Admin and Super Admin (security admin) Documentation Update #7069
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
leanneeliatra
requested review from
hdhalter,
kolchfa-aws,
Naarcha-AWS,
vagimeli,
AMoo-Miki,
natebower,
dlvenable,
stephen-crawford and
epugh
as code owners
hdhalter
added
security
2 - In progress
1 task
|
@leanneeliatra - Is this ready for review? |
Hi @hdhalter it is still in progress at the moment, I will be adding some updates to this section of the docs today. Thanks a million. |
leanneeliatra
changed the title
|
This ticket is now ready for review. cc @hdhalter |
Signed-off-by: [email protected] <[email protected]>
Signed-off-by: [email protected] <[email protected]>
hdhalter
added
3 - Tech review
|
Apologies if I missed that last capitalisation link @hdhalter. All changes now integrated! Thanks. |
|
@Naarcha-AWS - Can you please take a final look at this? An editorial request has been submitted. Thanks! |
Naarcha-AWS
reviewed
May 29, 2024
Naarcha-AWS
reviewed
May 29, 2024
Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
reviewed
Jun 4, 2024
Naarcha-AWS
reviewed
Jun 4, 2024
Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
added
5 - Editorial review
natebower
requested changes
Jun 5, 2024
There was a problem hiding this comment.
@leanneeliatra @Naarcha-AWS Please see my comments and changes and tag me for approval on lines 265 and 274 in users-roles.md and 131 and 138 in security-admin.md. Thanks!
|
|
||
| #### Authentication of super admin role | ||
|
|
||
| Super admins are authenticated through certificates, not passwords. The necessary certificates are defined in the `admin_dn` section of the `opensearch.yml` file and must be signed with the same root CA to verify and connect it to the cluster. |
There was a problem hiding this comment.
Should this end in a colon? What is being shown in the following example?
_security/configuration/tls.md
Outdated
| @@ -128,14 +128,16 @@ If your node certificates have an Object ID (OID) identifier in the SAN section, | |||
|
|
|||
| ## Configuring admin certificates | |||
|
|
|||
| Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s): | |||
| Super admin certificates are regular client certificates that have elevated rights to perform administrative security and OpenSearch related tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Super admin certificates are configured in `opensearch.yml` by stating their DN(s): | |||
There was a problem hiding this comment.
"security and OpenSearch related tasks" is too vague and doesn't work here. Please revise for clarity.
_security/configuration/tls.md
Outdated
|
|
||
| ```yml | ||
| plugins.security.authcz.admin_dn: | ||
| - CN=admin,OU=SSL,O=Test,L=Test,C=DE | ||
| ``` | ||
|
|
||
| For security reasons, you can't use wildcards or regular expressions here. | ||
| For security reasons, you cannot use wildcards or regular expressions here. |
There was a problem hiding this comment.
Please replace "here" with a more precise expression.
Naarcha-AWS
reviewed
Jun 5, 2024
Naarcha-AWS
reviewed
Jun 5, 2024
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
reviewed
Jun 5, 2024
Signed-off-by: Naarcha-AWS <[email protected]>
natebower
approved these changes
Jun 5, 2024
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Naarcha-AWS
approved these changes
Jun 5, 2024
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Jun 5, 2024
* adding information about the admin and security admin roles Signed-off-by: [email protected] <[email protected]> * reviewdog fixes Signed-off-by: [email protected] <[email protected]> * updating admin priveleges documentation Signed-off-by: [email protected] <[email protected]> * admin and super admin documentation added and made clearer Signed-off-by: [email protected] <[email protected]> * review dog signoff Signed-off-by: [email protected] <[email protected]> * removing extra space Signed-off-by: [email protected] <[email protected]> * added further clarification for superAdmin certs Signed-off-by: [email protected] <[email protected]> * Apply suggestions from code review Co-authored-by: Heather Halter <[email protected]> Signed-off-by: leanneeliatra <[email protected]> * reviewdog address Signed-off-by: [email protected] <[email protected]> * Apply suggestions from code review Co-authored-by: Heather Halter <[email protected]> Signed-off-by: leanneeliatra <[email protected]> * calling out super admin where appropriate Signed-off-by: [email protected] <[email protected]> * capitalise linked reference Signed-off-by: [email protected] <[email protected]> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <[email protected]> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <[email protected]> * Apply suggestions from code review Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <[email protected]> * Apply suggestions from code review Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]> --------- Signed-off-by: [email protected] <[email protected]> Signed-off-by: leanneeliatra <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]> Co-authored-by: Heather Halter <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]> Co-authored-by: Nathan Bower <[email protected]> (cherry picked from commit 7dd0961) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The addition of supporting documentation to describe the Administration roles and their purposes in OpenSearch. This documentation update will cover the Admin and Super admin role in OpenSearch.
Issues Resolved
Closes [DOC]Add documentation to clarify differences between admin and super admin roles #4646
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.