From 22b59f2d66a129f5d40951c6b5ab8cda8d7ca6da Mon Sep 17 00:00:00 2001 From: Sayali Gaikawad <61760125+gaiksaya@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:44:57 -0800 Subject: [PATCH] Add security configuration for access and permissions (#140) Signed-off-by: Sayali Gaikawad --- .../lib/nightly-playground-stack.ts | 6 + .../resources/security-config/config.yml | 250 ++++++++++++ .../resources/security-config/roles.yml | 365 ++++++++++++++++++ .../security-config/roles_mapping.yml | 51 +++ .../test/nightly-playground.test.ts | 33 +- 5 files changed, 704 insertions(+), 1 deletion(-) create mode 100644 nightly-playground/resources/security-config/config.yml create mode 100644 nightly-playground/resources/security-config/roles.yml create mode 100644 nightly-playground/resources/security-config/roles_mapping.yml diff --git a/nightly-playground/lib/nightly-playground-stack.ts b/nightly-playground/lib/nightly-playground-stack.ts index 4e51852..f83f84e 100644 --- a/nightly-playground/lib/nightly-playground-stack.ts +++ b/nightly-playground/lib/nightly-playground-stack.ts @@ -27,6 +27,10 @@ export class NightlyPlaygroundStack { throw new Error('dashboardsUrl parameter cannot be empty! Please provide the OpenSearch-Dashboards distribution URL'); } + const securtityConfig = '{ "resources/security-config/config.yml" : "opensearch/config/opensearch-security/config.yml", ' + + '"resources/security-config/roles_mapping.yml" : "opensearch/config/opensearch-security/roles_mapping.yml", ' + + '"resources/security-config/roles.yml" : "opensearch/config/opensearch-security/roles.yml"}'; + // @ts-ignore const networkStack = new NetworkStack(scope, `networkStack-${id}`, { ...props, @@ -49,6 +53,8 @@ export class NightlyPlaygroundStack { distributionUrl, singleNodeCluster: false, dashboardsUrl, + customConfigFiles: securtityConfig, + additionalOsdConfig: '{"opensearch_security.auth.anonymous_auth_enabled": "true"}', }); this.stacks.push(infraStack); 
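Review bot: `securtityConfig` is misspelled at its declaration and at its use in the second hunk, and the value is a JSON document assembled by concatenating three quoted fragments, where one stray quote or comma silently breaks the mapping. Assuming `customConfigFiles` is parsed as JSON rather than compared as text (its consumer is not in this diff), building an object literal and serializing it is both safer and fixes the name. The enclosing constructor starts before the hunk.
```typescript
const securityConfig = JSON.stringify({
  'resources/security-config/config.yml': 'opensearch/config/opensearch-security/config.yml',
  'resources/security-config/roles_mapping.yml': 'opensearch/config/opensearch-security/roles_mapping.yml',
  'resources/security-config/roles.yml': 'opensearch/config/opensearch-security/roles.yml',
});
// … unchanged: networkStack construction …
```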
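Review bot: `additionalOsdConfig` switches on anonymous authentication in Dashboards while the bundled config.yml does the same on the OpenSearch side, so every unauthenticated visitor is served as `opendistro_security_anonymous_role`, which roles.yml in this commit grants `read` on index pattern `*`. That is presumably deliberate for a public playground, but nothing at the call site says so, and a later reader may "fix" it; a comment such as `// Anonymous auth is intentionally enabled on both OpenSearch and Dashboards: the playground is a public, read-only endpoint` on the line above `customConfigFiles` would pin the intent. The value `"true"` is passed as a string; whether the Dashboards config loader coerces it is not visible here and worth confirming. The enclosing constructor starts before the hunk.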
diff --git a/nightly-playground/resources/security-config/config.yml b/nightly-playground/resources/security-config/config.yml
new file mode 100644
index 0000000..d0f7b4c
--- /dev/null
+++ b/nightly-playground/resources/security-config/config.yml
@@ -0,0 +1,250 @@
+---
+
+# This is the main OpenSearch Security configuration file where authentication
+# and authorization is defined.
+#
+# You need to configure at least one authentication domain in the authc of this file.
+# An authentication domain is responsible for extracting the user credentials from
+# the request and for validating them against an authentication backend like Active Directory for example.
+#
+# If more than one authentication domain is configured the first one which succeeds wins.
+# If all authentication domains fail then the request is unauthenticated.
+# In this case an exception is thrown and/or the HTTP status is set to 401.
+#
+# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
+# the roles from a given backend for the authenticated user.
+#
+# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
+# http_enabled: true
+# transport_enabled: true
+#
+# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
+# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
+# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous"
+# and one role named "anonymous_backendrole".
+# If you enable anonymous authentication all HTTP authenticators will not challenge.
+#
+#
+# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
+# first and the challenging one last.
+# Because it's not possible to challenge a client with two different authentication methods (for example
+# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
+# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
+# +# Default value of the challenge flag is true. +# +# +# HTTP +# basic (challenging) +# proxy (not challenging, needs xff) +# kerberos (challenging) +# clientcert (not challenging, needs https) +# jwt (not challenging) +# host (not challenging) #DEPRECATED, will be removed in a future version. +# host based authentication is configurable in roles_mapping + +# Authc +# internal +# noop +# ldap + +# Authz +# ldap +# noop + + + +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + #kibana: + # Kibana multitenancy + #multitenancy_enabled: true + #private_tenant_enabled: true + #default_tenant: "" + #server_username: kibanaserver + #index: '.kibana' + http: + anonymous_auth_enabled: true + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + 
type: noop + basic_internal_auth_domain: + description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + jwt_clock_skew_tolerance_seconds: 30 + roles_key: null + subject_key: null + authentication_backend: + type: noop + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in 
the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) 
+ resolve_nested_roles: true
+ userbase: 'ou=people,dc=example,dc=com'
+ # Filter to search for users (currently in the whole subtree beneath userbase)
+ # {0} is substituted with the username
+ usersearch: '(uid={0})'
+ # Skip users matching a user name, a wildcard or a regex pattern
+ #skip_users:
+ # - 'cn=Michael Jackson,ou*people,o=TEST'
+ # - '/\S*/'
+ roles_from_another_ldap:
+ description: "Authorize via another Active Directory"
+ http_enabled: false
+ transport_enabled: false
+ authorization_backend:
+ type: ldap
+ #config goes here ...
+ # auth_failure_listeners:
+ # ip_rate_limiting:
+ # type: ip
+ # allowed_tries: 10
+ # time_window_seconds: 3600
+ # block_expiry_seconds: 600
+ # max_blocked_clients: 100000
+ # max_tracked_clients: 100000
+ # internal_authentication_backend_limiting:
+ # type: username
+ # authentication_backend: intern
+ # allowed_tries: 10
+ # time_window_seconds: 3600
+ # block_expiry_seconds: 600
+ # max_blocked_clients: 100000
+ # max_tracked_clients: 100000
diff --git a/nightly-playground/resources/security-config/roles.yml b/nightly-playground/resources/security-config/roles.yml
new file mode 100644
index 0000000..b3b69f5
--- /dev/null
+++ b/nightly-playground/resources/security-config/roles.yml
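Review bot: The `auth_failure_listeners` block at the end of the file is left commented out, so the `basic_internal_auth_domain` this file enables has no limit on failed logins against the internal user database; on a cluster that is meant to be reachable anonymously from the internet, the `ip_rate_limiting` listener is the brute-force mitigation the plugin already provides and costs nothing to switch on with the values already present in the comment. Separately, the file's own header states that enabling anonymous auth stops HTTP authenticators from challenging, so `challenge: true` on the basic domain is effectively inert and API clients must send the Authorization header up front — a one-line comment next to `anonymous_auth_enabled: true` saying so would save the next person a debugging session.
```yaml
# … unchanged: authc / authz domains …
    auth_failure_listeners:
      ip_rate_limiting:
        type: ip
        allowed_tries: 10
        time_window_seconds: 3600
        block_expiry_seconds: 600
        max_blocked_clients: 100000
        max_tracked_clients: 100000
```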
@@ -0,0 +1,365 @@ +--- +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + - 'cluster:admin/opensearch/alerting/findings/get' + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/alerting/*' + - 'cluster:admin/opensearch/alerting/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allow users to read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/tasks/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/result/topAnomalies' + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 
'cluster:admin/opendistro/ad/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allow users to execute read only k-NN actions +knn_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_stats_action' + +# Allow users to use all k-NN functionality +knn_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_training_model_action' + - 'cluster:admin/knn_training_job_router_action' + - 'cluster:admin/knn_training_job_route_decision_info_action' + - 'cluster:admin/knn_warmup_action' + - 'cluster:admin/knn_delete_model_action' + - 'cluster:admin/knn_remove_model_from_cache_action' + - 'cluster:admin/knn_update_model_graveyard_action' + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_stats_action' + +# Allows users to read Notebooks +notebooks_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/get' + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/update' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + +# Allows users to read observability objects +observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all Observability functionality +observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/update' + - 'cluster:admin/opensearch/observability/delete' + - 
'cluster:admin/opensearch/observability/get' + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to read and download Reports and Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to all Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:data/read/search*' + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' + +# Allows user to use all index_management actions - ism policies, rollups, transforms +index_management_full_access: + reserved: true + cluster_permissions: + - 
"cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + - "cluster:admin/opensearch/notifications/feature/publish" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + +# Allows users to use all cross cluster replication functionality at leader cluster +cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - "indices:data/read/plugins/replication/file_chunk" + +# Allows users to use all cross cluster replication functionality at follower cluster +cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/write/plugins/replication/changes" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:admin/plugins/replication/index/status_check" + +# Allow users to read ML stats/models/tasks +ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/stats/nodes' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + +# Allows users to use all ML functionality +ml_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opensearch/ml/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + +# 
Allows users to use all Notifications functionality +notifications_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/*' + +# Allows users to read Notifications config/channels +notifications_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/configs/get' + - 'cluster:admin/opensearch/notifications/features' + - 'cluster:admin/opensearch/notifications/channels/get' + +# Allows users to use all snapshot management functionality +snapshot_management_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + - 'cluster:admin/repository/*' + - 'cluster:admin/snapshot/*' + +# Allows users to see snapshots, repositories, and snapshot management policies +snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + +# Allows user to use point in time functionality +point_in_time_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'manage_point_in_time' + +# Allows users to see security analytics detectors and others +security_analytics_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/get' + - 'cluster:admin/opensearch/securityanalytics/detector/get' + - 'cluster:admin/opensearch/securityanalytics/detector/search' + - 'cluster:admin/opensearch/securityanalytics/findings/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' + - 'cluster:admin/opensearch/securityanalytics/rule/get' + - 
'cluster:admin/opensearch/securityanalytics/rule/search' + +# Allows users to use all security analytics functionality +security_analytics_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + - 'cluster:admin/opensearch/securityanalytics/detector/*' + - 'cluster:admin/opensearch/securityanalytics/findings/*' + - 'cluster:admin/opensearch/securityanalytics/mapping/*' + - 'cluster:admin/opensearch/securityanalytics/rule/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mapping/put' + - 'indices:admin/mappings/get' + +# Allows users to view and acknowledge alerts +security_analytics_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + +opendistro_security_anonymous_role: + reserved: true + cluster_permissions: + - 'cluster:monitor/state' + - 'cluster:monitor/health' + - 'cluster:monitor/nodes/info' + index_permissions: + - index_patterns: + - ".kibana" + - ".kibana-6" + - ".kibana_*" + - ".opensearch_dashboards" + - ".opensearch_dashboards-6" + - ".opensearch_dashboards_*" + allowed_actions: + - "read" + - index_patterns: + - ".tasks" + - ".management-beats" + - "*:.tasks" + - "*:.management-beats" + allowed_actions: + - "read" + - index_patterns: + - 'opensearch_dashboards_sample_data_logs' + - 'opensearch_dashboards_sample_data_flights' + - 'opensearch_dashboards_sample_data_ecommerce' + allowed_actions: + - "read" + - index_patterns: + - '*' + allowed_actions: + - "read" + - "indices:data/read/mget" + - "indices:data/read/msearch" + - "indices:data/read/mtv" + - "indices:admin/get" + - "indices:admin/aliases/exists*" + - "indices:admin/aliases/get*" + - "indices:admin/mappings/get" + - "indices:data/read/scroll" + - "indices:monitor/settings/get" + - "indices:monitor/stats" + tenant_permissions: + - tenant_patterns: + - 'global_tenant' + allowed_actions: + - "kibana_all_read" 
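Review bot: `opendistro_security_anonymous_role` ends with an `index_patterns: '*'` entry that grants `read`, `indices:admin/get`, `indices:admin/aliases/get*`, `indices:admin/mappings/get`, `indices:monitor/settings/get` and `indices:monitor/stats` on every index, so anything written into this cluster — mappings and index settings included — becomes readable without credentials, and the three narrower blocks above it (`.kibana*`/`.opensearch_dashboards*`, `.tasks`/`.management-beats`, the sample-data indices) are subsumed by it and no longer restrict anything. If read-everything is the intent for a public playground, say so on the role, e.g. `# Deliberately read-everything: public nightly playground; the '*' block below makes the preceding patterns redundant`; if not, dropping the `'*'` block and keeping the sample-data block is the smaller change. `tenant_permissions` granting `kibana_all_read` on `global_tenant` only is consistent with a read-only visitor.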
diff --git a/nightly-playground/resources/security-config/roles_mapping.yml b/nightly-playground/resources/security-config/roles_mapping.yml
new file mode 100644
index 0000000..35716dc
--- /dev/null
+++ b/nightly-playground/resources/security-config/roles_mapping.yml
@@ -0,0 +1,51 @@
+---
+# In this file users, backendroles and hosts can be mapped to Security roles.
+# Permissions for OpenSearch roles are configured in roles.yml
+
+_meta:
+ type: "rolesmapping"
+ config_version: 2
+
+# Define your roles mapping here
+opendistro_security_anonymous_role:
+ backend_roles:
+ - "opendistro_security_anonymous_backendrole"
+## Demo roles mapping
+
+all_access:
+ reserved: false
+ backend_roles:
+ - "admin"
+ description: "Maps admin to all_access"
+
+own_index:
+ reserved: false
+ users:
+ - "*"
+ description: "Allow full access to an index named like the username"
+
+logstash:
+ reserved: false
+ backend_roles:
+ - "logstash"
+
+kibana_user:
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ description: "Maps kibanauser to kibana_user"
+
+readall:
+ reserved: false
+ backend_roles:
+ - "readall"
+
+manage_snapshots:
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+
+kibana_server:
+ reserved: true
+ users:
+ - "kibanaserver"
diff --git a/nightly-playground/test/nightly-playground.test.ts b/nightly-playground/test/nightly-playground.test.ts
index f797c8c..48f5b1e 100644
--- a/nightly-playground/test/nightly-playground.test.ts
+++ b/nightly-playground/test/nightly-playground.test.ts
@@ -9,7 +9,7 @@ import { App } from 'aws-cdk-lib';
 import { Template } from 'aws-cdk-lib/assertions';
 import { NightlyPlaygroundStack } from '../lib/nightly-playground-stack';
 
-test('Ensure security is always enabled', () => {
+test('Ensure security is always enabled with custom role mapping', () => {
 const app = new App({
 context: {
 distVersion: '2.3.0',
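Review bot: Apart from the new `opendistro_security_anonymous_role` mapping, the file carries the demo mappings unchanged under `## Demo roles mapping`, including `own_index` mapped to `users: "*"` and `all_access` mapped to the `admin` backend role. This commit ships no `internal_users.yml`, so which internal users hold those backend roles presumably comes from the distribution's default demo users — worth confirming, since on a public endpoint those accounts would sit next to the anonymous role. A short comment per mapping stating whether the playground relies on it, or removing the ones it does not, would make the intended access set auditable; for example `# Demo mappings below are inherited from the default configuration; only <NAME-OF-USED-MAPPING> is exercised by the playground` with the placeholder filled in.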
@@ -32,6 +32,37 @@ test('Ensure security is always enabled', () => { Port: 443, Protocol: 'TCP', }); + infraTemplate.hasResource('AWS::AutoScaling::AutoScalingGroup', { + /* eslint-disable max-len */ + Metadata: { + 'AWS::CloudFormation::Init': { + config: { + commands: { + '009': { + command: 'set -ex; echo "_meta:\n type: config\n config_version: 2\nconfig:\n dynamic:\n http:\n anonymous_auth_enabled: true\n xff:\n enabled: false\n internalProxies: 192\\.168\\.0\\.10|192\\.168\\.0\\.11\n authc:\n kerberos_auth_domain:\n http_enabled: false\n transport_enabled: false\n order: 6\n http_authenticator:\n type: kerberos\n challenge: true\n config:\n krb_debug: false\n strip_realm_from_principal: true\n authentication_backend:\n type: noop\n basic_internal_auth_domain:\n description: Authenticate via HTTP Basic against internal users database\n http_enabled: true\n transport_enabled: true\n order: 4\n http_authenticator:\n type: basic\n challenge: true\n authentication_backend:\n type: intern\n proxy_auth_domain:\n description: Authenticate via proxy\n http_enabled: false\n transport_enabled: false\n order: 3\n http_authenticator:\n type: proxy\n challenge: false\n config:\n user_header: x-proxy-user\n roles_header: x-proxy-roles\n authentication_backend:\n type: noop\n jwt_auth_domain:\n description: Authenticate via Json Web Token\n http_enabled: false\n transport_enabled: false\n order: 0\n http_authenticator:\n type: jwt\n challenge: false\n config:\n signing_key: base64 encoded HMAC key or public RSA/ECDSA pem key\n jwt_header: Authorization\n jwt_url_parameter: null\n jwt_clock_skew_tolerance_seconds: 30\n roles_key: null\n subject_key: null\n authentication_backend:\n type: noop\n clientcert_auth_domain:\n description: Authenticate via SSL client certificates\n http_enabled: false\n transport_enabled: false\n order: 2\n http_authenticator:\n type: clientcert\n config:\n username_attribute: cn\n challenge: false\n authentication_backend:\n type: noop\n ldap:\n 
description: Authenticate via LDAP or Active Directory\n http_enabled: false\n transport_enabled: false\n order: 5\n http_authenticator:\n type: basic\n challenge: false\n authentication_backend:\n type: ldap\n config:\n enable_ssl: false\n enable_start_tls: false\n enable_ssl_client_auth: false\n verify_hostnames: true\n hosts:\n - localhost:8389\n bind_dn: null\n password: null\n userbase: ou=people,dc=example,dc=com\n usersearch: (sAMAccountName={0})\n username_attribute: null\n authz:\n roles_from_myldap:\n description: Authorize via LDAP or Active Directory\n http_enabled: false\n transport_enabled: false\n authorization_backend:\n type: ldap\n config:\n enable_ssl: false\n enable_start_tls: false\n enable_ssl_client_auth: false\n verify_hostnames: true\n hosts:\n - localhost:8389\n bind_dn: null\n password: null\n rolebase: ou=groups,dc=example,dc=com\n rolesearch: (member={0})\n userroleattribute: null\n userrolename: disabled\n rolename: cn\n resolve_nested_roles: true\n userbase: ou=people,dc=example,dc=com\n usersearch: (uid={0})\n roles_from_another_ldap:\n description: Authorize via another Active Directory\n http_enabled: false\n transport_enabled: false\n authorization_backend:\n type: ldap\n" > opensearch/config/opensearch-security/config.yml', + cwd: '/home/ec2-user', + ignoreErrors: false, + }, + '010': { + command: "set -ex; echo \"_meta:\n type: rolesmapping\n config_version: 2\nopendistro_security_anonymous_role:\n backend_roles:\n - opendistro_security_anonymous_backendrole\nall_access:\n reserved: false\n backend_roles:\n - admin\n description: Maps admin to all_access\nown_index:\n reserved: false\n users:\n - '*'\n description: Allow full access to an index named like the username\nlogstash:\n reserved: false\n backend_roles:\n - logstash\nkibana_user:\n reserved: false\n backend_roles:\n - kibanauser\n description: Maps kibanauser to kibana_user\nreadall:\n reserved: false\n backend_roles:\n - readall\nmanage_snapshots:\n reserved: false\n 
backend_roles:\n - snapshotrestore\nkibana_server:\n reserved: true\n users:\n - kibanaserver\n\" > opensearch/config/opensearch-security/roles_mapping.yml", + cwd: '/home/ec2-user', + ignoreErrors: false, + }, + '011': { + command: "set -ex; echo \"_meta:\n type: roles\n config_version: 2\nkibana_read_only:\n reserved: true\nsecurity_rest_api_access:\n reserved: true\nalerting_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/alerting/alerts/get\n - cluster:admin/opendistro/alerting/destination/get\n - cluster:admin/opendistro/alerting/monitor/get\n - cluster:admin/opendistro/alerting/monitor/search\n - cluster:admin/opensearch/alerting/findings/get\nalerting_ack_alerts:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/alerting/alerts/*\nalerting_full_access:\n reserved: true\n cluster_permissions:\n - cluster_monitor\n - cluster:admin/opendistro/alerting/*\n - cluster:admin/opensearch/alerting/*\n - cluster:admin/opensearch/notifications/feature/publish\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices_monitor\n - indices:admin/aliases/get\n - indices:admin/mappings/get\nanomaly_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/ad/detector/info\n - cluster:admin/opendistro/ad/detector/search\n - cluster:admin/opendistro/ad/detectors/get\n - cluster:admin/opendistro/ad/result/search\n - cluster:admin/opendistro/ad/tasks/search\n - cluster:admin/opendistro/ad/detector/validate\n - cluster:admin/opendistro/ad/result/topAnomalies\nanomaly_full_access:\n reserved: true\n cluster_permissions:\n - cluster_monitor\n - cluster:admin/opendistro/ad/*\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices_monitor\n - indices:admin/aliases/get\n - indices:admin/mappings/get\nknn_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/knn_search_model_action\n - cluster:admin/knn_get_model_action\n - 
cluster:admin/knn_stats_action\nknn_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/knn_training_model_action\n - cluster:admin/knn_training_job_router_action\n - cluster:admin/knn_training_job_route_decision_info_action\n - cluster:admin/knn_warmup_action\n - cluster:admin/knn_delete_model_action\n - cluster:admin/knn_remove_model_from_cache_action\n - cluster:admin/knn_update_model_graveyard_action\n - cluster:admin/knn_search_model_action\n - cluster:admin/knn_get_model_action\n - cluster:admin/knn_stats_action\nnotebooks_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/notebooks/list\n - cluster:admin/opendistro/notebooks/get\nnotebooks_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/notebooks/create\n - cluster:admin/opendistro/notebooks/update\n - cluster:admin/opendistro/notebooks/delete\n - cluster:admin/opendistro/notebooks/get\n - cluster:admin/opendistro/notebooks/list\nobservability_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/observability/get\nobservability_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/observability/create\n - cluster:admin/opensearch/observability/update\n - cluster:admin/opensearch/observability/delete\n - cluster:admin/opensearch/observability/get\nreports_instances_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/reports/instance/list\n - cluster:admin/opendistro/reports/instance/get\n - cluster:admin/opendistro/reports/menu/download\nreports_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/reports/definition/get\n - cluster:admin/opendistro/reports/definition/list\n - cluster:admin/opendistro/reports/instance/list\n - cluster:admin/opendistro/reports/instance/get\n - cluster:admin/opendistro/reports/menu/download\nreports_full_access:\n reserved: true\n cluster_permissions:\n - 
cluster:admin/opendistro/reports/definition/create\n - cluster:admin/opendistro/reports/definition/update\n - cluster:admin/opendistro/reports/definition/on_demand\n - cluster:admin/opendistro/reports/definition/delete\n - cluster:admin/opendistro/reports/definition/get\n - cluster:admin/opendistro/reports/definition/list\n - cluster:admin/opendistro/reports/instance/list\n - cluster:admin/opendistro/reports/instance/get\n - cluster:admin/opendistro/reports/menu/download\nasynchronous_search_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/asynchronous_search/*\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices:data/read/search*\nasynchronous_search_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/asynchronous_search/get\nindex_management_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opendistro/ism/*\n - cluster:admin/opendistro/rollup/*\n - cluster:admin/opendistro/transform/*\n - cluster:admin/opensearch/notifications/feature/publish\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices:admin/opensearch/ism/*\ncross_cluster_replication_leader_full_access:\n reserved: true\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices:admin/plugins/replication/index/setup/validate\n - indices:data/read/plugins/replication/changes\n - indices:data/read/plugins/replication/file_chunk\ncross_cluster_replication_follower_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/plugins/replication/autofollow/update\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices:admin/plugins/replication/index/setup/validate\n - indices:data/write/plugins/replication/changes\n - indices:admin/plugins/replication/index/start\n - indices:admin/plugins/replication/index/pause\n - indices:admin/plugins/replication/index/resume\n - indices:admin/plugins/replication/index/stop\n - 
indices:admin/plugins/replication/index/update\n - indices:admin/plugins/replication/index/status_check\nml_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/ml/stats/nodes\n - cluster:admin/opensearch/ml/models/get\n - cluster:admin/opensearch/ml/models/search\n - cluster:admin/opensearch/ml/tasks/get\n - cluster:admin/opensearch/ml/tasks/search\nml_full_access:\n reserved: true\n cluster_permissions:\n - cluster_monitor\n - cluster:admin/opensearch/ml/*\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices_monitor\nnotifications_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/notifications/*\nnotifications_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/notifications/configs/get\n - cluster:admin/opensearch/notifications/features\n - cluster:admin/opensearch/notifications/channels/get\nsnapshot_management_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/snapshot_management/*\n - cluster:admin/opensearch/notifications/feature/publish\n - cluster:admin/repository/*\n - cluster:admin/snapshot/*\nsnapshot_management_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/snapshot_management/policy/get\n - cluster:admin/opensearch/snapshot_management/policy/search\n - cluster:admin/opensearch/snapshot_management/policy/explain\n - cluster:admin/repository/get\n - cluster:admin/snapshot/get\npoint_in_time_full_access:\n reserved: true\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - manage_point_in_time\nsecurity_analytics_read_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/securityanalytics/alerts/get\n - cluster:admin/opensearch/securityanalytics/detector/get\n - cluster:admin/opensearch/securityanalytics/detector/search\n - cluster:admin/opensearch/securityanalytics/findings/get\n - 
cluster:admin/opensearch/securityanalytics/mapping/get\n - cluster:admin/opensearch/securityanalytics/mapping/view/get\n - cluster:admin/opensearch/securityanalytics/rule/get\n - cluster:admin/opensearch/securityanalytics/rule/search\nsecurity_analytics_full_access:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/securityanalytics/alerts/*\n - cluster:admin/opensearch/securityanalytics/detector/*\n - cluster:admin/opensearch/securityanalytics/findings/*\n - cluster:admin/opensearch/securityanalytics/mapping/*\n - cluster:admin/opensearch/securityanalytics/rule/*\n index_permissions:\n - index_patterns:\n - '*'\n allowed_actions:\n - indices:admin/mapping/put\n - indices:admin/mappings/get\nsecurity_analytics_ack_alerts:\n reserved: true\n cluster_permissions:\n - cluster:admin/opensearch/securityanalytics/alerts/*\nopendistro_security_anonymous_role:\n reserved: true\n cluster_permissions:\n - cluster:monitor/state\n - cluster:monitor/health\n - cluster:monitor/nodes/info\n index_permissions:\n - index_patterns:\n - .kibana\n - .kibana-6\n - .kibana_*\n - .opensearch_dashboards\n - .opensearch_dashboards-6\n - .opensearch_dashboards_*\n allowed_actions:\n - read\n - index_patterns:\n - .tasks\n - .management-beats\n - '*:.tasks'\n - '*:.management-beats'\n allowed_actions:\n - read\n - index_patterns:\n - opensearch_dashboards_sample_data_logs\n - opensearch_dashboards_sample_data_flights\n - opensearch_dashboards_sample_data_ecommerce\n allowed_actions:\n - read\n - index_patterns:\n - '*'\n allowed_actions:\n - read\n - indices:data/read/mget\n - indices:data/read/msearch\n - indices:data/read/mtv\n - indices:admin/get\n - indices:admin/aliases/exists*\n - indices:admin/aliases/get*\n - indices:admin/mappings/get\n - indices:data/read/scroll\n - indices:monitor/settings/get\n - indices:monitor/stats\n tenant_permissions:\n - tenant_patterns:\n - global_tenant\n allowed_actions:\n - kibana_all_read\n\" > 
opensearch/config/opensearch-security/roles.yml",
+ cwd: '/home/ec2-user',
+ ignoreErrors: false,
+ },
+ '015': {
+ command: "set -ex;cd opensearch-dashboards; echo \"opensearch_security.auth.anonymous_auth_enabled: 'true'\n\">>config/opensearch_dashboards.yml",
+ cwd: '/home/ec2-user',
+ ignoreErrors: false,
+ },
+ },
+ },
+ },
+ },
+ });
 });
 test('Throw an error for missing distVersion', () => {