Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding security installation information #20231130 #6605

Merged
Show file tree
Hide file tree
Changes from 29 commits
Commits
Show all changes
51 commits
Select commit Hold shift + click to select a range
f0447a8
additing security installation page #20231130
AntonEliatra Mar 6, 2024
a576b43
Update security-installation.md
AntonEliatra Mar 6, 2024
116e2d9
Update security-installation.md
AntonEliatra Mar 6, 2024
f87895f
Update security-installation.md
AntonEliatra Mar 6, 2024
160427c
Update security-installation.md
AntonEliatra Mar 7, 2024
7b7c3d4
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
5225ac3
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
7184980
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
d4ac83f
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
854a51d
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
5577a3a
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
6166746
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
43249c1
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
ed05ca2
Update _security/configuration/security-installation.md
AntonEliatra Mar 12, 2024
785a439
renaming to enabling security
AntonEliatra Mar 12, 2024
74385c7
additing security installation page #20231130
AntonEliatra Mar 13, 2024
615edff
additing security installation page #20231130
AntonEliatra Mar 13, 2024
f9b8a17
additing security installation page #20231130
AntonEliatra Mar 13, 2024
3c8536d
additing security installation page #20231130
AntonEliatra Mar 13, 2024
f96f81e
Update enabling-security.md
Naarcha-AWS Mar 14, 2024
c9d49c6
Update enabling-security.md
Naarcha-AWS Mar 14, 2024
abcd8e5
moving security installation page #20231130
AntonEliatra Mar 15, 2024
b409fd9
moving security installation page #20231130
AntonEliatra Mar 15, 2024
c1af7ce
Update disable-enable-security.md
Naarcha-AWS Mar 18, 2024
3ebeac9
Update disable-enable-security.md
Naarcha-AWS Mar 18, 2024
c4471b4
Update disable-enable-security.md
Naarcha-AWS Mar 19, 2024
9494cdf
Apply suggestions from code review
Naarcha-AWS Mar 19, 2024
2f55274
Merge branch 'main' into adding-security-installation-page
Naarcha-AWS Mar 19, 2024
53d9834
Apply suggestions from code review
Naarcha-AWS Mar 20, 2024
b35d86b
fixes on security disable-enable page
AntonEliatra Mar 22, 2024
381f39c
Merge branch 'main' into adding-security-installation-page
Naarcha-AWS Mar 22, 2024
910c777
Made some updates to the structure
hdhalter Mar 27, 2024
54dbf5e
Merge branch 'main' into adding-security-installation-page
Naarcha-AWS Mar 27, 2024
2f2946a
Apply suggestions from code review
Naarcha-AWS Mar 27, 2024
be77d13
Apply suggestions from code review
Naarcha-AWS Mar 27, 2024
1189abd
Apply suggestions from code review
Naarcha-AWS Mar 27, 2024
d22c12b
fixes on security disable-enable page
AntonEliatra Mar 27, 2024
233d6ba
adding link for installation method on security installation page
AntonEliatra Mar 27, 2024
c2900e2
Update disable-enable-security.md
hdhalter Mar 28, 2024
c7e1562
Update _security/configuration/disable-enable-security.md
AntonEliatra Mar 29, 2024
39b7700
Update _security/configuration/disable-enable-security.md
AntonEliatra Mar 29, 2024
ff00e95
Update _security/configuration/disable-enable-security.md
AntonEliatra Mar 29, 2024
ac2585c
Update _security/configuration/disable-enable-security.md
AntonEliatra Mar 29, 2024
ace8202
Update disable-enable-security.md
AntonEliatra Mar 29, 2024
7044593
Apply suggestions from code review
Naarcha-AWS Mar 29, 2024
4422a9d
Merge branch 'main' into adding-security-installation-page
Naarcha-AWS Mar 29, 2024
5fa5323
Merge branch 'main' into adding-security-installation-page
Naarcha-AWS Apr 3, 2024
f045f81
Update disable-enable-security.md
AntonEliatra Apr 4, 2024
cfdaef5
Apply suggestions from code review
AntonEliatra Apr 4, 2024
f0bd141
Apply suggestions from code review
Naarcha-AWS Apr 4, 2024
2aebcaa
Merge branch 'main' into adding-security-installation-page
Naarcha-AWS Apr 4, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
185 changes: 185 additions & 0 deletions _security/configuration/disable-enable-security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,185 @@
---
layout: default
title: Disabling and enabling the Security plugin
parent: Configuration
nav_order: 40
has_toc: true
redirect_from:
- /security-plugin/configuration/disable/
---

