fix(security): explicitly add keys required in security config (#6805)

Signed-off-by: shotor <[email protected]> Co-authored-by: Naarcha-AWS <[email protected]> (cherry picked from commit 301ca68) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Apr 1, 2024 · d478da3 · d478da3
1 parent 165ab0a
commit d478da3
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 100 deletions.
diff --git a/_security/authentication-backends/basic-authc.md b/_security/authentication-backends/basic-authc.md
@@ -12,17 +12,23 @@ redirect_from:
 HTTP basic authentication provides a simple challenge-and-response process for gaining access to OpenSearch and its resources that prompts you to sign in with a username and password. You enable HTTP basic authentication in the `http_authenticator` section of the configuration by specifying `type` as `basic`, as shown in the following example:
 
 ```yml
-authc:
-  basic_internal_auth_domain:
-    description: "Authenticate using HTTP basic against the internal users database"
-    http_enabled: true
-    transport_enabled: true
-    order: 1
-    http_authenticator:
-      type: basic
-      challenge: true
-    authentication_backend:
-      type: internal
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        description: "Authenticate using HTTP basic against the internal users database"
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: basic
+          challenge: true
+        authentication_backend:
+          type: internal
 ```
 
 Additionally, you can specify the internal user database as the authentication backend by specifying `internal` as the type for `authentication_backend`. See [The internal user database](#the-internal-user-database) for information about this backend.

diff --git a/_security/authentication-backends/openid-connect.md b/_security/authentication-backends/openid-connect.md
@@ -33,19 +33,26 @@ To integrate with an OpenID IdP, set up an authentication domain and choose `ope
 This is the minimal configuration:
 
 ```yml
-openid_auth_domain:
-  http_enabled: true
-  transport_enabled: true
-  order: 0
-  http_authenticator:
-    type: openid
-    challenge: false
-    config:
-      subject_key: preferred_username
-      roles_key: roles
-      openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
-  authentication_backend:
-    type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: openid
+          challenge: false
+          config:
+            subject_key: preferred_username
+            roles_key: roles
+            openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
+        authentication_backend:
+          type: noop
 ```
 
 The following table shows the configuration parameters.
@@ -370,26 +377,33 @@ Because OpenSearch Dashboards requires that the internal OpenSearch Dashboards s
 Modify and apply the following example settings in `config.yml`:
 
 ```yml
-basic_internal_auth_domain:
-  http_enabled: true
-  transport_enabled: true
-  order: 0
-  http_authenticator:
-    type: basic
-    challenge: false
-  authentication_backend:
-    type: internal
-openid_auth_domain:
-  http_enabled: true
-  transport_enabled: true
-  order: 1
-  http_authenticator:
-    type: openid
-    challenge: false
-    config:
-      subject_key: preferred_username
-      roles_key: roles
-      openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
-  authentication_backend:
-    type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: openid
+          challenge: false
+          config:
+            subject_key: preferred_username
+            roles_key: roles
+            openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
+        authentication_backend:
+          type: noop
 ```
diff --git a/_security/authentication-backends/saml.md b/_security/authentication-backends/saml.md
@@ -59,20 +59,26 @@ We provide a fully functional example that can help you understand how to use SA
 To use SAML for authentication, you need to configure a respective authentication domain in the `authc` section of `config/opensearch-security/config.yml`. Because SAML works solely on the HTTP layer, you do not need any `authentication_backend` and can set it to `noop`. Place all SAML-specific configuration options in this chapter in the `config` section of the SAML HTTP authenticator:
 
 ```yml
-authc:
-  saml_auth_domain:
-    http_enabled: true
-    transport_enabled: false
-    order: 1
-    http_authenticator:
-      type: saml
-      challenge: true
-      config:
-        idp:
-          metadata_file: okta.xml
-          ...
-    authentication_backend:
-      type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      saml_auth_domain:
+        http_enabled: true
+        transport_enabled: false
+        order: 1
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            idp:
+              metadata_file: okta.xml
+              ...
+        authentication_backend:
+          type: noop
 ```
 
 After you have configured SAML in `config.yml`, you must also [activate it in OpenSearch Dashboards](#opensearch-dashboards-configuration).
@@ -83,27 +89,33 @@ After you have configured SAML in `config.yml`, you must also [activate it in Op
 We recommend adding at least one other authentication domain, such as LDAP or the internal user database, to support API access to OpenSearch without SAML. For OpenSearch Dashboards and the internal OpenSearch Dashboards server user, you also must add another authentication domain that supports basic authentication. This authentication domain should be placed first in the chain, and the `challenge` flag must be set to `false`:
 
 ```yml
-authc:
-  basic_internal_auth_domain:
-    http_enabled: true
-    transport_enabled: true
-    order: 0
-    http_authenticator:
-      type: basic
-      challenge: false
-    authentication_backend:
-      type: internal
-  saml_auth_domain:
-    http_enabled: true
-    transport_enabled: false
-    order: 1
-    http_authenticator:
-      type: saml
-      challenge: true
-      config:
-        ...
-    authentication_backend:
-      type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      saml_auth_domain:
+        http_enabled: true
+        transport_enabled: false
+        order: 1
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            ...
+        authentication_backend:
+          type: noop
 ```
 
 
@@ -310,25 +322,31 @@ Name | Description
 The following example shows the minimal configuration:
 
 ```yml
-authc:
-  saml_auth_domain:
-    http_enabled: true
-    transport_enabled: false
-    order: 1
-    http_authenticator:
-      type: saml
-      challenge: true
-      config:
-        idp:
-          metadata_file: metadata.xml
-          entity_id: http://idp.example.com/
-        sp:
-          entity_id: https://opensearch-dashboards.example.com
-        kibana_url: https://opensearch-dashboards.example.com:5601/
-        roles_key: Role
-        exchange_key: 'peuvgOLrjzuhXf ...'
-    authentication_backend:
-      type: noop
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      saml_auth_domain:
+        http_enabled: true
+        transport_enabled: false
+        order: 1
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            idp:
+              metadata_file: metadata.xml
+              entity_id: http://idp.example.com/
+            sp:
+              entity_id: https://opensearch-dashboards.example.com
+            kibana_url: https://opensearch-dashboards.example.com:5601/
+            roles_key: Role
+            exchange_key: 'peuvgOLrjzuhXf ...'
+        authentication_backend:
+          type: noop
 ```
 
 ## OpenSearch Dashboards configuration