From de082465fabe845c1ee06a9060b87927ad051804 Mon Sep 17 00:00:00 2001
From: Rob W
Date: Mon, 4 Dec 2023 12:56:05 -0600
Subject: [PATCH] Delete data/opensearch/dashboards/config/opensearch.yml
---
.../dashboards/config/opensearch.yml | 228 ------------------
1 file changed, 228 deletions(-)
delete mode 100644 data/opensearch/dashboards/config/opensearch.yml
diff --git a/data/opensearch/dashboards/config/opensearch.yml b/data/opensearch/dashboards/config/opensearch.yml
deleted file mode 100644
index 3b4df645..00000000
--- a/data/opensearch/dashboards/config/opensearch.yml
+++ /dev/null
@@ -1,228 +0,0 @@ -############## OpenSearch Security configuration ############### - -########################################################### -# Add the following settings to your standard opensearch.yml -# alongside with the OpenSearch Security TLS settings. -# Settings must always be the same on all nodes in the cluster. - -############## Common configuration settings ############## - -# Specify a list of DNs which denote the other nodes in the cluster. -# This settings support wildcards and regular expressions -# The list of DNs are also read from security index **in addition** to the yml configuration if -# plugins.security.nodes_dn_dynamic_config_enabled is true. -# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. -plugins.security.nodes_dn: - - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE" - - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE" - -# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to -# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured -# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs -# which provide means to update/retrieve nodesdn dynamically. -# -# NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored -# in security index. -# (default: false) -# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. 
-plugins.security.nodes_dn_dynamic_config_enabled: false - -# Defines the DNs (distinguished names) of certificates -# to which admin privileges should be assigned (mandatory) -plugins.security.authcz.admin_dn: - - "CN=kirk,OU=client,O=client,l=tEst, C=De" - -# Define how backend roles should be mapped to Security roles -# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default) -# BACKENDROLES_ONLY - backend roles are mapped to Security roles directly. Settings in roles_mapping.yml have no effect. -# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition -plugins.security.roles_mapping_resolution: MAPPING_ONLY - -############## REST Management API configuration settings ############## -# Enable or disable role based access to the REST management API -# Default is that no role is allowed to access the REST management API. -#plugins.security.restapi.roles_enabled: ["all_access","xyz_role"] - -# Disable particular endpoints and their HTTP methods for roles. -# By default all endpoints/methods are allowed. 
-#plugins.security.restapi.endpoints_disabled..: -# Example: -#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"] -#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"] - -# The following endpoints exist: -# ACTIONGROUPS -# CACHE -# CONFIG -# ROLES -# ROLESMAPPING -# INTERNALUSERS -# SYSTEMINFO -# PERMISSIONSINFO - -############## Auditlog configuration settings ############## -# General settings - -# Enable/disable rest request logging (default: true) -#plugins.security.audit.enable_rest: true -# Enable/disable transport request logging (default: false) -#plugins.security.audit.enable_transport: false -# Enable/disable bulk request logging (default: false) -# If enabled all subrequests in bulk requests will be logged too -#plugins.security.audit.resolve_bulk_requests: false -# Disable some categories -#plugins.security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"] -# Disable some requests (wildcard or regex of actions or rest request paths) -#plugins.security.audit.ignore_requests: ["indices:data/read/*","*_bulk"] -# Tune threadpool size, default is 10 -#plugins.security.audit.threadpool.size: 10 -# Tune threadpool max size queue length, default is 100000 -#plugins.security.audit.threadpool.max_queue_len: 100000 - -# Ignore users, e.g. 
