[DRAFT] Security feature SuperAdmin documentation updates #6927
Signed-off-by: [email protected] <[email protected]>
Hi @Naarcha-AWS & @hdhalter. I opened this ticket as a draft to get some input from you, please. I'm not sure if the file I have included these changes in is the right place for this addition to the documentation. Could you take a look and let me know, please? I am adding a section to the documentation to convey the addition of the SuperAdmin role. The SuperAdmin can add, update and delete the reserved configuration such as roles, roles_mapping, internal_users, action_groups and tenants. I have included these changes in the
Signed-off-by: [email protected] <[email protected]>
We reviewed these changes internally and I am currently in the process of understanding the original PR fully, so I can update the documentation appropriately.
I reached out to Hardik Shah via Slack to discuss the original PR in more depth.
|
||
The `superAdmin` role enables adding, updating, and deleting reserved configurations like roles, roles_mapping, internal_users, action_groups, and tenants. Previously, these configurations were loaded from default YAML files. Now, the `superAdmin` role now has the privilege to add, update, and delete by using API calls. | ||
|
||
### Example API calls: |
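Review bot: the last sentence of the `superAdmin` paragraph repeats "now" ("Now, the `superAdmin` role now has the privilege ...") and leaves "add, update, and delete" without an object; suggest "The `superAdmin` role can now add, update, and delete these configurations by using API calls." The paragraph also does not say how a caller is identified as `superAdmin`, which a reader needs to know before the example API calls that follow.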
Can we add more examples for roles_mapping, internal_users, action_groups, and tenants as well?
|
||
Adding a Reserved Configuration: | ||
``` | ||
curl -X PUT https://localhost:9200/_opendistro/_security/api/roles/new_role -k -H 'Content-Type: application/json' -d '{ |
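Review bot: the `curl` line passes `-k`, which turns off verification of the server's TLS certificate, and the visible part of the command carries no client certificate or credentials. For a documentation example that readers will copy, suggest verifying the server with `--cacert` instead of `-k`, showing how the caller's identity is supplied (for example with `--cert` and `--key`), and adding a language tag to the code fence.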
Also, doesn't the user need to pass the admin certificate when invoking this API, other than invoking locally from the node?
Without an identity passed to this API, the system won't know the caller is the super admin. The identity for the super admin was being passed as a client certificate with a DN name which is allowlisted in config.yml.
Can you verify that these work?
Thank you @hardik-k-shah for your comments, much appreciated. Still testing these changes locally to ensure correct documentation of the SuperAdmin.
@leanneeliatra - Do you want to close this PR in favor of #7069?
Hi @hdhalter, yes please. I can ensure all aspects are covered in 7069.
Closing in favor of #7069
Description
The SuperAdmin role was added and this will be added to the documentation.
Issues Resolved
One part of: [DOC] Missing documentation for security features #433. The part this PR addresses is: CRUD APIs for default configurations. (Default roles, users and role-mapping can be updated by super admin now).
The original PR for the work of this ticket can be found here: Added SuperAdmin check to allow update/delete/add of reserved config. This PR is concerned with adding the documentation to support the SuperAdmin addition.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.