From a874534f0cf6835cd5420eb31c84a3b9c6663c59 Mon Sep 17 00:00:00 2001 From: "leanne.laceybyrne@eliatra.com" Date: Tue, 9 Apr 2024 14:41:43 +0100 Subject: [PATCH 1/4] starting documentation for superadmin Signed-off-by: leanne.laceybyrne@eliatra.com --- _security/access-control/users-roles.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md index 687796d0c4..483489f1c9 100644 --- a/_security/access-control/users-roles.md +++ b/_security/access-control/users-roles.md @@ -215,3 +215,8 @@ Map the role to your user: 1. Choose the **Mapped users** tab and **Manage mapping**. 1. For **Internal users**, add your bulk access user. 1. Choose **Map**. + +### SuperAdmin role + +The superAdmin role can add, update and delete the reserved configuration such as roles, roles_mapping, internal_users, action_groups and tenants. +Till now, the reserved were loaded from the default configuration present in yml files and now superAdmin has the privileges to do the same. From f7bb2a1eccad4374a733df0297372f6bb8716844 Mon Sep 17 00:00:00 2001 From: "leanne.laceybyrne@eliatra.com" Date: Wed, 10 Apr 2024 12:06:16 +0100 Subject: [PATCH 2/4] adding settings from 'yaml.md' Signed-off-by: leanne.laceybyrne@eliatra.com --- _security/access-control/users-roles.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md index 483489f1c9..99cc2f64e9 100644 --- a/_security/access-control/users-roles.md +++ b/_security/access-control/users-roles.md
@@ -220,3 +220,17 @@ Map the role to your user: The superAdmin role can add, update and delete the reserved configuration such as roles, roles_mapping, internal_users, action_groups and tenants. Till now, the reserved were loaded from the default configuration present in yml files and now superAdmin has the privileges to do the same. + +In the `yaml.md` the super admin role may be activated or via CRUD operations. The section of the `yaml.md` related to the super admin is listed as follows. + +``` +# Description: +# enabled - feature flag. +# if enabled is false, all endpoints are accessible. +# if enabled is true, all users except the SuperAdmin can only submit the allowed requests to the specified endpoints. +# SuperAdmin can access all APIs. +# SuperAdmin is defined by the SuperAdmin certificate, which is configured with the opensearch.yml setting plugins.security.authcz.admin_dn: +# Refer to the example setting in opensearch.yml to learn more about configuring SuperAdmin. +# +# requests - map of allow listed endpoints and HTTP requests +``` \ No newline at end of file From 012d1978f7dbe8acfcea504e25fb3958382c9348 Mon Sep 17 00:00:00 2001 From: "leanne.laceybyrne@eliatra.com" Date: Wed, 10 Apr 2024 14:40:12 +0100 Subject: [PATCH 3/4] adding instructions for the superAdmin role Signed-off-by: leanne.laceybyrne@eliatra.com --- _security/access-control/users-roles.md | 46 +++++++++++++++++-------- 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md index 99cc2f64e9..cff677f37f 100644 --- a/_security/access-control/users-roles.md +++ b/_security/access-control/users-roles.md 
@@ -216,21 +216,39 @@ Map the role to your user: 1. For **Internal users**, add your bulk access user. 1. Choose **Map**. -### SuperAdmin role +## SuperAdmin role -The superAdmin role can add, update and delete the reserved configuration such as roles, roles_mapping, internal_users, action_groups and tenants. -Till now, the reserved were loaded from the default configuration present in yml files and now superAdmin has the privileges to do the same. +The SuperAdmin role enables adding, updating, and deleting reserved configurations like roles, roles_mapping, internal_users, action_groups, and tenants. Previously, these configurations were loaded from default YAML files. Now, the superAdmin role now has the privilege to add, update, and delete via API calls. -In the `yaml.md` the super admin role may be activated or via CRUD operations. The section of the `yaml.md` related to the super admin is listed as follows. +### Example API Calls: +Below are examples of API calls for SuperAdmin actions: +Adding a Reserved Configuration: ``` -# Description: -# enabled - feature flag. -# if enabled is false, all endpoints are accessible. -# if enabled is true, all users except the SuperAdmin can only submit the allowed requests to the specified endpoints. -# SuperAdmin can access all APIs. -# SuperAdmin is defined by the SuperAdmin certificate, which is configured with the opensearch.yml setting plugins.security.authcz.admin_dn: -# Refer to the example setting in opensearch.yml to learn more about configuring SuperAdmin. 
-# -# requests - map of allow listed endpoints and HTTP requests -``` \ No newline at end of file +curl -X PUT https://localhost:9200/_opendistro/_security/api/roles/new_role -k -H 'Content-Type: application/json' -d '{ + "reserved": true, + "description": "Description of the role", + "cluster_permissions": [], + "index_permissions": [], + "tenant_permissions": [] +}' +``` +{% include copy.html %} + +Updating a Reserved Configuration: +``` +curl -X PUT https://localhost:9200/_opendistro/_security/api/roles/new_role -k -H 'Content-Type: application/json' -d '{ + "reserved": true, + "description": "Updated description", + "cluster_permissions": [], + "index_permissions": [], + "tenant_permissions": [] +}' +``` +{% include copy.html %} + +Deleting a Reserved Configuration: +``` +curl -X DELETE https://localhost:9200/_opendistro/_security/api/roles/new_role -k +``` +{% include copy.html %} \ No newline at end of file From 2707a74d3c3ed1204f1d192df072a223ce5e083c Mon Sep 17 00:00:00 2001 From: "leanne.laceybyrne@eliatra.com" Date: Wed, 10 Apr 2024 14:46:07 +0100 Subject: [PATCH 4/4] datadog issues addressed Signed-off-by: leanne.laceybyrne@eliatra.com --- _security/access-control/users-roles.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md index cff677f37f..6b954fc8a4 100644 --- a/_security/access-control/users-roles.md +++ b/_security/access-control/users-roles.md 
@@ -218,10 +218,10 @@ Map the role to your user: ## SuperAdmin role -The SuperAdmin role enables adding, updating, and deleting reserved configurations like roles, roles_mapping, internal_users, action_groups, and tenants. Previously, these configurations were loaded from default YAML files. Now, the superAdmin role now has the privilege to add, update, and delete via API calls. +The `superAdmin` role enables adding, updating, and deleting reserved configurations like roles, roles_mapping, internal_users, action_groups, and tenants. Previously, these configurations were loaded from default YAML files. Now, the `superAdmin` role now has the privilege to add, update, and delete by using API calls. -### Example API Calls: -Below are examples of API calls for SuperAdmin actions: +### Example API calls: +Following are examples of API calls for `superAdmin` actions: Adding a Reserved Configuration: ```
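
Review bot: In [PATCH 1/4], the second added sentence ("Till now, the reserved were loaded from the default configuration present in yml files") uses "reserved" as a noun without saying what a reserved configuration is or which yml files are meant, and the body writes "superAdmin" while the heading writes "SuperAdmin". Suggest defining "reserved" once before listing roles, roles_mapping, internal_users, action_groups and tenants, naming the files, and settling on one spelling for the role.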
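
Review bot: In [PATCH 2/4], the sentence that introduces the block ("In the `yaml.md` the super admin role may be activated or via CRUD operations") is missing a word after "activated or" and points readers at `yaml.md`, which by its extension and the commit subject is a documentation page rather than a configuration file. The quoted comments describe an `enabled` feature flag and a `requests` allow list that restrict every user except the SuperAdmin, so the prose should name the configuration file those comments come from and say that the flag limits other users rather than activating a role. The comment stating that SuperAdmin is defined by the certificate configured with `plugins.security.authcz.admin_dn` is the key security fact in this hunk and deserves a sentence of its own in the text. The fence has no language tag and the file ends without a newline.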
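
Review bot: In [PATCH 3/4], none of the three curl examples presents a client certificate or any other credential, and the same hunk deletes the only text saying that SuperAdmin is defined by the certificate configured with `plugins.security.authcz.admin_dn`, so a reader cannot tell how these requests are authorized as SuperAdmin. Suggest keeping that explanation in prose and passing the admin certificate and key with curl's `--cert` and `--key` options. Every example also passes `-k`, which turns off server certificate verification; on a security page, `--cacert` with the cluster CA is the better default. The "Adding" and "Updating" examples are the same PUT to the same URL with only the description changed, so either state that PUT creates or replaces the role, or fold them into one example. The new first paragraph reads "Now, the superAdmin role now has", and the file still ends without a newline.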
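
Review bot: In [PATCH 4/4], wrapping `superAdmin` in code formatting presents it as a literal role name, while the heading on the context line still reads "SuperAdmin role" and nothing in the section shows a role with that name being defined or mapped. Suggest one plain-text spelling unless there is a literal identifier to cite. The rewritten sentence still reads "Now, the `superAdmin` role now has"; drop one "now". The heading "### Example API calls:" keeps its trailing colon and the context line "Adding a Reserved Configuration:" stays in title case, so the sentence-case cleanup is only half applied.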