do not log audit requests from that users (default: no ignored users) -#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']" - -# Destination of the auditlog events -plugins.security.audit.type: internal_opensearch -#plugins.security.audit.type: external_opensearch -#plugins.security.audit.type: debug -#plugins.security.audit.type: webhook - -# external_opensearch settings -#plugins.security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']" -# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6') -#plugins.security.audit.config.index: auditlog6 # make sure you secure this index properly -#plugins.security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly -#plugins.security.audit.config.type: auditlog -#plugins.security.audit.config.username: auditloguser -#plugins.security.audit.config.password: auditlogpassword -#plugins.security.audit.config.enable_ssl: false -#plugins.security.audit.config.verify_hostnames: false -#plugins.security.audit.config.enable_ssl_client_auth: false -#plugins.security.audit.config.cert_alias: mycert -#plugins.security.audit.config.pemkey_filepath: key.pem -#plugins.security.audit.config.pemkey_content: <...pem base 64 content> -#plugins.security.audit.config.pemkey_password: secret -#plugins.security.audit.config.pemcert_filepath: cert.pem -#plugins.security.audit.config.pemcert_content: <...pem base 64 content> -#plugins.security.audit.config.pemtrustedcas_filepath: ca.pem -#plugins.security.audit.config.pemtrustedcas_content: <...pem base 64 content> - -# webhook settings -#plugins.security.audit.config.webhook.url: "http://mywebhook/endpoint" -# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK -#plugins.security.audit.config.webhook.format: JSON -#plugins.security.audit.config.webhook.ssl.verify: false 
-#plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem -#plugins.security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content> - -# log4j settings -#plugins.security.audit.config.log4j.logger_name: auditlogger -#plugins.security.audit.config.log4j.level: INFO - -############## Kerberos configuration settings ############## -# If Kerberos authentication should be used you have to configure: - -# The Path to the krb5.conf file -# Can be absolute or relative to the OpenSearch config directory -#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf' - -# The Path to the keytab where the acceptor_principal credentials are stored. -# Must be relative to the OpenSearch config directory -#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab' - -# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file -#plugins.security.kerberos.acceptor_principal: 'HTTP/localhost' - -############## Advanced configuration settings ############## -# Enable transport layer impersonation -# Allow DNs (distinguished names) to impersonate as other users -#plugins.security.authcz.impersonation_dn: -# "CN=spock,OU=client,O=client,L=Test,C=DE": -# - worf -# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com": -# - user2 -# - user1 - -# Enable rest layer impersonation -# Allow users to impersonate as other users -#plugins.security.authcz.rest_impersonation_user: -# "picard": -# - worf -# "john": -# - steve -# - martin - -# If this is set to true OpenSearch Security will automatically initialize the configuration index -# with the files in the config directory if the index does not exist. -# WARNING: This will use well-known default passwords. -# Use only in a private network/environment. -#plugins.security.allow_default_init_securityindex: false - -# If this is set to true then allow to startup with demo certificates. -# These are certificates issued by floragunn GmbH for demo purposes. 
-# WARNING: This certificates are well known and therefore unsafe -# Use only in a private network/environment. -#plugins.security.allow_unsafe_democertificates: false - - - -# Password strength rules for password complexity. -# If you want to set up password strength rules for internal users, you can use the below settings for it. -# Password validation rules can be configured through regex. In the below regex example, a user must need -# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character.  -# And a custom error message can be configured, in case if a password is not created according to the password strength rule.    -# plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}' -# plugins.security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character." - - -############## Expert settings ############## -# WARNING: Expert settings, do only use if you know what you are doing -# If you set wrong values here this this could be a security risk -# or make OpenSearch Security stop working - -# Name of the index where .opendistro_security stores its configuration. - -#plugins.security.config_index_name: .opendistro_security - -# This defines the OID of server node certificates -#plugins.security.cert.oid: '1.2.3.4.5.5' - -# This specifies the implementation of org.opensearch.security.transport.InterClusterRequestEvaluator -# that is used to determine inter-cluster request. 
-# Instances of org.opensearch.security.transport.InterClusterRequestEvaluator must implement a single argument -# constructor that takes an org.opensearch.common.settings.Settings -#plugins.security.cert.intercluster_request_evaluator_class: org.opensearch.security.transport.DefaultInterClusterRequestEvaluator - -# By default, normal users can restore snapshots if they have the priviliges 'cluster:admin/snapshot/restore', -# 'indices:admin/create', and 'indices:data/write/index' for the indices to be restored. -# To disable snapshot restore for normal users set 'plugins.security.enable_snapshot_restore_privilege: false'. -# This makes it so that only snapshot restore requests signed by an admin TLS certificate are accepted. -# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index -# If 'plugins.security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted. -#plugins.security.enable_snapshot_restore_privilege: true -#plugins.security.check_snapshot_restore_write_privileges: true - -# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60) -#plugins.security.cache.ttl_minutes: 60 - -# Disable OpenSearch Security -# WARNING: This can expose your configuration (including passwords) to the public. -#plugins.security.disabled: false - - -# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role -# to be visible, listed in the plugins.security.protected_indices.roles setting. -# Enable protected indices -# plugins.security.protected_indices.enabled: true -# Specify a list of roles a user must be member of to touch any protected index. -# plugins.security.protected_indices.roles: ['all_access'] -# Specify a list of indices to mark as protected. 
These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. -# plugins.security.protected_indices.indices: [] - -# System indices are similar to security index, except the contents are not encrypted. -# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices. -# Enable system indices -# plugins.security.system_indices.enabled: true -# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. -# plugins.security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opensearch-notifications-*', '.opensearch-notebooks', '.opensearch-observability', '.opendistro-asynchronous-search-response*', '.replication-metadata-store']