Akila Induranga
How to use securityConfigSecret in Opensearch with admin password being a sensitive value

I'm trying to use a set of roles with custom-defined permissions and OIDC as the authentication backend for an OpenSearch cluster deployed using opensearch-operator. I also want to have the password for the admin user defined separately. I can use the securityConfigSecret to provide all these configs in a secret as follows.

apiVersion: v1
kind: Secret
metadata:
  name: opensearch-security-config
  namespace: {{ .Values.namespace }}
type: Opaque
stringData:
  internal_users.yml: |-
    _meta:
      type: "internalusers"
      config_version: 2
    admin:
      hash: <MY-CUSTOM-PW-HASH>
      reserved: true
      backend_roles:
      - "admin"
      description: "Internal admin user"
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          oidc_auth_domain:
            description: "Authenticate via OpenID Connect"
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: username
                roles_key: roles
                openid_connect_url: <My-OIDC-AUTH-PROVIDER>
            authentication_backend:
              type: noop
        authz: {}
  roles_mapping.yml: |-
    _meta:
      type: "rolesmapping"
      config_version: 2
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      - "opensearch_admin"
      description: "Maps admin role and opensearch_admin to all_access"
    alerts_management:
      reserved: false
      backend_roles:
      - "opensearch_alerts_mgmt"
      description: "Maps opensearch_alerts_mgmt role to alerts_management"
    read_only:
      reserved: false
      backend_roles:
      - "opensearch_readonly"
      - "opensearch_alerts_mgmt"
      description: "Maps opensearch_readonly role to read_only"
  roles.yml: |-
    _meta:
      type: "roles"
      config_version: 2
    alerts_management:
      reserved: false
      cluster_permissions:
        - "cluster:admin/opensearch/securityanalytics/*"
        - "cluster:admin/opendistro/alerting/*"
    read_only:
      reserved: false
      cluster_permissions:
        - "cluster_composite_ops_ro"
        - "cluster_monitor"
        - "cluster:admin/opensearch/observability/get"
        - "cluster:admin/opensearch/ppl"
        - "cluster:admin/opensearch/ql/datasources/read"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "read"
            - "search"
            - "get"
            - "indices_monitor"
            - "indices:admin/mappings/get"
      tenant_permissions:
        - tenant_patterns:
            - "*"
          allowed_actions:
            - "kibana_all_read"

However, the password hash for the admin user is a sensitive value in the above config secret, while the other configs can be considered non-sensitive content. Therefore it would be better if we could keep the above config secret file on GitHub for future modifications to roles and permissions. But at the moment that cannot be done, solely because of the admin password hash. Is there any way I can extract the password and provide it to the deployment in a different way?

Upvotes: 0

Views: 187
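As an added illustration (not from the question, and not opensearch-operator code) of the pattern the question is after: keep internal_users.yml in git with only a placeholder, substitute the bcrypt hash from a separately stored secret at deploy time, refuse to render if a real hash has crept into the template, and sanity-check that every roles_mapping.yml entry refers to a role that exists. The template text, the shortened role files, the placeholder name and the set of static roles are assumptions made for the example.

```python
import re
import string

# Constructed stand-in for the internal_users.yml entry kept in git: only a
# placeholder, never the real bcrypt hash.
INTERNAL_USERS_TEMPLATE = """_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: ${ADMIN_PASSWORD_HASH}
  reserved: true
  backend_roles:
  - "admin"
"""
# Constructed, shortened copies of the roles.yml / roles_mapping.yml above.
ROLES_YML = ("_meta: {type: roles, config_version: 2}\n"
             "alerts_management: {reserved: false}\n"
             "read_only: {reserved: false}\n")
ROLES_MAPPING_YML = ("_meta: {type: rolesmapping, config_version: 2}\n"
                     "all_access: {backend_roles: [admin]}\n"
                     "alerts_management: {backend_roles: [opensearch_alerts_mgmt]}\n"
                     "read_only: {backend_roles: [opensearch_readonly]}\n")

# bcrypt: $2a/$2b/$2y prefix, two-digit cost, then 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
# Static roles the security plugin ships with (assumed minimal set; extend as needed).
STATIC_ROLES = frozenset({"all_access"})


def render_internal_users(template: str, password_hash: str) -> str:
    """Fill in the admin hash at deploy time; refuse templates that already leak one."""
    if BCRYPT_RE.search(template):
        raise ValueError("template already contains a bcrypt hash; keep it out of git")
    if not BCRYPT_RE.fullmatch(password_hash):
        raise ValueError("ADMIN_PASSWORD_HASH is not a bcrypt hash")
    return string.Template(template).substitute(ADMIN_PASSWORD_HASH=password_hash)


def top_level_keys(yaml_text: str) -> set:
    """Top-level mapping keys of a security config file, minus _meta."""
    return set(re.findall(r"^([A-Za-z0-9_.-]+):", yaml_text, re.M)) - {"_meta"}


def unmapped_roles(roles_yml: str, roles_mapping_yml: str) -> set:
    """roles_mapping.yml entries that name a role defined neither in roles.yml nor statically."""
    return top_level_keys(roles_mapping_yml) - top_level_keys(roles_yml) - STATIC_ROLES
```

The rendered output is what goes into the `internal_users.yml` key of the Secret, so the committed file never carries the hash and the roles files stay reviewable in git.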

Answers (0)