Admin and Super Admin (security admin) Documentation Update (#7069) (#…

…7300)
opensearch-project · Jun 5, 2024 · 9901b61 · 9901b61
1 parent 491fb04
commit 9901b61
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 4 deletions.
diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md
@@ -242,3 +242,42 @@ Map the role to your user:
 1. Choose the **Mapped users** tab and **Manage mapping**.
 1. For **Internal users**, add your bulk access user.
 1. Choose **Map**.
+
+## Admin and super admin roles
+
+OpenSearch user roles are essential for controlling access to cluster resources. Users can be categorized as regular users, admin users, or super admin users based on their access rights and responsibilities.
+
+For more information about defining users, see [Defining users](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-users). For more information about defining roles, see [Defining roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#defining-roles).
+
+
+### Regular users
+Regular users have basic access permissions that allow them to interact with the OpenSearch cluster, such as querying data and using dashboards, but they do not have administrative privileges.
+
+### Admin users
+Admin users have elevated permissions that allow them to perform various administrative tasks within the cluster. They have broader access compared to regular users, including permissions to:
+- Manage users and roles.
+- Configure permissions.
+- Adjust backend settings.
+
+Admin users can perform these tasks by configuring settings in the `opensearch.yml` file, using OpenSearch Dashboards, or interacting with the REST API. For more information about configuring users and roles, see [predefined roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#predefined-roles).
+
+### Super admin users
+Super admin users have the highest level of administrative authority within the OpenSearch environment. This role is typically reserved for select users and should be managed carefully.
+
+Super admin users have unrestricted access to all settings and data within the cluster, including permissions to:
+- Modify Security plugin configurations.
+- Access and manage the security index `.opendistro_security`.
+- Override any security limitations.
+
+#### Authentication of the super admin role
+
+Super admin users are authenticated through certificates, not passwords. The necessary certificates are defined in the `admin_dn` section of the `opensearch.yml` file and must be signed with the same root certificate authority (CA), as shown in the following example:
+```
+YAML
+plugins.security.authcz.admin_dn:
+- CN=kirk,OU=client,O=client,L=test, C=de
+``` 
+
+If the super admin certificate is signed by a different CA, then the admin CA must be concatenated with the node's CA in the file defined in `plugins.security.ssl.http.pemtrustedcas_filepath` in `opensearch.yml`. 
+
+For more information, see [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
diff --git a/_security/configuration/tls.md b/_security/configuration/tls.md
@@ -128,14 +128,16 @@ If your node certificates have an Object ID (OID) identifier in the SAN section,
 
 ## Configuring admin certificates
 
-Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s):
+Super admin certificates are regular client certificates that have elevated rights to perform administrative security tasks. You need an admin certificate to change the Security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/) or the REST API. Super admin certificates are configured in `opensearch.yml` by stating their DN(s):
 
 ```yml
 plugins.security.authcz.admin_dn:
   - CN=admin,OU=SSL,O=Test,L=Test,C=DE
 ```
 
-For security reasons, you can't use wildcards or regular expressions here.
+For security reasons, you cannot use wildcards or regular expressions as values for the `admin_dn` setting.
+
+For more information about admin and super admin user roles, see [Admin and super admin roles](https://opensearch.org/docs/latest/security/access-control/users-roles/#admin-and-super-admin-roles) and [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
 
 
 ## (Advanced) OpenSSL
@@ -237,7 +239,6 @@ plugins.security.ssl.http.enabled_protocols:
   - "TLSv1.2"
 ```
 
-
 ## (Advanced) Disabling client initiated renegotiation for Java 8
 
 Set `-Djdk.tls.rejectClientInitiatedRenegotiation=true` to disable secure client initiated renegotiation, which is enabled by default. This can be set via `OPENSEARCH_JAVA_OPTS` in `config/jvm.options`.

diff --git a/_troubleshoot/security-admin.md b/_troubleshoot/security-admin.md
@@ -92,7 +92,7 @@ Connected as CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE
 ERR: CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user
 ```
 
-You must use an admin certificate when executing the script. To learn more, see [Configuring admin certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates).
+You must use an admin certificate when executing the script. To learn more, see  [Configuring super admin certificates](https://opensearch.org/docs/latest/security/configuration/tls/#configuring-admin-certificates).
 
 ## Use the diagnose option