# Disabling and enabling the Security plugin

The Security plugin is installed by default with OpenSearch, but you can disable it temporarily if you want to make testing or internal usage more straightforward. You can then enable it once you're ready to configure security for your cluster.
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved

If you have your own security solution or need to remove the Security plugin for development purposes, you can uninstall the plugin completely. Note that OpenSearch Dashboards can run only against a secure cluster, so if you uninstall the OpenSearch Security plugin, you'll have to also uninstall the Dashboard plugin.
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved


## Disabling security

To disable the Security plugin for OpenSearch, add the following line in `opensearch.yml`:

```yml
plugins.security.disabled: true
```

AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved
natebower marked this conversation as resolved.
Show resolved Hide resolved
## Removing the Security plugin

If you want to remove the Security plugin in your OpenSearch instance without changing your configuration settings in `opensearch.yml`, use the following steps.
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved

1. Delete the `plugins/opensearch-security` folder on all nodes.
1. Delete all `plugins.security.*` configuration entries from `opensearch.yml`.
1. Uninstall the Security plugin by using the following command:

```bash
/usr/share/opensearch/opensearch-plugin remove opensearch-security
```

To perform these steps on the Docker image, see [Working with plugins]({{site.url}}{{site.baseurl}}/opensearch/install/docker#working-with-plugins).

Disabling or removing the plugin exposes the configuration index for the Security plugin. If the index contains sensitive information, be sure to protect it through some other means. If you no longer need the index, delete it.
{: .warning }


## Removing the OpenSearch Dashboards Security plugin

If you disable the Security plugin in `opensearch.yml` and still want to use OpenSearch Dashboards, you must remove the corresponding OpenSearch Dashboards Security plugin. For more information, see [OpenSearch Dashboards remove plugins]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/plugins/#remove-plugins).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirm whether the linked text is the actual/exact name of the page.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you disable the Security plugin in `opensearch.yml` and still want to use OpenSearch Dashboards, you must remove the corresponding OpenSearch Dashboards Security plugin. For more information, see [OpenSearch Dashboards remove plugins]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/plugins/#remove-plugins).
If you disable the Security plugin in `opensearch.yml` and still want to use OpenSearch Dashboards, you must remove the corresponding OpenSearch Dashboards plugin. For more information, see [OpenSearch Dashboards remove plugins]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/plugins/#remove-plugins).


Refer to the following installation types to remove the OpenSearch Dashboards plugin.

### Docker

1. Remove all Security plugin configuration settings from `opensearch_dashboards.yml` or place the example file in the same folder as the `Dockerfile`:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"move the example file to"?

Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved

```yml
---
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: http://localhost:9200
```

1. Create a new `Dockerfile`:

```
FROM opensearchproject/opensearch-dashboards:{{site.opensearch_dashboards_version}}
RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards
COPY --chown=opensearch-dashboards:opensearch-dashboards opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/
```

1. To build the new Docker image, run the following command:

```bash
docker build --tag=opensearch-dashboards-no-security .
```

1. In `docker-compose.yml`, change `opensearchproject/opensearch-dashboards:{{site.opensearch_dashboards_version}}` to `opensearch-dashboards-no-security`.
1. Change `OPENSEARCH_HOSTS` or `opensearch.hosts` to `http://` rather than `https://`.
1. Enter `docker-compose up`.

