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution. +`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution. `custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36. Example: @@ -446,7 +446,7 @@ authz: authorization_backend: type: ldap config: - custom_attr_whitelist: + custom_attr_allowlist: - attribute1 - attribute2 custom_attr_maxval_len: 36 @@ -501,7 +501,7 @@ Name | Description `skip_users` | Array of users that should be skipped when retrieving roles. Wildcards and regular expressions are supported. `nested_role_filter` | Array of role DNs that should be filtered before resolving nested roles. Wildcards and regular expressions are supported. `rolesearch_enabled` | Boolean. Enable or disable the role search. Default is `true`. -`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution. +`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution. `custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36. diff --git a/_security-plugin/configuration/openid-connect.md b/_security-plugin/configuration/openid-connect.md index cdb8c3f97c..959193a593 100755 --- a/_security-plugin/configuration/openid-connect.md +++ b/_security-plugin/configuration/openid-connect.md @@ -308,8 +308,8 @@ opensearch.password: "kibanaserver" # Disable SSL verification when using self-signed demo certificates opensearch.ssl.verificationMode: none -# Whitelist basic headers and multi-tenancy header -opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"] +# allowlist basic headers and multi-tenancy header +opensearch.requestHeadersAllowlist: ["Authorization", "security_tenant"] ``` diff --git a/_security-plugin/configuration/proxy.md b/_security-plugin/configuration/proxy.md index bbbe23c2f6..8e7b88b9dd 100644 --- a/_security-plugin/configuration/proxy.md +++ b/_security-plugin/configuration/proxy.md @@ -192,10 +192,10 @@ config: internalProxies: '' ``` -To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header whitelist in `opensearch_dashboards.yml`: +To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allow list in `opensearch_dashboards.yml`: ```yml -opensearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"] +opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"] ``` You must also enable the authentication type in `opensearch_dashboards.yml`: diff --git a/_security-plugin/configuration/saml.md b/_security-plugin/configuration/saml.md index a2a789e772..bd7a159447 100755 --- a/_security-plugin/configuration/saml.md +++ b/_security-plugin/configuration/saml.md @@ -302,16 +302,16 @@ Because most of the SAML-specific configuration is done in the security plugin, opensearch_security.auth.type: "saml" ``` -In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be whitelisted: +In addition, you must add the OpenSearch Dashboards endpoint for validating the SAML assertions to your allow list: ```yml -server.xsrf.whitelist: ["/_plugins/_security/saml/acs"] +server.xsrf.allowlist: ["/_plugins/_security/saml/acs"] ``` -If you use the logout POST binding, you also need to whitelist the logout endpoint: +If you use the logout POST binding, you also need to ad the logout endpoint to your allow list: ```yml -server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] +server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] ``` ### IdP-initiated SSO @@ -322,8 +322,8 @@ To use IdP-initiated SSO, set the Assertion Consumer Service endpoint of your Id /_plugins/_security/saml/acs/idpinitiated ``` -Then add this endpoint to `server.xsrf.whitelist` in `opensearch_dashboards.yml`: +Then add this endpoint to `server.xsrf.allowlist` in `opensearch_dashboards.yml`: ```yml -server.xsrf.whitelist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] +server.xsrf.allowlist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"] ``` diff --git a/_security-plugin/configuration/yaml.md b/_security-plugin/configuration/yaml.md index 114f080dac..6f75ee363d 100644 --- a/_security-plugin/configuration/yaml.md +++ b/_security-plugin/configuration/yaml.md @@ -124,16 +124,16 @@ plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d] plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character." ``` -## whitelist.yml +## allowlist.yml -You can use `whitelist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings. +You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings. Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings. ```yml --- _meta: - type: "whitelist" + type: "allowlist" config_version: 2 # Description: @@ -165,7 +165,7 @@ requests: - PUT ``` -You can also add custom indices to the allow list. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add. +You can also add custom indices to the allow list. `allowlist.yml` doesn't support wildcards, so you must manually specify all of the indexes you want to add. ```yml requests: # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1 diff --git a/_troubleshoot/saml.md b/_troubleshoot/saml.md index 7191a82afc..103604a86c 100644 --- a/_troubleshoot/saml.md +++ b/_troubleshoot/saml.md @@ -45,12 +45,12 @@ The endpoint the OpenSearch Dashboards security plugin provides is: /_plugins/_security/saml/acs ``` -Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to whitelist all endpoints that they send requests to. Ensure that the ACS endpoint is listed. +Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to add all endpoints to the allow list that they send requests to. Ensure that the ACS endpoint is listed. -OpenSearch Dashboards also requires you to whitelist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`: +OpenSearch Dashboards also requires you to add this endpoint to the allow list. Make sure you have the following entry in `opensearch_dashboards.yml`: ``` -server.xsrf.whitelist: [/_plugins/_security/saml/acs] +server.xsrf.allowlist: [/_plugins/_security/saml/acs] ```