### Tarball

1. Navigate to the `/bin` directory in your OpenSearch Dashboards installation folder and stop the running OpenSearch Dashboards instance by pressing `Ctrl + C`.

1. Run the following command to uninstall the Security plugin:

```bash
./bin/opensearch-dashboards-plugin remove securityDashboards
```

1. Remove all Security plugin configuration settings from the `opensearch_dashboards.yml` file or use the following example file:

```yml
---
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: http://localhost:9200
```

1. Start OpenSearch Dashboards.
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved
```bash
./bin/opensearch-dashboards
```

### RPM and Debian

1. Stop the running instance of OpenSearch Dashboards by using the following command:

```bash
sudo systemctl stop opensearch-dashboards
```

1. Navigate to the OpenSearch Dashboards folder `/usr/share/opensearch-dashboards` and run the following command to uninstall the Security plugin:

```bash
./bin/opensearch-dashboards-plugin remove securityDashboards
```

1. Remove all Security plugin configuration settings from the `opensearch_dashboards.yml` file or place the example file in the `/etc/opensearch_dashboards` folder:

```yml
---
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: http://localhost:9200
```
1. Start OpenSearch Dashboards:
```bash
sudo systemctl start opensearch-dashboards
```

## Enabling security

The default version of OpenSearch comes with Security features pre-installed, however if the Security plugin was [disabled]({{site.url}}{{site.baseurl}}/security/configuration/disable-enable-security/) or OpenSearch was installed without security, such as when using the minimal distribution method, you can enable the plugin as follows.

A full cluster restart is necessary to enable security features.
{: .warning}

### Installing the OpenSearch plugin

Use the following steps to install the plugin if you previously uninstalled it.

1. Disable shard allocation and stop all nodes in order to prevent shards from moving around when the cluster is restarted.
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved

```json
curl -XPUT "http://localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{
"transient": {
"cluster.routing.allocation.enable": "none"
}
}'
```
{% include copy.html %}

2. Install the Security plugin on all nodes in your cluster

```bash
bin/opensearch-plugin install opensearch-security
```
{% include copy.html %}

3. Add the necessary configuration to opensearch.yml for TLS encryption.
[Configuration]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/security-settings/) details different settings which need to be configured.

4. Create the `OPENSEARCH_INITIAL_ADMIN_PASSWORD` variable. For more information, see [Setting up a custom admin password](https://opensearch.org/docs/latest/security/configuration/demo-configuration/#setting-up-a-custom-admin-password).

5. Restart the nodes and reenable shard allocation.
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved

```json
curl -XPUT "http://localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{
"transient": {
"cluster.routing.allocation.enable": "all"
}
}'
```
{% include copy.html %}

### Installing the OpenSearch Dashboards plugin

1. Stop running your OpenSearch Dashboards cluster.
2. Install the Security plugin:

```bash
./bin/opensearch-dashboards-plugin install securityDashboards
```

4. Add necessary [Configuration]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/tls/) settings in the `opensearch_dashboards.yml`
5. Start OpenSearch Dashboards. You should be prompted to enter your log in credentials if the plugin was successfully installed.
121 changes: 0 additions & 121 deletions _security/configuration/disable.md

This file was deleted.

2 changes: 1 addition & 1 deletion _security/configuration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ The plugin includes demo certificates so that you can get up and running quickly
1. Start OpenSearch.
1. [Add users, roles, role mappings, and tenants]({{site.url}}{{site.baseurl}}/security/access-control/index/).

If you don't want to use the plugin, see [Disable security]({{site.url}}{{site.baseurl}}/security/configuration/disable).
If you don't want to use the plugin, see [Disable security]({{site.url}}{{site.baseurl}}/security/configuration/disable-enable-security/).

The Security plugin has several default users, roles, action groups, permissions, and settings for OpenSearch Dashboards that use kibana in their names. We will change these names in a future release.
{: .note }
Expand Down
Loading