commit ef73e56eb9f816ba51f4e245d6ea87fa832c59c3 Author: TigErJin Date: Mon Sep 15 13:35:51 2025 +0900 convert to gitea diff --git a/README.md b/README.md new file mode 100644 index 0000000..b5cfcd9 --- /dev/null +++ b/README.md 
@@ -0,0 +1,514 @@ +# OpenSearch 3.1 클러스터 구축 가이드 (3-Node) + +본 문서는 Ubuntu 24.04 환경에서 3대의 서버를 이용하여 OpenSearch 3.1 클러스터를 구축하고, 최종적으로 로드 밸런서(LB) 중심의 안정적인 프로덕션 아키텍처로 전환하는 전체 과정을 상세히 기술한다. + +## 버전 히스토리 +* **v1.0:** 개별 노드 직접 접속 방식의 초기 클러스터 구축 +* **v2.0:** 로드 밸런서(LB)를 도입하여 고가용성 및 단일 접속점을 확보한 프로덕션 아키텍처로 전환 + +## 목차 +1. [사전 정보](#1-사전-정보) +2. [**v1.0: 초기 클러스터 구축 (LB 미사용)**](#v10-초기-클러스터-구축-lb-미사용) + 1. [1단계: 설치](#1단계-설치) + 2. [2단계: 사전 준비](#2단계-사전-준비) + 3. [3단계: OpenSearch 설정 (`opensearch.yml`)](#3단계-opensearch-설정-opensearchyml) + 4. [4단계: JVM 및 시스템 설정](#4단계-jvm-및-시스템-설정) + 5. [5단계: 보안 플러그인 설정](#5단계-보안-플러그인-설정) + 6. [6단계: 클러스터 시작 및 적용](#6단계-클러스터-시작-및-적용) + 7. [7단계: Dashboards 설정](#7단계-dashboards-설정) + 8. [8단계: Dashboards 시작 및 확인](#8단계-dashboards-시작-및-확인) + 9. [9단계: JWT 인증 테스트](#9단계-jwt-인증-테스트) +3. [**v2.0: LB 중심 아키텍처로 전환**](#v20-lb-중-심-아키텍처로-전환) + 1. [10단계: 아키텍처 목표](#10단계-아키텍처-목표) + 2. [11단계: LB 준비 및 Nginx 프록시 구축](#11단계-lb-준비-및-nginx-프록시-구축) + 3. [12단계: OpenSearch 및 Dashboards 재구성](#12단계-opensearch-및-dashboards-재구성) + 4. [13단계: 최종 전환 및 테스트](#13단계-최종-전환-및-테스트) +4. [**부록: 운영 및 관리**](#부록-운영-및-관리) + 1. [주요 트러블슈팅 및 교훈](#주요-트러블슈팅-및-교훈) + 2. [추가 권장 사항 및 팁](#추가-권장-사항-및-팁) + 3. [사용자/역할 추가 (Dashboards UI)](#사용자역할-추가-dashboards-ui) + 4. [인증서에서 정확한 DN 추출하기](#인증서에서-정확한-dn-추출하기) + 5. [`-nameopt RFC2253` 옵션 상세 설명](#-nameopt-rfc2253-옵션-상세-설명) + +--- + +## 1. 
사전 정보 + +### 서버 사양 (3대 공통) +* **CPU:** 8 vCPU +* **Memory:** 65 GB +* **Disk:** 2 TB SSD +* **OS:** Ubuntu 24.04 +* **SSH Port:** 42894 + +### 노드 정보 +| 항목 | Node1 | Node2 | Node3 | +| :--- | :--- | :--- | :--- | +| **호스트네임** | ds-opensearch001 | ds-opensearch002 | ds-opensearch003 | +| **외부 DNS (v1.0)** | ds-osearch001.oneunivrs.com | ds-osearch002.oneunivrs.com | ds-osearch003.oneunivrs.com | +| **내부 DNS** | ds-osnode001.oneunivrs.com | ds-osnode002.oneunivrs.com | ds-osnode003.oneunivrs.com | +| **Private IP** | 10.0.10.8 | 10.0.10.9 | 10.0.10.10 | + +### SSL 인증서 +* **종류:** 와일드카드 `*.oneunivrs.com` +* **초기 위치:** Node1의 `/data/cert/` +* **파일:** `oneunivrs.pem`, `root.pem`, `oneunivrs_key.pem` +* **DN:** `C=KR, ST=Seoul, O="ONEUNIVERSE Co.,Ltd.", CN=*.oneunivrs.com` + +### JWT 인증 +* **방식:** 대칭키 (HS256) +* **서명키:** `UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=` + +--- + +## v1.0: 초기 클러스터 구축 (LB 미사용) + +이 버전은 로드 밸런서 없이 각 노드에 직접 접속하는 방식의 기본 클러스터를 구축한다. + +### 1단계: 설치 +모든 작업은 `root` 계정으로 진행. + +**[모든 노드]** +APT 저장소 설정 후 OpenSearch 설치. 초기 admin 비밀번호 지정. + +```bash +# APT 저장소 설정 (공식 문서 참조) + +# OpenSearch 설치 (3.1.0) +env OPENSEARCH_INITIAL_ADMIN_PASSWORD='DHp5#r#GYQ9d' apt-get install opensearch=3.1.0 + +# Dashboards도 미리 설치 +apt-get install opensearch-dashboards=3.1.0 +``` + +### 2단계: 사전 준비 +**[모든 노드]** +#### 2.1. 데이터/로그 디렉토리 생성 +```bash +mkdir -p /data/opensearch/{data,logs} +chown -R opensearch:opensearch /data/opensearch +``` +#### 2.2. 
인증서 복사 및 권한 설정 +**[Node1]** +```bash +mkdir -p /etc/opensearch/certs +cp /data/cert/*.pem /etc/opensearch/certs/ + +# 다른 노드로 전송 +scp -P 42894 /etc/opensearch/certs/*.pem root@ds-osnode002.oneunivrs.com:/etc/opensearch/certs/ +scp -P 42894 /etc/opensearch/certs/*.pem root@ds-osnode003.oneunivrs.com:/etc/opensearch/certs/ +``` + +**[모든 노드]** +```bash +chown -R opensearch:opensearch /etc/opensearch/certs +chmod 600 /etc/opensearch/certs/oneunivrs_key.pem # 개인키 권한 축소 +chmod 644 /etc/opensearch/certs/oneunivrs.pem /etc/opensearch/certs/root.pem +``` + +### 3단계: OpenSearch 설정 (`opensearch.yml`) +**[모든 노드]** +기존 파일 백업 후, 각 노드에 맞게 `/etc/opensearch/opensearch.yml` 작성. + +```yaml +# 클러스터 이름 +cluster.name: ds-cluster + +# [중요] node.name은 내부 DNS와 일치시킬 것 (클러스터링 실패 방지) +# Node1: node.name: ds-osnode001.oneunivrs.com +# Node2: node.name: ds-osnode002.oneunivrs.com +# Node3: node.name: ds-osnode003.oneunivrs.com +node.name: ds-osnode001.oneunivrs.com # 각 노드에 맞게 수정 + +# 역할 +node.roles: [ cluster_manager, data ] + +# 경로 +path.data: /data/opensearch/data +path.logs: /data/opensearch/logs + +# 메모리 잠금 +bootstrap.memory_lock: true + +# 네트워크 +network.host: 0.0.0.0 +http.port: 9200 +transport.port: 9300 + +# 클러스터링 +discovery.seed_hosts: + - ds-osnode001.oneunivrs.com + - ds-osnode002.oneunivrs.com + - ds-osnode003.oneunivrs.com + +# [중요] 최초 마스터 후보 목록. node.name과 일치해야 함. 
+cluster.initial_cluster_manager_nodes: + - ds-osnode001.oneunivrs.com + - ds-osnode002.oneunivrs.com + - ds-osnode003.oneunivrs.com + +# 보안 플러그인 +plugins.security.ssl.transport.enabled: true +plugins.security.ssl.transport.pemcert_filepath: certs/oneunivrs.pem +plugins.security.ssl.transport.pemkey_filepath: certs/oneunivrs_key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root.pem +plugins.security.ssl.transport.enforce_hostname_verification: false + +plugins.security.ssl.http.enabled: true +plugins.security.ssl.http.pemcert_filepath: certs/oneunivrs.pem +plugins.security.ssl.http.pemkey_filepath: certs/oneunivrs_key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: certs/root.pem + +# [주의] DN의 쉼표(,)는 백슬래시 두 개(\\)로 이스케이프 +plugins.security.nodes_dn: + - "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR" +plugins.security.authcz.admin_dn: + - "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR" + +plugins.security.allow_default_init_securityindex: true +plugins.security.audit.type: internal_opensearch +plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +``` + +### 4단계: JVM 및 시스템 설정 +**[모든 노드]** +#### 4.1. JVM 힙 메모리 +`/etc/opensearch/jvm.options` 파일 수정. 31GB로 설정. +```bash +sed -i 's/^-Xms1g/#-Xms1g/' /etc/opensearch/jvm.options +sed -i 's/^-Xmx1g/#-Xmx1g/' /etc/opensearch/jvm.options +echo -e "\n-Xms31g\n-Xmx31g" >> /etc/opensearch/jvm.options +``` +#### 4.2. Systemd 오버라이드 +메모리 잠금과 경로 권한 부여. +```bash +mkdir -p /etc/systemd/system/opensearch.service.d +cat < /etc/systemd/system/opensearch.service.d/override.conf +[Service] +LimitMEMLOCK=infinity +ReadWritePaths=/data/opensearch/ +EOF + +systemctl daemon-reload +systemctl enable opensearch.service +``` + +### 5단계: 보안 플러그인 설정 +**[Node1에서 작업 후 다른 노드로 복사]** +#### 5.1. 인증 방식 설정 (`config.yml`) +`/etc/opensearch/opensearch-security/config.yml` 수정. JWT 우선, Basic 차선. 
+```yaml +--- +_meta: + type: "config" + config_version: 2 +config: + dynamic: + http: + anonymous_auth_enabled: false + authc: + # [중요] order: 0(JWT) -> order: 1(Basic) + jwt_auth_domain: + http_enabled: true + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=" + jwt_header: "Authorization" # "Bearer " 접두사는 자동 처리됨 + subject_key: sub + roles_key: roles + authentication_backend: + type: noop + basic_internal_auth_domain: + http_enabled: true + order: 1 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: internal +``` +#### 5.2. 역할 매핑 (`roles_mapping.yml`) +`/etc/opensearch/opensearch-security/roles_mapping.yml` 수정. +```yaml +# ... (기존 내용 유지) +all_access: + reserved: false + users: + - "admin" # 내부 사용자 + backend_roles: + - "admin" # JWT를 통해 온 사용자 +# ... (기존 내용 유지) +``` +#### 5.3. 파일 복사 및 권한 설정 +**[Node1]** +```bash +scp -P 42894 /etc/opensearch/opensearch-security/config.yml root@ds-osnode002.oneunivrs.com:/etc/opensearch/opensearch-security/ +scp -P 42894 /etc/opensearch/opensearch-security/roles_mapping.yml root@ds-osnode002.oneunivrs.com:/etc/opensearch/opensearch-security/ +scp -P 42894 /etc/opensearch/opensearch-security/config.yml root@ds-osnode003.oneunivrs.com:/etc/opensearch/opensearch-security/ +scp -P 42894 /etc/opensearch/opensearch-security/roles_mapping.yml root@ds-osnode003.oneunivrs.com:/etc/opensearch/opensearch-security/ +``` +**[모든 노드]** +```bash +chown -R opensearch:opensearch /etc/opensearch +find /etc/opensearch -type d -exec chmod 750 {} \; +find /etc/opensearch -type f -exec chmod 640 {} \; +chmod 600 /etc/opensearch/certs/oneunivrs_key.pem +chmod -R 600 /etc/opensearch/opensearch-security/* +``` + +### 6단계: 클러스터 시작 및 적용 +#### 6.1. 클러스터 시작 +마스터가 아닌 노드부터 순차적으로 시작. +```bash +systemctl start opensearch.service # Node3 -> Node2 -> Node1 순으로 실행 +``` +#### 6.2. 개인키 변환 (PKCS#8) +`securityadmin.sh`는 PKCS#8 형식을 요구함. 
+**[Node1]** +```bash +openssl pkcs8 -topk8 -inform PEM -outform PEM -in /etc/opensearch/certs/oneunivrs_key.pem -out /etc/opensearch/certs/oneunivrs_key.p8.pem -nocrypt +chown opensearch:opensearch /etc/opensearch/certs/oneunivrs_key.p8.pem +chmod 600 /etc/opensearch/certs/oneunivrs_key.p8.pem +``` +#### 6.3. 보안 설정 적용 +**[Node1]** +```bash +# [중요] 3.1 버전은 REST 포트(9200)와 변환된 키(.p8.pem) 사용 +/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \ + -cd /etc/opensearch/opensearch-security/ \ + -cacert /etc/opensearch/certs/root.pem \ + -cert /etc/opensearch/certs/oneunivrs.pem \ + -key /etc/opensearch/certs/oneunivrs_key.p8.pem \ + -h ds-osnode001.oneunivrs.com \ + -p 9200 \ + -icl \ + -nhnv +``` + +### 7단계: Dashboards 설정 +**[Node1]** +#### 7.1. 대시보드용 인증서 복사 +```bash +mkdir -p /etc/opensearch-dashboards/certs +cp /etc/opensearch/certs/*.pem /etc/opensearch-dashboards/certs/ +chown -R opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/certs +``` +#### 7.2. 
`opensearch_dashboards.yml` 설정 +```yaml +server.port: 5601 +server.host: "0.0.0.0" +server.name: "oneunivrs-opensearch-dashboards" + +# 고가용성을 위해 클러스터 노드 모두 기재 +opensearch.hosts: + - https://ds-osearch001.oneunivrs.com:9200 + - https://ds-osearch002.oneunivrs.com:9200 + - https://ds-osearch003.oneunivrs.com:9200 + +# [중요] 2.x 이후 버전의 설정 키 이름 +opensearch.requestHeadersWhitelist: [ "securitytenant", "authorization" ] + +# 대시보드 HTTPS +server.ssl.enabled: true +server.ssl.certificate: /etc/opensearch-dashboards/certs/oneunivrs.pem +server.ssl.key: /etc/opensearch-dashboards/certs/oneunivrs_key.pem + +# [중요] 2.x 이후 버전의 설정 키 이름 (배열) +opensearch.ssl: + verificationMode: full + certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ] + +# 서비스 계정 +opensearch.username: "kibanaserver" +opensearch.password: "kibanaserver" + +# 보안 연동 +opensearch_security: + multitenancy.enabled: true + auth.anonymous_auth_enabled: false + cookie.password: "강력하고_랜덤한_문자열_사용" +``` + +### 8단계: Dashboards 시작 및 확인 +**[Node1]** +```bash +systemctl start opensearch-dashboards.service +systemctl enable opensearch-dashboards.service +``` +브라우저에서 `https://ds-osearch001.oneunivrs.com:5601` 접속. `admin` / `DHp5#r#GYQ9d` 로그인 확인. + +### 9단계: JWT 인증 테스트 +#### 9.1. 서버에서 직접 토큰 생성 +외부 도구의 키 처리 방식 문제로 서버에서 직접 생성하는 것이 가장 확실. +**[Node1]** +```bash +pip install pyjwt +vi create_token.py +``` +```python +# create_token.py +import jwt, time, base64 +base64_secret = "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=" +# [핵심] Base64 디코딩 +decoded_secret = base64.b64decode(base64_secret) +payload = { "sub": "admin", "roles": ["admin"], "exp": int(time.time()) + 3600 } +token = jwt.encode(payload, decoded_secret, algorithm="HS256") +print(token) +``` +```bash +python3 create_token.py # 토큰 생성 후 복사 +``` +#### 9.2. `curl`로 API 호출 +```bash +curl -k -H "Authorization: Bearer <방금_생성한_토큰>" "https://ds-osearch001.oneunivrs.com:9200" +``` +성공 응답 확인. 
+ +--- + +## v2.0: LB 중심 아키텍처로 전환 + +초기 구축된 클러스터를 프로덕션 환경에 적합하도록 로드 밸런서(LB) 중심의 고가용성 아키텍처로 전환한다. + +### 10단계: 아키텍처 목표 +* **AS-IS:** 클라이언트가 개별 노드(`ds-osearch001` 등)에 직접 접속. +* **TO-BE:** 클라이언트는 LB의 단일 대표 주소(`ds-opensearch.oneunivrs.com`)에만 접속. 노드들은 내부망에 격리되어 보안 강화. + +### 11단계: LB 준비 및 Nginx 프록시 구축 + +LB의 헬스 체크 제약(200 OK만 허용)을 우회하기 위해, 모든 OpenSearch 노드에 헬스 체크 전용 Nginx 프록시를 설치한다. + +**[모든 노드 (Node1, Node2, Node3)에서 실행]** +```bash +# Nginx 설치 +apt-get update && apt-get install nginx -y + +# Nginx용 SSL 디렉토리 생성 및 인증서 복사 +mkdir -p /etc/nginx/ssl +cp /etc/opensearch/certs/*.pem /etc/nginx/ssl/ + +# 기본 설정 비활성화 +rm /etc/nginx/sites-enabled/default + +# 헬스 체크용 설정 파일 생성 +vi /etc/nginx/sites-available/opensearch-healthcheck +``` + +`opensearch-healthcheck` 파일에 아래 내용을 작성한다. +```nginx +server { + listen 9201 ssl; + # [주의] IPv6 비활성화 환경에서는 아래 라인 주석 처리 + # listen [::]:9201 ssl; + + # 각 노드의 내부 DNS 또는 IP로 설정 + server_name ds-osnode001.oneunivrs.com; # Node2에서는 ds-osnode002... + + ssl_certificate /etc/nginx/ssl/oneunivrs.pem; + ssl_certificate_key /etc/nginx/ssl/oneunivrs_key.pem; + + location / { + # 헬스 체크 요청에 무조건 200 OK 응답 + return 200 'Healthy'; + add_header Content-Type text/plain; + add_header Content-Length 7; + } +} +``` + +```bash +# 설정 활성화 및 재시작 +ln -s /etc/nginx/sites-available/opensearch-healthcheck /etc/nginx/sites-enabled/ +nginx -t +systemctl restart nginx +systemctl enable nginx +``` + +### 12단계: OpenSearch 및 Dashboards 재구성 + +**[로드 밸런서 설정]** +* **대표 DNS:** `ds-opensearch.oneunivrs.com`을 생성하여 LB의 Public IP에 연결. +* **리스너:** `HTTPS:9200` (API용), `HTTPS:5601` (Dashboards용) 생성. +* **SSL 인증서:** `oneunivrs.com` 인증서를 LB에 설치. 
+* **`opensearch-api` 타겟 그룹:** + * **대상:** `10.0.10.8:9200`, `10.0.10.9:9200`, `10.0.10.10:9200` + * **헬스 체크:** `HTTPS`, Port `9201`, Path `/`, Method `GET` +* **`opensearch-dashboard` 타겟 그룹:** + * **대상:** `10.0.10.8:5601` + * **헬스 체크:** `HTTPS`, Port `9201`, Path `/`, Method `GET` (API와 동일한 프록시 사용) + +**[Node1의 Dashboards 설정 변경]** +`/etc/opensearch-dashboards/opensearch_dashboards.yml`을 수정하여 LB를 바라보게 한다. +```yaml +# opensearch.hosts를 새로운 LB 대표 DNS로 변경 +opensearch.hosts: ["https://ds-opensearch.oneunivrs.com:9200"] + +# [중요] LB <-> Dashboards 간 SNI 문제 해결을 위한 옵션 추가 +opensearch.ssl: + alwaysPresentCertificate: true + verificationMode: full + certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ] +``` +```bash +# Dashboards 서비스 재시작 +systemctl restart opensearch-dashboards.service +``` + +### 13단계: 최종 전환 및 테스트 +1. LB 콘솔에서 `opensearch-api`와 `opensearch-dashboard` 타겟 그룹의 상태가 모두 `healthy`로 바뀌는지 확인한다. +2. 모든 클라이언트의 접속 주소를 `https://ds-opensearch.oneunivrs.com`으로 변경한다. +3. API와 Dashboards 접속이 모두 정상적으로 이루어지는지 최종 확인한다. + ```bash + curl -k -H "Authorization: Bearer <최종_토큰>" "https://ds-opensearch.oneunivrs.com:9200" + ``` +4. (선택 사항) 전환이 안정화되면, 개별 노드의 외부 IP를 제거하고 방화벽을 강화하여 보안 수준을 높인다. + +--- + +## 부록: 운영 및 관리 + +### 주요 트러블슈팅 및 교훈 +1. **클러스터 형성 실패 (`cluster-manager not discovered`):** `opensearch.yml`의 `node.name`과 `cluster.initial_cluster_manager_nodes` 목록의 이름이 불일치. 클러스터링 관련 설정의 이름은 정확히 일치해야 함. +2. **`securityadmin.sh` 실행 실패:** + * **원인 1 (`InvalidKeySpecException`):** `securityadmin.sh`는 PKCS#8 형식의 개인키를 필요로 함. `openssl pkcs8` 명령으로 변환하여 해결. + * **원인 2 (포트 오류):** OpenSearch 2.12 이후 `securityadmin.sh`는 REST 포트(9200)를 사용. +3. **Dashboards 시작 실패:** 2.x 버전 이후 변경된 설정 키 이름 문제 (`requestHeadersWhitelist`, `ssl.ca`). 버전업 시 공식 문서의 Breaking Changes를 반드시 확인해야 함. +4. **JWT 인증 실패 (`Unauthorized`):** + * **근본 원인:** `signing_key`를 Base64 문자열 그대로 사용. + * **해결:** `signing_key`를 **Base64 디코딩**한 바이너리 값을 실제 비밀키로 사용하여 토큰을 생성해야 함. +5. 
**LB 헬스 체크 실패 (`503`, `401`, `405` 등):** + * **원인:** 사용하는 LB가 헬스 체크 성공 기준으로 `200 OK`만 허용하는데, 보안이 활성화된 OpenSearch/Dashboards는 인증되지 않은 요청에 `200 OK`를 반환하지 않음. + * **해결:** 모든 노드에 Nginx를 헬스 체크 전용 프록시로 설치. LB는 Nginx의 `9201` 포트로 헬스 체크를 요청하고, Nginx는 무조건 `200 OK`를 응답하여 문제를 우회함. + +### 추가 권장 사항 및 팁 +1. **롤링 리스타트 시 샤드 재배치 중단:** `/_cluster/settings` API를 통해 `cluster.routing.rebalance.enable`을 `none`으로 설정하면 재시작 속도를 높일 수 있음. +2. **인덱스 템플릿 및 ILM:** 데이터가 많아지기 전에 Dashboards의 `Index Management` 메뉴에서 인덱스 템플릿과 ILM(수명 주기 관리) 정책을 설정하여 운영을 자동화할 것. +3. **스냅샷 및 복구:** 데이터 유실 방지를 위해 Dashboards의 `Snapshots` 메뉴에서 외부 저장소(S3 등)로의 주기적인 백업을 반드시 설정할 것. +4. **방화벽 설정:** LB 전환 후 노드들의 외부 IP를 제거하고, OS 방화벽(UFW 등)을 사용해 신뢰할 수 있는 내부 IP 대역에서의 접속만 허용하여 보안을 강화할 것. + +### 사용자/역할 추가 (Dashboards UI) +`admin` 계정으로 Dashboards에 로그인 후, `Security` 메뉴에서 YAML 파일 수정 없이 직관적으로 사용자, 역할, 역할 매핑을 관리할 수 있다. 일회성 작업은 UI를 사용하는 것이 편리하다. +* **역할 생성:** `Security > Roles > Create role` +* **사용자 생성:** `Security > Internal Users > Create internal user` +* **역할 매핑:** `Security > Roles > (역할 선택) > Mapped users > Manage mapping` + +### 인증서에서 정확한 DN 추출하기 +`opensearch.yml`의 `nodes_dn`, `admin_dn` 설정 시, `openssl` 명령어로 정확한 DN을 추출하여 사용하면 실수를 방지할 수 있다. + +```bash +# [권장] RFC2253 형식으로 출력 +openssl x509 -in /data/cert/oneunivrs.pem -noout -subject -nameopt RFC2253 +``` +**출력 예시:** `CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\,Ltd.,ST=Seoul,C=KR` +**`opensearch.yml` 적용 시:** YAML 문자열 내에서 백슬래시(`\`)는 이스케이프해야 하므로 `\\`로 변경해야 한다. +`"CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"` + +### `-nameopt RFC2253` 옵션 상세 설명 +이 옵션은 기계가 파싱하기 좋은 표준 형식으로 DN을 출력한다. +* `subject=` 같은 불필요한 접두사가 없다. +* 쉼표(`,`)로만 구분되며 불필요한 공백이 없다. +* **가장 중요:** DN 값 자체에 포함된 특수 문자(예: `Co.,Ltd.`의 쉼표)를 백슬래시(`\`)로 자동으로 이스케이프 처리해준다. +* OpenSearch 보안 플러그인은 이 형식을 가장 안정적으로 인식하므로, DN 설정 시 반드시 사용하는 것이 좋다. diff --git a/cert/oneunivrs.pem b/cert/oneunivrs.pem new file mode 100644 index 0000000..4cdfb71 --- /dev/null +++ b/cert/oneunivrs.pem 
@@ -0,0 +1,74 @@ +-----BEGIN CERTIFICATE----- +MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB +lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD +EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy +dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE +BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s +THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0 +6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET +c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1 +iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5 +AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D +mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD +VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA +DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud +JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB +AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn +gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T +ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy +bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp +Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy +dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp +BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor +BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G +pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc +7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ +htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC +IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2 +PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h 
+qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy +QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ +KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp +3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1 +PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS +N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M +k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg +rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx +MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV +BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE +ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6 +YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q +9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x +on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h +fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi +rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ +YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow +HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn +Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/ +AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG +BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl +cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy +bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy +dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ 
+aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA +lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6 +pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP +bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3 +OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn +R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc +SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf +FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO +s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc +6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV +idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH +MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU= +-----END CERTIFICATE----- diff --git a/cert/oneunivrs_key.pem b/cert/oneunivrs_key.pem new file mode 100644 index 0000000..562a9c1 --- /dev/null +++ b/cert/oneunivrs_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP06Uh4 +Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQETc2Tm +O1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1iS13 +Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5AHih +AJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7DmPJU +JnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABAoIBAHe8hIE2YZJP4noy +mdTj7fLXSwrOUpEQtREjhldXTodyE/rQkdb/W8A7EZ27MArO0vliwpDwrxRlaLSZ +jH/q9w1NJ0qtmo+GX9apIDvYcJmmsWkrk1m9KgOA8y4EjZ1r86zFTx9F4K8ZL3Xg +uTqhXFq6vO96pQhjQih4trWNoPnsSAecgp1WZ/xFNOp3cvKQT3yTIpBvLOfNK/TS +TW0IK189jcYH8rmh63kNFGrQVDIqxnFkOmephmurW2XLmh8ICzPSKeEi3PACgcCN +NOljhy5RuIBsde7MWnqawEa/ikuAonH+rQk4K2MDHEh+G1h40HTq3nxRq8CWwhCQ +7xujwikCgYEA+cObeeSoBPgJNZZlyGgVxv9FmviBPLeQ/0+MbJD1sbE8mTbSbdrg +RNjjCPdPw9zWFAO8qXyxgOKCsB2VnDu/jJJVhZDefKx+yQJShqNFsCWqRJiWoLmN +DNrfGhku4mL7Xmmx2zr6MEqk703YDwFsTk1cWDtPFc4a7pUMNV6YsMUCgYEA3lBM +Dm2YR6/Nbdn2sZO96NfPr5NLELfl4HFeciLKsKVrCU6AA+DcxBp8LANc5HAacUfO +Gpk5YeUUQGeHmFZzuf3lWkUHsyQHgNszp39bY8UTcEsoJkxe3zfxBXjZIIlnTx4M +peUnbh5d0niMluaLOjAxJIL1K1kVCipOGHueBW8CgYEAuTGTDPTAqL6JhZR47/pN +e3o4UEpG+ZBbERQY2T87DoCOoESIDzCl7iarYTCPknkiu0ByGXH948UQhinJj0i2 +JTMz+o+KiQMWF1GDg5V4zL2A3NAPkClFLuzzVFSr8OzX2g+g8x9t93TBizc7JxU1 +C3JNMJb5cv+Z9KHLpZ74tMkCgYAhPlChN7I1xgwqCRXip/0V/G+KCbSH43f0f/9n +gdxdXd8LnTl3WwCoMm2vBzG01y6dEee4AoGaKe9FUjXsicD0ZwsM3JWyLAkTM7Qd +r+WynZ2yhQqT74egSXU5JEETpHhWVF//zqx+wvu0pWIgjojzQpGWrB6NRNzokDrt +Xk7a8QKBgBNwM01teDQQ5y2KTbfWbP8UMvHJ19DPDiAU2ySZ7+ph6chc+uAjgD6J +Jxrf0aA9duROCkzOlsbpDTOsz91AD+OMmbOD3SGenhsEVLi52LwHPbPOVdfTJOGD +ug/YMPrS+dLdoqBfEDS3OqRIBmq+zMgFmt1vF540H44yOHzfBOOG +-----END RSA PRIVATE KEY----- diff --git a/cert/oneunivrs_key_pkcs8.pem b/cert/oneunivrs_key_pkcs8.pem new file mode 100644 index 0000000..bcfe158 --- /dev/null +++ b/cert/oneunivrs_key_pkcs8.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDY5fgocCi0pQQn +dodxndIDDSrfrgOMO5Drxiv9dt4aw/TpSHgeLiPtvFphIT+I49RFsi24925ikjXr +K5aiunjCeewkzRjzXKefNUfvBcUhARNzZOY7UGbqwf+cT/vTNNC+t6XbVvEOM1GO +vnaooz+mC1yPzuWM568T6ScyCUmQtjWJLXcrDPkSjUbKngYUgKMWqi8RNKzBTEoV +YKhXFRCLLc02yMtlhAZjlCxwE5HdxPkAeKEAnIVCK+GXQbsPh8G9fX36QrKu1Qcc +hyVUd9RElVnvycakkq65krB0HruHDsOY8lQmccsYkWyDqa/PN2oFBD0EzPKiIp+/ +raDAPn5rAgMBAAECggEAd7yEgTZhkk/iejKZ1OPt8tdLCs5SkRC1ESOGV1dOh3IT ++tCR1v9bwDsRnbswCs7S+WLCkPCvFGVotJmMf+r3DU0nSq2aj4Zf1qkgO9hwmaax +aSuTWb0qA4DzLgSNnWvzrMVPH0XgrxkvdeC5OqFcWrq873qlCGNCKHi2tY2g+exI +B5yCnVZn/EU06ndy8pBPfJMikG8s580r9NJNbQgrXz2NxgfyuaHreQ0UatBUMirG +cWQ6Z6mGa6tbZcuaHwgLM9Ip4SLc8AKBwI006WOHLlG4gGx17sxaeprARr+KS4Ci +cf6tCTgrYwMcSH4bWHjQdOrefFGrwJbCEJDvG6PCKQKBgQD5w5t55KgE+Ak1lmXI +aBXG/0Wa+IE8t5D/T4xskPWxsTyZNtJt2uBE2OMI90/D3NYUA7ypfLGA4oKwHZWc +O7+MklWFkN58rH7JAlKGo0WwJapEmJaguY0M2t8aGS7iYvteabHbOvowSqTvTdgP +AWxOTVxYO08VzhrulQw1XpiwxQKBgQDeUEwObZhHr81t2faxk73o18+vk0sQt+Xg +cV5yIsqwpWsJToAD4NzEGnwsA1zkcBpxR84amTlh5RRAZ4eYVnO5/eVaRQezJAeA +2zOnf1tjxRNwSygmTF7fN/EFeNkgiWdPHgyl5SduHl3SeIyW5os6MDEkgvUrWRUK +Kk4Ye54FbwKBgQC5MZMM9MCovomFlHjv+k17ejhQSkb5kFsRFBjZPzsOgI6gRIgP +MKXuJqthMI+SeSK7QHIZcf3jxRCGKcmPSLYlMzP6j4qJAxYXUYODlXjMvYDc0A+Q +KUUu7PNUVKvw7NfaD6DzH233dMGLNzsnFTULck0wlvly/5n0oculnvi0yQKBgCE+ +UKE3sjXGDCoJFeKn/RX8b4oJtIfjd/R//2eB3F1d3wudOXdbAKgyba8HMbTXLp0R +57gCgZop70VSNeyJwPRnCwzclbIsCRMztB2v5bKdnbKFCpPvh6BJdTkkQROkeFZU +X//OrH7C+7SlYiCOiPNCkZasHo1E3OiQOu1eTtrxAoGAE3AzTW14NBDnLYpNt9Zs +/xQy8cnX0M8OIBTbJJnv6mHpyFz64COAPoknGt/RoD125E4KTM6WxukNM6zP3UAP +44yZs4PdIZ6eGwRUuLnYvAc9s85V19Mk4YO6D9gw+tL50t2ioF8QNLc6pEgGar7M +yAWa3W8XnjQfjjI4fN8E44Y= +-----END PRIVATE KEY----- diff --git a/cert/root.pem b/cert/root.pem new file mode 100644 index 0000000..2795cf3 --- /dev/null +++ b/cert/root.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw +MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV +BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU +aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B +3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY +tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/ +Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2 +VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT +79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6 +c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT +Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l +c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee +UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE +Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd +BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF +Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO +VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3 +ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs +8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR +iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze +Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ +XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/ +qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB 
+VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB +L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG +jjxDah2nGN59PRbxYvnKkKj9 +-----END CERTIFICATE----- diff --git a/create_jwt.py b/create_jwt.py new file mode 100644 index 0000000..620327d --- /dev/null +++ b/create_jwt.py @@ -0,0 +1,26 @@ +# create_jwt.py +import jwt +import time +import base64 +# ★★★★★ 1단계에서 생성한 동일한 비밀 키를 сюда 붙여넣습니다 ★★★★★ +secret_key = "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=" + +secret_key_64 = base64.b64decode(secret_key) + +# 페이로드 데이터 정의 (이전과 동일) +payload = { + 'sub': 'admin', + 'roles': ['admin'], + 'exp': int(time.time()) + 3600, + 'iat': int(time.time()) +} + +# ★★★★★ JWT 생성 (알고리즘: HS256) ★★★★★ +token = jwt.encode( + payload, + secret_key_64, + algorithm='HS256' +) + +# 생성된 토큰 출력 +print(token) \ No newline at end of file diff --git a/opensearch-dashboards/certs/oneunivrs.pem b/opensearch-dashboards/certs/oneunivrs.pem new file mode 100644 index 0000000..4cdfb71 --- /dev/null +++ b/opensearch-dashboards/certs/oneunivrs.pem 
@@ -0,0 +1,74 @@ +-----BEGIN CERTIFICATE----- +MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB +lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD +EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy +dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE +BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s +THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0 +6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET +c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1 +iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5 +AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D +mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD +VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA +DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud +JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB +AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn +gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T +ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy +bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp +Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy +dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp +BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor +BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G +pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc +7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ +htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC +IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2 +PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h 
+qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy +QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ +KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp +3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1 +PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS +N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M +k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg +rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx +MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV +BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE +ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6 +YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q +9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x +on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h +fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi +rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ +YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow +HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn +Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/ +AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG +BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl +cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy +bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy +dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ 
+aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA +lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6 +pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP +bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3 +OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn +R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc +SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf +FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO +s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc +6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV +idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH +MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU= +-----END CERTIFICATE----- diff --git a/opensearch-dashboards/certs/oneunivrs_key.pem b/opensearch-dashboards/certs/oneunivrs_key.pem new file mode 100644 index 0000000..562a9c1 --- /dev/null +++ b/opensearch-dashboards/certs/oneunivrs_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP06Uh4 +Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQETc2Tm +O1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1iS13 +Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5AHih +AJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7DmPJU +JnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABAoIBAHe8hIE2YZJP4noy +mdTj7fLXSwrOUpEQtREjhldXTodyE/rQkdb/W8A7EZ27MArO0vliwpDwrxRlaLSZ +jH/q9w1NJ0qtmo+GX9apIDvYcJmmsWkrk1m9KgOA8y4EjZ1r86zFTx9F4K8ZL3Xg +uTqhXFq6vO96pQhjQih4trWNoPnsSAecgp1WZ/xFNOp3cvKQT3yTIpBvLOfNK/TS +TW0IK189jcYH8rmh63kNFGrQVDIqxnFkOmephmurW2XLmh8ICzPSKeEi3PACgcCN +NOljhy5RuIBsde7MWnqawEa/ikuAonH+rQk4K2MDHEh+G1h40HTq3nxRq8CWwhCQ +7xujwikCgYEA+cObeeSoBPgJNZZlyGgVxv9FmviBPLeQ/0+MbJD1sbE8mTbSbdrg +RNjjCPdPw9zWFAO8qXyxgOKCsB2VnDu/jJJVhZDefKx+yQJShqNFsCWqRJiWoLmN +DNrfGhku4mL7Xmmx2zr6MEqk703YDwFsTk1cWDtPFc4a7pUMNV6YsMUCgYEA3lBM +Dm2YR6/Nbdn2sZO96NfPr5NLELfl4HFeciLKsKVrCU6AA+DcxBp8LANc5HAacUfO +Gpk5YeUUQGeHmFZzuf3lWkUHsyQHgNszp39bY8UTcEsoJkxe3zfxBXjZIIlnTx4M +peUnbh5d0niMluaLOjAxJIL1K1kVCipOGHueBW8CgYEAuTGTDPTAqL6JhZR47/pN +e3o4UEpG+ZBbERQY2T87DoCOoESIDzCl7iarYTCPknkiu0ByGXH948UQhinJj0i2 +JTMz+o+KiQMWF1GDg5V4zL2A3NAPkClFLuzzVFSr8OzX2g+g8x9t93TBizc7JxU1 +C3JNMJb5cv+Z9KHLpZ74tMkCgYAhPlChN7I1xgwqCRXip/0V/G+KCbSH43f0f/9n +gdxdXd8LnTl3WwCoMm2vBzG01y6dEee4AoGaKe9FUjXsicD0ZwsM3JWyLAkTM7Qd +r+WynZ2yhQqT74egSXU5JEETpHhWVF//zqx+wvu0pWIgjojzQpGWrB6NRNzokDrt +Xk7a8QKBgBNwM01teDQQ5y2KTbfWbP8UMvHJ19DPDiAU2ySZ7+ph6chc+uAjgD6J +Jxrf0aA9duROCkzOlsbpDTOsz91AD+OMmbOD3SGenhsEVLi52LwHPbPOVdfTJOGD +ug/YMPrS+dLdoqBfEDS3OqRIBmq+zMgFmt1vF540H44yOHzfBOOG +-----END RSA PRIVATE KEY----- diff --git a/opensearch-dashboards/certs/root.pem b/opensearch-dashboards/certs/root.pem new file mode 100644 index 0000000..2795cf3 --- /dev/null +++ b/opensearch-dashboards/certs/root.pem 
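Review bot: an unencrypted private key is being committed in opensearch-dashboards/certs/oneunivrs_key.pem, and it is the key of the publicly trusted wildcard certificate: the modulus in the `-----BEGIN RSA PRIVATE KEY-----` block (`...AoIBAQDY5fgo...` / `2OX4KHAotKUEJ3aHcZ3SAw0q364D...`) is byte-for-byte the public key carried by the `CN=*.oneunivrs.com` leaf in oneunivrs.pem. Once this is pushed the key has to be treated as compromised no matter who can read the repository: revoke the certificate with the issuing CA, reissue on a freshly generated key, and purge the blob from history (for example `git filter-repo --invert-paths --path opensearch-dashboards/certs/oneunivrs_key.pem`) rather than deleting it in a later commit, which leaves it reachable from old revisions. The file is also added as mode 100644, i.e. world-readable when checked out; on the hosts it should be 0600 and owned by the service user. Keep `*_key*.pem` in .gitignore and track only the public chain (oneunivrs.pem) and root.pem here.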
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw +MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV +BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU +aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B +3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY +tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/ +Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2 +VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT +79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6 +c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT +Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l +c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee +UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE +Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd +BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF +Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO +VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3 +ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs +8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR +iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze +Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ +XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/ +qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB 
+VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB +L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG +jjxDah2nGN59PRbxYvnKkKj9 +-----END CERTIFICATE----- diff --git a/opensearch-dashboards/node.options b/opensearch-dashboards/node.options new file mode 100644 index 0000000..fa07baf --- /dev/null +++ b/opensearch-dashboards/node.options @@ -0,0 +1,9 @@ +## Node command line options +## See `node --help` and `node --v8-options` for available options +## Please note you should specify one option per line + +## max size of old space in megabytes +#--max-old-space-size=4096 + +## max size of semi space in megabytes +#--max-semi-space-size=64 diff --git a/opensearch-dashboards/opensearch_dashboards.yml b/opensearch-dashboards/opensearch_dashboards.yml new file mode 100644 index 0000000..76c1053 --- /dev/null +++ b/opensearch-dashboards/opensearch_dashboards.yml 
@@ -0,0 +1,47 @@ +# ================= DUAL USE: DO NOT EDIT ================= +# OpenSearch Dashboards가 사용할 포트. 기본값 5601. +server.port: 5601 + +# 외부에서 접속할 수 있도록 모든 네트워크 인터페이스에서 리슨. +server.host: "0.0.0.0" + +# 브라우저에 표시될 대시보드 서버 이름. +server.name: "oneunivrs-opensearch-dashboards" + +# 연결할 OpenSearch 클러스터 노드 목록. (HTTPS 필수) +# 고가용성을 위해 3개 노드를 모두 기재. +#opensearch.hosts: +# - https://ds-osearch001.oneunivrs.com:9200 +# - https://ds-osearch002.oneunivrs.com:9200 +# - https://ds-osearch003.oneunivrs.com:9200 +# [원상 복구] LB의 대표 주소 하나만 사용하되, https로 변경 +opensearch.hosts: ["https://ds-opensearch.oneunivrs.com:9200"] + +# 인증 관련 헤더를 허용 목록에 추가. +opensearch.requestHeadersWhitelist: [ "securitytenant", "authorization" ] + +# 대시보드와 브라우저 간 통신을 HTTPS로 암호화. +server.ssl.enabled: true +server.ssl.certificate: /etc/opensearch-dashboards/certs/oneunivrs.pem +server.ssl.key: /etc/opensearch-dashboards/certs/oneunivrs_key.pem + +# 대시보드가 OpenSearch 클러스터와 통신 시 SSL/TLS 설정. +opensearch.ssl: + verificationMode: full + # 서버 인증서 검증에 사용할 CA 루트 인증서. + certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ] + +# OpenSearch 클러스터에 접속할 서비스 계정. +# 보안상 admin 대신 기본 제공되는 kibanaserver 계정 사용을 권장. +# (kibanaserver 계정의 기본 PW는 계정명과 동일) +opensearch.username: "kibanaserver" +opensearch.password: "mY9!lytaVBkX" + +# OpenSearch Security 플러그인과 연동 설정. +opensearch_security: + # 멀티 테넌시 기능 활성화. + multitenancy.enabled: true + # 로그인하지 않은 사용자는 접속 불가. + auth.anonymous_auth_enabled: false + # 쿠키의 비밀번호. 임의의 긴 문자열로 변경하는 것을 권장. + cookie.password: "ChpPaDg2agzDD2czacgdAgivjXh1JSOPZuz+EhF3jDg=" diff --git a/opensearch-dashboards/opensearch_dashboards.yml.bak b/opensearch-dashboards/opensearch_dashboards.yml.bak new file mode 100644 index 0000000..c6e9c6c --- /dev/null +++ b/opensearch-dashboards/opensearch_dashboards.yml.bak 
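Review bot: opensearch_dashboards.yml lands with two live secrets in the clear, `opensearch.password: "mY9!lytaVBkX"` for the kibanaserver service account and `opensearch_security.cookie.password: "ChpPaDg2agzDD2czacgdAgivjXh1JSOPZuz+EhF3jDg="` for session cookie encryption; both are now in git history and should be rotated, and the tracked file should not carry them at all. Put `opensearch.password` in the Dashboards keystore (`bin/opensearch-dashboards-keystore add opensearch.password`) or inject both values at deploy time, leaving placeholders in the repository copy. One more point in the same hunk: `server.ssl.enabled: true` is set but `opensearch_security.cookie.secure` is not, so add `opensearch_security.cookie.secure: true` explicitly to guarantee the session cookie is never sent over plain HTTP, and drop the comment advertising that the kibanaserver default password equals the account name, which is exactly the kind of hint an attacker reading this repo wants.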
@@ -0,0 +1,233 @@ +--- +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 + +# Description: +# Default configuration for OpenSearch Dashboards + +# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use. +# server.port: 5601 + +# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values. +# The default is 'localhost', which usually means remote machines will not be able to connect. +# To allow connections from remote users, set this parameter to a non-loopback address. +# server.host: "localhost" + +# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy. +# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath +# from requests it receives, and to prevent a deprecation warning at startup. +# This setting cannot end in a slash. +# server.basePath: "" + +# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with +# `server.basePath` or require that they are rewritten by your reverse proxy. +# server.rewriteBasePath: false + +# The maximum payload size in bytes for incoming server requests. +# server.maxPayloadBytes: 1048576 + +# The OpenSearch Dashboards server's name. This is used for display purposes. +# server.name: "your-hostname" + +# The URLs of the OpenSearch instances to use for all your queries. +# opensearch.hosts: ["http://localhost:9200"] + +# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and +# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist. +# opensearchDashboards.index: ".opensearch_dashboards" + +# The default application to load. +# opensearchDashboards.defaultAppId: "home" + +# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck. 
+# This settings should be used for large clusters or for clusters with ingest heavy nodes. +# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes. +# +# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting +# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up +# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id: +# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here +# opensearch.optimizedHealthcheckId: "cluster_id" + +# If your OpenSearch is protected with basic authentication, these settings provide +# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards +# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which +# is proxied through the OpenSearch Dashboards server. +# opensearch.username: "opensearch_dashboards_system" +# opensearch.password: "pass" + +# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. +# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser. +# server.ssl.enabled: false +# server.ssl.certificate: /path/to/your/server.crt +# server.ssl.key: /path/to/your/server.key + +# Optional settings that provide the paths to the PEM-format SSL certificate and key files. +# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when +# xpack.security.http.ssl.client_authentication in OpenSearch is set to required. 
+# opensearch.ssl.certificate: /path/to/your/client.crt +# opensearch.ssl.key: /path/to/your/client.key + +# Optional setting that enables you to specify a path to the PEM file for the certificate +# authority for your OpenSearch instance. +# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] + +# To disregard the validity of SSL certificates, change this setting's value to 'none'. +# opensearch.ssl.verificationMode: full + +# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of +# the opensearch.requestTimeout setting. +# opensearch.pingTimeout: 1500 + +# Time in milliseconds to wait for responses from the back end or OpenSearch. This value +# must be a positive integer. +# opensearch.requestTimeout: 30000 + +# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side +# headers, set this value to [] (an empty list). +# opensearch.requestHeadersWhitelist: [ authorization ] + +# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten +# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration. +# opensearch.customHeaders: {} + +# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable. +# opensearch.shardTimeout: 30000 + +# Logs queries sent to OpenSearch. Requires logging.verbose set to true. +# opensearch.logQueries: false + +# Specifies the path where OpenSearch Dashboards creates the process ID file. +# pid.file: /var/run/opensearchDashboards.pid + +# Enables you to specify a file where OpenSearch Dashboards stores log output. +# logging.dest: stdout + +# 2.15 Ignore 'ENOSPC' error for logging stream. +# When set to true, the 'ENOSPC' error message will not cause the OpenSearch Dashboards process to crash. Otherwise, +# the original behavior will be maintained. It is disabled by default. 
+# logging.ignoreEnospcError: false + +# Set the value of this setting to true to suppress all logging output. +# logging.silent: false + +# Set the value of this setting to true to suppress all logging output other than error messages. +# logging.quiet: false + +# Set the value of this setting to true to log all events, including system usage information +# and all requests. +# logging.verbose: false + +# Set the interval in milliseconds to sample system and process performance +# metrics. Minimum is 100ms. Defaults to 5000. +# ops.interval: 5000 + +# Specifies locale to be used for all localizable strings, dates and number formats. +# Supported languages are the following: English - en , by default , Chinese - zh-CN . +# i18n.locale: "en" + +# Set the allowlist to check input graphite Url. Allowlist is the default check list. +# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'] + +# Set the blocklist to check input graphite Url. Blocklist is an IP list. 
+# Below is an example for reference +# vis_type_timeline.graphiteBlockedIPs: [ +# //Loopback +# '127.0.0.0/8', +# '::1/128', +# //Link-local Address for IPv6 +# 'fe80::/10', +# //Private IP address for IPv4 +# '10.0.0.0/8', +# '172.16.0.0/12', +# '192.168.0.0/16', +# //Unique local address (ULA) +# 'fc00::/7', +# //Reserved IP address +# '0.0.0.0/8', +# '100.64.0.0/10', +# '192.0.0.0/24', +# '192.0.2.0/24', +# '198.18.0.0/15', +# '192.88.99.0/24', +# '198.51.100.0/24', +# '203.0.113.0/24', +# '224.0.0.0/4', +# '240.0.0.0/4', +# '255.255.255.255/32', +# '::/128', +# '2001:db8::/32', +# 'ff00::/8', +# ] +# vis_type_timeline.graphiteBlockedIPs: [] + +# opensearchDashboards.branding: +# logo: +# defaultUrl: "" +# darkModeUrl: "" +# mark: +# defaultUrl: "" +# darkModeUrl: "" +# loadingLogo: +# defaultUrl: "" +# darkModeUrl: "" +# faviconUrl: "" +# applicationTitle: "" + +# Set the value of this setting to true to capture region blocked warnings and errors +# for your map rendering services. +# map.showRegionBlockedWarning: false% + +# Set the value of this setting to false to suppress search usage telemetry +# for reducing the load of OpenSearch cluster. +# data.search.usageTelemetry.enabled: false + +# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false' +# Set the value of this setting to false to disable VisBuilder +# functionality in Visualization. +# vis_builder.enabled: false + +# 2.4 New Experimental Feature +# Set the value of this setting to true to enable the experimental multiple data source +# support feature. Use with caution. +# data_source.enabled: false +# Set the value of these settings to customize crypto materials to encryption saved credentials +# in data sources. 
+# data_source.encryption.wrappingKeyName: 'changeme' +# data_source.encryption.wrappingKeyNamespace: 'changeme' +# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + +# 2.6 New ML Commons Dashboards Feature +# Set the value of this setting to true to enable the ml commons dashboards +# ml_commons_dashboards.enabled: false + +# 2.12 New Experimental Assistant Dashboards Feature +# Set the value of this setting to true to enable the assistant dashboards +# assistant.chat.enabled: false + +# 2.13 New Query Assistant Feature +# Set the value of this setting to false to disable the query assistant +# observability.query_assist.enabled: false + +# 2.14 Enable Ui Metric Collectors in Usage Collector +# Set the value of this setting to true to enable UI Metric collections +# usageCollection.uiMetric.enabled: false + +# 2.18 New Experimental Settings +# Set the value to true to enable +# assistant.alertInsight.enabled: false +# assistant.smartAnomalyDetector.enabled: false +# assistant.text2viz.enabled: false +# queryEnhancements.queryAssist.summary.enabled: false + +opensearch.hosts: [https://localhost:9200] +opensearch.ssl.verificationMode: none +opensearch.username: kibanaserver +opensearch.password: kibanaserver +opensearch.requestHeadersWhitelist: [authorization, securitytenant] + +opensearch_security.multitenancy.enabled: true +opensearch_security.multitenancy.tenants.preferred: [Private, Global] +opensearch_security.readonly_mode.roles: [kibana_read_only] +# Use this setting if you are running opensearch-dashboards without https +opensearch_security.cookie.secure: false diff --git a/opensearch/certs/oneunivrs.pem b/opensearch/certs/oneunivrs.pem new file mode 100644 index 0000000..4a8e588 --- /dev/null +++ b/opensearch/certs/oneunivrs.pem 
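Review bot: opensearch_dashboards.yml.bak should not be in the commit at all. It is the stock upstream template plus the first-run settings appended at the bottom, and those are precisely the ones that must never come back: `opensearch.ssl.verificationMode: none` (no server certificate validation toward the cluster), `opensearch.username: kibanaserver` / `opensearch.password: kibanaserver` (the well-known default credential) and `opensearch_security.cookie.secure: false`. A backup that can be copied over the live config by mistake is a regression waiting to happen; remove it from the repository and add `*.bak` to .gitignore. If the intent is to keep the upstream defaults for reference, keep only the commented template part and strip the active settings block.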
@@ -0,0 +1,75 @@ +-----BEGIN CERTIFICATE----- +MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB +lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD +EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy +dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE +BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s +THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0 +6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET +c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1 +iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5 +AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D +mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD +VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA +DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud +JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB +AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn +gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T +ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy +bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp +Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy +dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp +BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor +BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G +pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc +7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ +htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC +IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2 +PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h 
+qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy +QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ +KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp +3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1 +PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS +N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M +k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg +rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx +MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV +BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE +ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6 +YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q +9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x +on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h +fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi +rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ +YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow +HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn +Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/ +AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG +BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl +cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy +bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy +dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ 
+aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA +lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6 +pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP +bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3 +OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn +R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc +SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf +FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO +s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc +6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV +idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH +MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU= +-----END CERTIFICATE----- + diff --git a/opensearch/certs/oneunivrs_key.p8.pem b/opensearch/certs/oneunivrs_key.p8.pem new file mode 100644 index 0000000..bcfe158 --- /dev/null +++ b/opensearch/certs/oneunivrs_key.p8.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDY5fgocCi0pQQn +dodxndIDDSrfrgOMO5Drxiv9dt4aw/TpSHgeLiPtvFphIT+I49RFsi24925ikjXr +K5aiunjCeewkzRjzXKefNUfvBcUhARNzZOY7UGbqwf+cT/vTNNC+t6XbVvEOM1GO +vnaooz+mC1yPzuWM568T6ScyCUmQtjWJLXcrDPkSjUbKngYUgKMWqi8RNKzBTEoV +YKhXFRCLLc02yMtlhAZjlCxwE5HdxPkAeKEAnIVCK+GXQbsPh8G9fX36QrKu1Qcc +hyVUd9RElVnvycakkq65krB0HruHDsOY8lQmccsYkWyDqa/PN2oFBD0EzPKiIp+/ +raDAPn5rAgMBAAECggEAd7yEgTZhkk/iejKZ1OPt8tdLCs5SkRC1ESOGV1dOh3IT ++tCR1v9bwDsRnbswCs7S+WLCkPCvFGVotJmMf+r3DU0nSq2aj4Zf1qkgO9hwmaax +aSuTWb0qA4DzLgSNnWvzrMVPH0XgrxkvdeC5OqFcWrq873qlCGNCKHi2tY2g+exI +B5yCnVZn/EU06ndy8pBPfJMikG8s580r9NJNbQgrXz2NxgfyuaHreQ0UatBUMirG +cWQ6Z6mGa6tbZcuaHwgLM9Ip4SLc8AKBwI006WOHLlG4gGx17sxaeprARr+KS4Ci +cf6tCTgrYwMcSH4bWHjQdOrefFGrwJbCEJDvG6PCKQKBgQD5w5t55KgE+Ak1lmXI +aBXG/0Wa+IE8t5D/T4xskPWxsTyZNtJt2uBE2OMI90/D3NYUA7ypfLGA4oKwHZWc +O7+MklWFkN58rH7JAlKGo0WwJapEmJaguY0M2t8aGS7iYvteabHbOvowSqTvTdgP +AWxOTVxYO08VzhrulQw1XpiwxQKBgQDeUEwObZhHr81t2faxk73o18+vk0sQt+Xg +cV5yIsqwpWsJToAD4NzEGnwsA1zkcBpxR84amTlh5RRAZ4eYVnO5/eVaRQezJAeA +2zOnf1tjxRNwSygmTF7fN/EFeNkgiWdPHgyl5SduHl3SeIyW5os6MDEkgvUrWRUK +Kk4Ye54FbwKBgQC5MZMM9MCovomFlHjv+k17ejhQSkb5kFsRFBjZPzsOgI6gRIgP +MKXuJqthMI+SeSK7QHIZcf3jxRCGKcmPSLYlMzP6j4qJAxYXUYODlXjMvYDc0A+Q +KUUu7PNUVKvw7NfaD6DzH233dMGLNzsnFTULck0wlvly/5n0oculnvi0yQKBgCE+ +UKE3sjXGDCoJFeKn/RX8b4oJtIfjd/R//2eB3F1d3wudOXdbAKgyba8HMbTXLp0R +57gCgZop70VSNeyJwPRnCwzclbIsCRMztB2v5bKdnbKFCpPvh6BJdTkkQROkeFZU +X//OrH7C+7SlYiCOiPNCkZasHo1E3OiQOu1eTtrxAoGAE3AzTW14NBDnLYpNt9Zs +/xQy8cnX0M8OIBTbJJnv6mHpyFz64COAPoknGt/RoD125E4KTM6WxukNM6zP3UAP +44yZs4PdIZ6eGwRUuLnYvAc9s85V19Mk4YO6D9gw+tL50t2ioF8QNLc6pEgGar7M +yAWa3W8XnjQfjjI4fN8E44Y= +-----END PRIVATE KEY----- diff --git a/opensearch/certs/oneunivrs_key.pem b/opensearch/certs/oneunivrs_key.pem new file mode 100644 index 0000000..562a9c1 --- /dev/null +++ b/opensearch/certs/oneunivrs_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP06Uh4 +Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQETc2Tm +O1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1iS13 +Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5AHih +AJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7DmPJU +JnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABAoIBAHe8hIE2YZJP4noy +mdTj7fLXSwrOUpEQtREjhldXTodyE/rQkdb/W8A7EZ27MArO0vliwpDwrxRlaLSZ +jH/q9w1NJ0qtmo+GX9apIDvYcJmmsWkrk1m9KgOA8y4EjZ1r86zFTx9F4K8ZL3Xg +uTqhXFq6vO96pQhjQih4trWNoPnsSAecgp1WZ/xFNOp3cvKQT3yTIpBvLOfNK/TS +TW0IK189jcYH8rmh63kNFGrQVDIqxnFkOmephmurW2XLmh8ICzPSKeEi3PACgcCN +NOljhy5RuIBsde7MWnqawEa/ikuAonH+rQk4K2MDHEh+G1h40HTq3nxRq8CWwhCQ +7xujwikCgYEA+cObeeSoBPgJNZZlyGgVxv9FmviBPLeQ/0+MbJD1sbE8mTbSbdrg +RNjjCPdPw9zWFAO8qXyxgOKCsB2VnDu/jJJVhZDefKx+yQJShqNFsCWqRJiWoLmN +DNrfGhku4mL7Xmmx2zr6MEqk703YDwFsTk1cWDtPFc4a7pUMNV6YsMUCgYEA3lBM +Dm2YR6/Nbdn2sZO96NfPr5NLELfl4HFeciLKsKVrCU6AA+DcxBp8LANc5HAacUfO +Gpk5YeUUQGeHmFZzuf3lWkUHsyQHgNszp39bY8UTcEsoJkxe3zfxBXjZIIlnTx4M +peUnbh5d0niMluaLOjAxJIL1K1kVCipOGHueBW8CgYEAuTGTDPTAqL6JhZR47/pN +e3o4UEpG+ZBbERQY2T87DoCOoESIDzCl7iarYTCPknkiu0ByGXH948UQhinJj0i2 +JTMz+o+KiQMWF1GDg5V4zL2A3NAPkClFLuzzVFSr8OzX2g+g8x9t93TBizc7JxU1 +C3JNMJb5cv+Z9KHLpZ74tMkCgYAhPlChN7I1xgwqCRXip/0V/G+KCbSH43f0f/9n +gdxdXd8LnTl3WwCoMm2vBzG01y6dEee4AoGaKe9FUjXsicD0ZwsM3JWyLAkTM7Qd +r+WynZ2yhQqT74egSXU5JEETpHhWVF//zqx+wvu0pWIgjojzQpGWrB6NRNzokDrt +Xk7a8QKBgBNwM01teDQQ5y2KTbfWbP8UMvHJ19DPDiAU2ySZ7+ph6chc+uAjgD6J +Jxrf0aA9duROCkzOlsbpDTOsz91AD+OMmbOD3SGenhsEVLi52LwHPbPOVdfTJOGD +ug/YMPrS+dLdoqBfEDS3OqRIBmq+zMgFmt1vF540H44yOHzfBOOG +-----END RSA PRIVATE KEY----- diff --git a/opensearch/certs/root.pem b/opensearch/certs/root.pem new file mode 100644 index 0000000..2795cf3 --- /dev/null +++ b/opensearch/certs/root.pem 
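Review bot: opensearch/certs/oneunivrs_key.pem and opensearch/certs/oneunivrs_key.p8.pem are the same private key committed twice more, in PKCS#1 (`BEGIN RSA PRIVATE KEY`) and PKCS#8 (`BEGIN PRIVATE KEY`) encodings; the PKCS#1 file even has the same blob hash (`index 0000000..562a9c1`) as the copy under opensearch-dashboards/certs, so this one wildcard key now appears three times in the tree. The security plugin's `plugins.security.ssl.*.pemkey_filepath` settings expect PKCS#8, so `oneunivrs_key.p8.pem` is the only file OpenSearch will read; drop the PKCS#1 copy from this directory, and apply the same remediation as for the Dashboards copy: revoke and reissue the certificate, rewrite history so that all three key blobs are gone, and keep key material out of the repository from now on. Note also that both files arrive as mode 100644; the p8 file the node actually uses should be 0600 and owned by the opensearch user.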
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw +MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV +BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU +aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B +3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY +tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/ +Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2 +VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT +79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6 +c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT +Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l +c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee +UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE +Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd +BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF +Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO +VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3 +ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs +8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR +iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze +Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ +XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/ +qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB 
+VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB +L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG +jjxDah2nGN59PRbxYvnKkKj9 +-----END CERTIFICATE----- diff --git a/opensearch/fips_java.security b/opensearch/fips_java.security new file mode 100644 index 0000000..674fbe5 --- /dev/null +++ b/opensearch/fips_java.security @@ -0,0 +1,10 @@ +# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in approved-only mode +# Intended to be used complementary with a single equal sign e.g. 'java.security.properties=fips_java.security' + +security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All}; +security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS +security.provider.3=SUN +security.provider.4=SunJGSS + +ssl.KeyManagerFactory.algorithm=PKIX +ssl.TrustManagerFactory.algorithm=PKIX diff --git a/opensearch/jvm.options b/opensearch/jvm.options new file mode 100644 index 0000000..1f7b4e3 --- /dev/null +++ b/opensearch/jvm.options 
@@ -0,0 +1,98 @@ +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://opensearch.org/docs/opensearch/install/important-settings/ +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +#-Xms1g +#-Xmx1g + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +8-10:-XX:+UseConcMarkSweepGC +8-10:-XX:CMSInitiatingOccupancyFraction=75 +8-10:-XX:+UseCMSInitiatingOccupancyOnly + +## G1GC Configuration +# NOTE: G1GC is the default GC for all JDKs 11 and newer +11-:-XX:+UseG1GC +# See https://github.com/elastic/elasticsearch/pull/46169 for the history +# behind these settings, but the tl;dr is that default values can lead +# to situations where heap usage grows enough to trigger a circuit breaker +# before GC kicks in. 
+11-:-XX:G1ReservePercent=25 +11-:-XX:InitiatingHeapOccupancyPercent=30 + +## JVM temporary directory +-Djava.io.tmpdir=${OPENSEARCH_TMPDIR} + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps; ensure the directory exists and +# has sufficient space +-XX:HeapDumpPath=/var/lib/opensearch + +# specify an alternative path for JVM fatal error logs +-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log + +## JDK 8 GC logging +8:-XX:+PrintGCDetails +8:-XX:+PrintGCDateStamps +8:-XX:+PrintTenuringDistribution +8:-XX:+PrintGCApplicationStoppedTime +8:-Xloggc:/var/log/opensearch/gc.log +8:-XX:+UseGCLogFileRotation +8:-XX:NumberOfGCLogFiles=32 +8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/opensearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m + +# JDK 20+ Incubating Vector Module for SIMD optimizations; +# disabling may reduce performance on vector optimized lucene +20-:--add-modules=jdk.incubator.vector + +# See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283) +23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache +23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached + +21-:-javaagent:agent/opensearch-agent.jar +21-:--add-opens=java.base/java.nio=org.apache.arrow.memory.core,ALL-UNNAMED + +## OpenSearch Performance Analyzer +-Dclk.tck=100 +-Djdk.attach.allowAttachSelf=true +-Djava.security.policy=file:///etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy +--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED + +# Set heap size to 31GB +-Xms31g +-Xmx31g diff --git a/opensearch/log4j2.properties b/opensearch/log4j2.properties new file mode 100644 index 0000000..d040afa --- /dev/null +++ b/opensearch/log4j2.properties 
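Review bot: the `-Xms31g` / `-Xmx31g` appended at the bottom of jvm.options is the conventional just-under-32 GB sizing that keeps compressed object pointers, but it changes the meaning of two lines kept from the defaults above it: `-XX:+HeapDumpOnOutOfMemoryError` together with `-XX:HeapDumpPath=/var/lib/opensearch` will now attempt to write a heap-sized (~31 GB) dump into the package's default directory on every OOM, which can fill that filesystem and stall the node, and the dump itself contains indexed document contents and whatever credentials were in memory at the time. Either point HeapDumpPath at a volume with room for at least one full dump and restrict that directory to the opensearch user, or disable the dump on production nodes. A smaller tidiness point: with the real heap settings at the end of the file, the commented `#-Xms1g` / `#-Xmx1g` placeholders near the top are misleading; replace them with the real values or a comment that says where the heap is set.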
@@ -0,0 +1,275 @@ +# +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. +# +# Modifications Copyright OpenSearch Contributors. See +# GitHub history for details. +# + +status = error + +appender.console.type = Console +appender.console.name = console +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +######## Server JSON ############################ +appender.rolling.type = RollingFile +appender.rolling.name = rolling +appender.rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_server.json +appender.rolling.filePermissions = rw-r----- +appender.rolling.layout.type = OpenSearchJsonLayout +appender.rolling.layout.type_name = server + +appender.rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz +appender.rolling.policies.type = Policies +appender.rolling.policies.time.type = TimeBasedTriggeringPolicy +appender.rolling.policies.time.interval = 1 +appender.rolling.policies.time.modulate = true +appender.rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.rolling.policies.size.size = 128MB +appender.rolling.strategy.type = DefaultRolloverStrategy +appender.rolling.strategy.fileIndex = nomax +appender.rolling.strategy.action.type = Delete +appender.rolling.strategy.action.basepath = ${sys:opensearch.logs.base_path} +appender.rolling.strategy.action.condition.type = IfFileName +appender.rolling.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-* +appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize +appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB +################################################ +######## 
Server - old style pattern ########### +appender.rolling_old.type = RollingFile +appender.rolling_old.name = rolling_old +appender.rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}.log +appender.rolling_old.filePermissions = rw-r----- +appender.rolling_old.layout.type = PatternLayout +appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz +appender.rolling_old.policies.type = Policies +appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy +appender.rolling_old.policies.time.interval = 1 +appender.rolling_old.policies.time.modulate = true +appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.rolling_old.policies.size.size = 128MB +appender.rolling_old.strategy.type = DefaultRolloverStrategy +appender.rolling_old.strategy.fileIndex = nomax +appender.rolling_old.strategy.action.type = Delete +appender.rolling_old.strategy.action.basepath = ${sys:opensearch.logs.base_path} +appender.rolling_old.strategy.action.condition.type = IfFileName +appender.rolling_old.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-* +appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize +appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB +################################################ + +rootLogger.level = info +rootLogger.appenderRef.console.ref = console +rootLogger.appenderRef.rolling.ref = rolling +rootLogger.appenderRef.rolling_old.ref = rolling_old + +######## Deprecation JSON ####################### +appender.deprecation_rolling.type = RollingFile +appender.deprecation_rolling.name = deprecation_rolling +appender.deprecation_rolling.fileName = 
${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.json +appender.deprecation_rolling.filePermissions = rw-r----- +appender.deprecation_rolling.layout.type = OpenSearchJsonLayout +appender.deprecation_rolling.layout.type_name = deprecation +appender.deprecation_rolling.layout.opensearchmessagefields=x-opaque-id +appender.deprecation_rolling.filter.rate_limit.type = RateLimitingFilter + +appender.deprecation_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation-%i.json.gz +appender.deprecation_rolling.policies.type = Policies +appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.deprecation_rolling.policies.size.size = 1GB +appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy +appender.deprecation_rolling.strategy.max = 4 + +appender.header_warning.type = HeaderWarningAppender +appender.header_warning.name = header_warning +################################################# +######## Deprecation - old style pattern ####### +appender.deprecation_rolling_old.type = RollingFile +appender.deprecation_rolling_old.name = deprecation_rolling_old +appender.deprecation_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.log +appender.deprecation_rolling_old.filePermissions = rw-r----- +appender.deprecation_rolling_old.layout.type = PatternLayout +appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.deprecation_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _deprecation-%i.log.gz +appender.deprecation_rolling_old.policies.type = Policies +appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.deprecation_rolling_old.policies.size.size = 1GB 
+appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy +appender.deprecation_rolling_old.strategy.max = 4 +################################################# +logger.deprecation.name = org.opensearch.deprecation +logger.deprecation.level = deprecation +logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling +logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old +logger.deprecation.appenderRef.header_warning.ref = header_warning +logger.deprecation.additivity = false + +######## Search Request Slowlog JSON #################### +appender.search_request_slowlog_json_appender.type = RollingFile +appender.search_request_slowlog_json_appender.name = search_request_slowlog_json_appender +appender.search_request_slowlog_json_appender.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\ + .cluster_name}_index_search_slowlog.json +appender.search_request_slowlog_json_appender.filePermissions = rw-r----- +appender.search_request_slowlog_json_appender.layout.type = OpenSearchJsonLayout +appender.search_request_slowlog_json_appender.layout.type_name = search_request_slowlog +appender.search_request_slowlog_json_appender.layout.opensearchmessagefields=message,took,took_millis,phase_took,total_hits,search_type,shards,source,id + +appender.search_request_slowlog_json_appender.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\ + .cluster_name}_index_search_slowlog-%i.json.gz +appender.search_request_slowlog_json_appender.policies.type = Policies +appender.search_request_slowlog_json_appender.policies.size.type = SizeBasedTriggeringPolicy +appender.search_request_slowlog_json_appender.policies.size.size = 1GB +appender.search_request_slowlog_json_appender.strategy.type = DefaultRolloverStrategy +appender.search_request_slowlog_json_appender.strategy.max = 4 +################################################# +######## Search Request Slowlog 
Log File - old style pattern #### +appender.search_request_slowlog_log_appender.type = RollingFile +appender.search_request_slowlog_log_appender.name = search_request_slowlog_log_appender +appender.search_request_slowlog_log_appender.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_search_slowlog.log +appender.search_request_slowlog_log_appender.filePermissions = rw-r----- +appender.search_request_slowlog_log_appender.layout.type = PatternLayout +appender.search_request_slowlog_log_appender.layout.pattern = [%d{ISO8601}][%-5p][%c{1.}] [%node_name]%marker %m%n + +appender.search_request_slowlog_log_appender.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_search_slowlog-%i.log.gz +appender.search_request_slowlog_log_appender.policies.type = Policies +appender.search_request_slowlog_log_appender.policies.size.type = SizeBasedTriggeringPolicy +appender.search_request_slowlog_log_appender.policies.size.size = 1GB +appender.search_request_slowlog_log_appender.strategy.type = DefaultRolloverStrategy +appender.search_request_slowlog_log_appender.strategy.max = 4 +################################################# +logger.search_request_slowlog_logger.name = cluster.search.request.slowlog +logger.search_request_slowlog_logger.level = trace +logger.search_request_slowlog_logger.appenderRef.search_request_slowlog_json_appender.ref = search_request_slowlog_json_appender +logger.search_request_slowlog_logger.appenderRef.search_request_slowlog_log_appender.ref = search_request_slowlog_log_appender +logger.search_request_slowlog_logger.additivity = false + +######## Search slowlog JSON #################### +appender.index_search_slowlog_rolling.type = RollingFile +appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling +appender.index_search_slowlog_rolling.fileName = 
${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\ + .cluster_name}_index_search_slowlog.json +appender.index_search_slowlog_rolling.filePermissions = rw-r----- +appender.index_search_slowlog_rolling.layout.type = OpenSearchJsonLayout +appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog +appender.index_search_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id + +appender.index_search_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\ + .cluster_name}_index_search_slowlog-%i.json.gz +appender.index_search_slowlog_rolling.policies.type = Policies +appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.index_search_slowlog_rolling.policies.size.size = 1GB +appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy +appender.index_search_slowlog_rolling.strategy.max = 4 +################################################# +######## Search slowlog - old style pattern #### +appender.index_search_slowlog_rolling_old.type = RollingFile +appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old +appender.index_search_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_search_slowlog.log +appender.index_search_slowlog_rolling_old.filePermissions = rw-r----- +appender.index_search_slowlog_rolling_old.layout.type = PatternLayout +appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.index_search_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_search_slowlog-%i.log.gz +appender.index_search_slowlog_rolling_old.policies.type = Policies 
+appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.index_search_slowlog_rolling_old.policies.size.size = 1GB +appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy +appender.index_search_slowlog_rolling_old.strategy.max = 4 +################################################# +logger.index_search_slowlog_rolling.name = index.search.slowlog +logger.index_search_slowlog_rolling.level = trace +logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling +logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old +logger.index_search_slowlog_rolling.additivity = false + +######## Indexing slowlog JSON ################## +appender.index_indexing_slowlog_rolling.type = RollingFile +appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling +appender.index_indexing_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_indexing_slowlog.json +appender.index_indexing_slowlog_rolling.filePermissions = rw-r----- +appender.index_indexing_slowlog_rolling.layout.type = OpenSearchJsonLayout +appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog +appender.index_indexing_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,doc_type,id,routing,source + +appender.index_indexing_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_indexing_slowlog-%i.json.gz +appender.index_indexing_slowlog_rolling.policies.type = Policies +appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.index_indexing_slowlog_rolling.policies.size.size = 1GB +appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy 
+appender.index_indexing_slowlog_rolling.strategy.max = 4 +################################################# +######## Indexing slowlog - old style pattern ## +appender.index_indexing_slowlog_rolling_old.type = RollingFile +appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old +appender.index_indexing_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_indexing_slowlog.log +appender.index_indexing_slowlog_rolling_old.filePermissions = rw-r----- +appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout +appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\ + _index_indexing_slowlog-%i.log.gz +appender.index_indexing_slowlog_rolling_old.policies.type = Policies +appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB +appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy +appender.index_indexing_slowlog_rolling_old.strategy.max = 4 +################################################# + +logger.index_indexing_slowlog.name = index.indexing.slowlog.index +logger.index_indexing_slowlog.level = trace +logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling +logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old +logger.index_indexing_slowlog.additivity = false + +######## Task details log JSON #################### +appender.task_detailslog_rolling.type = RollingFile +appender.task_detailslog_rolling.name = task_detailslog_rolling +appender.task_detailslog_rolling.fileName = 
${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.json +appender.task_detailslog_rolling.filePermissions = rw-r----- +appender.task_detailslog_rolling.layout.type = OpenSearchJsonLayout +appender.task_detailslog_rolling.layout.type_name = task_detailslog +appender.task_detailslog_rolling.layout.opensearchmessagefields=taskId,type,action,description,start_time_millis,resource_stats,metadata + +appender.task_detailslog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.json.gz +appender.task_detailslog_rolling.policies.type = Policies +appender.task_detailslog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.task_detailslog_rolling.policies.size.size = 1GB +appender.task_detailslog_rolling.strategy.type = DefaultRolloverStrategy +appender.task_detailslog_rolling.strategy.max = 4 +################################################# +######## Task details log - old style pattern #### +appender.task_detailslog_rolling_old.type = RollingFile +appender.task_detailslog_rolling_old.name = task_detailslog_rolling_old +appender.task_detailslog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.log +appender.task_detailslog_rolling_old.filePermissions = rw-r----- +appender.task_detailslog_rolling_old.layout.type = PatternLayout +appender.task_detailslog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.task_detailslog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.log.gz +appender.task_detailslog_rolling_old.policies.type = Policies +appender.task_detailslog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.task_detailslog_rolling_old.policies.size.size = 1GB 
+appender.task_detailslog_rolling_old.strategy.type = DefaultRolloverStrategy +appender.task_detailslog_rolling_old.strategy.max = 4 +################################################# +logger.task_detailslog_rolling.name = task.detailslog +logger.task_detailslog_rolling.level = trace +logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling.ref = task_detailslog_rolling +logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling_old.ref = task_detailslog_rolling_old +logger.task_detailslog_rolling.additivity = false diff --git a/opensearch/opensearch-notifications-core/notifications-core.yml b/opensearch/opensearch-notifications-core/notifications-core.yml new file mode 100644 index 0000000..9ae7ed4 --- /dev/null +++ b/opensearch/opensearch-notifications-core/notifications-core.yml @@ -0,0 +1,19 @@ +--- +## + # Copyright OpenSearch Contributors + # SPDX-License-Identifier: Apache-2.0 +## + +# configuration file for the notifications-core plugin +opensearch.notifications.core: + email: + size_limit: 10000000 + minimum_header_length: 160 + http: + max_connections: 60 + max_connection_per_route: 20 + connection_timeout: 5000 # in milliseconds + socket_timeout: 50000 + host_deny_list: [] + allowed_config_types: ["slack","chime","microsoft_teams","webhook","email","sns","ses_account","smtp_account","email_group"] + tooltip_support: true diff --git a/opensearch/opensearch-notifications/notifications.yml b/opensearch/opensearch-notifications/notifications.yml new file mode 100644 index 0000000..61969ac --- /dev/null +++ b/opensearch/opensearch-notifications/notifications.yml 
@@ -0,0 +1,12 @@ +--- +## + # Copyright OpenSearch Contributors + # SPDX-License-Identifier: Apache-2.0 +## + +# configuration file for the notifications plugin +opensearch.notifications: + general: + operation_timeout_ms: 60000 # 60 seconds, Minimum 100ms + default_items_query_count: 100 # default number of items to query + filter_send_by_backend_roles: false # Does sendNotification needs to validate user's backend roles diff --git a/opensearch/opensearch-observability/observability.yml b/opensearch/opensearch-observability/observability.yml new file mode 100644 index 0000000..6bc2c48 --- /dev/null +++ b/opensearch/opensearch-observability/observability.yml 
@@ -0,0 +1,28 @@ +--- +## +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +## + +# configuration file for the observability plugin +opensearch.notebooks: + general: + operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms + defaultItemsQueryCount: 100 # default number of items to query + polling: + jobLockDurationSeconds: 300 # 5 Minutes, Minimum 10 seconds + minPollingDurationSeconds: 300 # 5 Minutes, Minimum 60 seconds + maxPollingDurationSeconds: 900 # 15 Minutes, Minimum 5 Minutes + maxLockRetries: 1 # Max number of retries to retry locking + access: + adminAccess: "AllObservabilityObjects" + # adminAccess values: + ## Standard -> Admin user access follows standard user + ## AllObservabilityObjects -> Admin user with "all_access" role can see all observability objects of all users. + filterBy: "NoFilter" # Applied when tenant != __user__ + # filterBy values: + ## NoFilter -> everyone see each other's observability objects + ## User -> observability objects are visible to only themselves + ## Roles -> observability objects are visible to users having any one of the role of creator + ## BackendRoles -> observability objects are visible to users having any one of the backend role of creator + ignoreRoles: ["own_index", "kibana_user", "observability_full_access", "observability_read_access"] diff --git a/opensearch/opensearch-reports-scheduler/reports-scheduler.yml b/opensearch/opensearch-reports-scheduler/reports-scheduler.yml new file mode 100644 index 0000000..d48464c --- /dev/null +++ b/opensearch/opensearch-reports-scheduler/reports-scheduler.yml @@ -0,0 +1,11 @@ +--- +## + # Copyright OpenSearch Contributors + # SPDX-License-Identifier: Apache-2.0 +## + +# configuration file for the reports scheduler plugin +opensearch.reports: + general: + operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms + defaultItemsQueryCount: 100 # default number of items to query 
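Review bot: `filterBy: "NoFilter"` together with `adminAccess: "AllObservabilityObjects"` in observability.yml makes every saved observability object visible to every authenticated user, exactly as the inline comment `NoFilter -> everyone see each other's observability objects` says. If more than one team or tenant will use the cluster, switch to `Roles` or `BackendRoles` so visibility follows the creator's roles, and keep the `# Applied when tenant != __user__` caveat in mind: the setting has no effect inside a private tenant. The reports-scheduler.yml hunk in the same region only sets timeouts and query counts and needs no change.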
diff --git a/opensearch/opensearch-security/action_groups.yml b/opensearch/opensearch-security/action_groups.yml new file mode 100644 index 0000000..7c40612 --- /dev/null +++ b/opensearch/opensearch-security/action_groups.yml @@ -0,0 +1,3 @@ +_meta: + type: "actiongroups" + config_version: 2 diff --git a/opensearch/opensearch-security/allowlist.yml b/opensearch/opensearch-security/allowlist.yml new file mode 100644 index 0000000..e669557 --- /dev/null +++ b/opensearch/opensearch-security/allowlist.yml 
@@ -0,0 +1,69 @@ +--- +_meta: + type: "allowlist" + config_version: 2 + +# Description: +# enabled - feature flag. +# if enabled is false, the allowlisting feature is removed. +# This is like removing the check that checks if an API is allowlisted. +# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting. +# if enabled is true, then all users except SuperAdmin can access only the APIs in requests +# SuperAdmin can access all APIs. +# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: +# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. +# +# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints + +# Examples showing how to configure this yml file (make sure the _meta data from above is also there): +# Example 1: +# To enable allowlisting and allowlist GET /_cluster/settings +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# +# Example 2: +# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT): +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# +# Example 3: +# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# /_cat/nodes: +# - GET +# /_cat/shards: +# - GET +# +# Example 4: +# If you want to disable the allowlisting feature, set enabled to false. +# enabled: false +# requests: +# /_cluster/settings: +# - GET +# +#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant. + + +#this name must be config +config: + enabled: false + requests: + /_cluster/settings: + - GET + /_cat/nodes: + - GET 
diff --git a/opensearch/opensearch-security/audit.yml b/opensearch/opensearch-security/audit.yml new file mode 100644 index 0000000..dcfbad8 --- /dev/null +++ b/opensearch/opensearch-security/audit.yml 
@@ -0,0 +1,85 @@ +_meta: + type: "audit" + config_version: 2 + +config: + # enable/disable audit logging + enabled: true + + audit: + # Enable/disable REST API auditing + enable_rest: true + + # Categories to exclude from REST API auditing + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Enable/disable Transport API auditing + enable_transport: true + + # Categories to exclude from Transport API auditing + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Users to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_users: ["test-user", "employee-*"] + ignore_users: + - kibanaserver + + # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_requests: ["indices:data/read/*", "SearchRequest"] + ignore_requests: [] + + # Log individual operations in a bulk request + resolve_bulk_requests: false + + # Include the body of the request (if available) for both REST and the transport layer + log_request_body: true + + # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns + resolve_indices: true + + # Exclude sensitive headers from being included in the logs. Eg: Authorization + exclude_sensitive_headers: true + + compliance: + # enable/disable compliance + enabled: true + + # Log updates to internal security changes + internal_config: true + + # Log external config files for the node + external_config: false + + # Log only metadata of the document for read events + read_metadata_only: true + + # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: + # read_watched_fields: { + # "twitter": ["message"] + # "logs-*": ["id", "attr*"] + # } + read_watched_fields: {} + + # List of users to ignore for read events. Wildcard patterns are supported. 
Eg: + # read_ignore_users: ["test-user", "employee-*"] + read_ignore_users: + - kibanaserver + + # Log only metadata of the document for write events + write_metadata_only: true + + # Log only diffs for document updates + write_log_diffs: false + + # List of indices to watch for write events. Wildcard patterns are supported + # write_watched_indices: ["twitter", "logs-*"] + write_watched_indices: [] + + # List of users to ignore for write events. Wildcard patterns are supported. Eg: + # write_ignore_users: ["test-user", "employee-*"] + write_ignore_users: + - kibanaserver diff --git a/opensearch/opensearch-security/config.yml b/opensearch/opensearch-security/config.yml new file mode 100644 index 0000000..a312c4b --- /dev/null +++ b/opensearch/opensearch-security/config.yml @@ -0,0 +1,49 @@ +--- +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + http: + # 익명(로그인 안 한) 사용자의 요청을 차단 + anonymous_auth_enabled: false + xff: + # X-Forwarded-For 헤더 처리 활성화 (LB/Proxy 환경) + enabled: true + # 프록시의 내부 IP. 필요시 로드밸런서 IP 추가 + internalProxies: "10\\.0\\.20\\.\\d{1,3}" # 10.0.20.x 대역을 내부 프록시로 인식 + # 원격 클라이언트 IP를 가져올 헤더 + remoteIpHeader: "x-forwarded-for" + authc: + # 기본 내부 인증(internal_users.yml 사용) + basic_internal_auth_domain: + http_enabled: true + transport_enabled: true + order: 1 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: internal + # JWT 인증 설정 + jwt_auth_domain: + http_enabled: true + transport_enabled: false # HTTP API에만 사용 + order: 0 + http_authenticator: + type: jwt + # challenge: false 이므로 JWT 토큰이 없으면 다음 인증(basic) 시도 + challenge: false + config: + # 토큰 서명에 사용할 키 + signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=" + # JWT 헤더 파싱 설정 추가 + jwt_header: "Authorization" + # JWT 토큰에서 사용자 이름을 가져올 필드 + subject_key: sub + # JWT 토큰에서 역할(role)을 가져올 필드 + roles_key: roles + authentication_backend: + # JWT 토큰 내 사용자 정보로 인증 처리 + type: noop 
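Review bot: the compliance block in audit.yml is effectively inert despite `enabled: true`, because `read_watched_fields: {}` and `write_watched_indices: []` are empty, so no document read or write is tracked; either list the indices that hold sensitive data there or set the flag to false so the file reflects what it does. Separately, `log_request_body: true` records REST request bodies, which include documents being indexed and payloads sent to the security REST API, so the audit destination (the audit index by default) must be readable only by administrators; `exclude_sensitive_headers: true` covers headers, not bodies. Excluding `kibanaserver` via `ignore_users` and `read_ignore_users`/`write_ignore_users` is reasonable for noise, but it also hides any misuse of that service account, so its password must not be left at the default.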
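Review bot: two points on config.yml. First, `signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="` is a symmetric HS256 secret committed to the repository; with `roles_key: roles` and `authentication_backend: type: noop`, anyone holding this key can mint a token carrying any `roles` claim, and that claim becomes the user's backend roles, so the key should be rotated and moved out of version control, and roles_mapping should be reviewed for what a forged claim could reach. Second, `internalProxies: "10\\.0\\.20\\.\\d{1,3}"` trusts the entire 10.0.20.0/24 range to set `x-forwarded-for`, so any host in that range other than the load balancer can choose the client IP that appears in audit logs and in host-based role mappings; narrow the pattern to the LB's actual addresses.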
diff --git a/opensearch/opensearch-security/config.yml.bak b/opensearch/opensearch-security/config.yml.bak new file mode 100644 index 0000000..1493a0d --- /dev/null +++ b/opensearch/opensearch-security/config.yml.bak 
@@ -0,0 +1,250 @@ +--- + +# This is the main OpenSearch Security configuration file where authentication +# and authorization is defined. +# +# You need to configure at least one authentication domain in the authc of this file. +# An authentication domain is responsible for extracting the user credentials from +# the request and for validating them against an authentication backend like Active Directory for example. +# +# If more than one authentication domain is configured the first one which succeeds wins. +# If all authentication domains fail then the request is unauthenticated. +# In this case an exception is thrown and/or the HTTP status is set to 401. +# +# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect +# the roles from a given backend for the authenticated user. +# +# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. +# http_enabled: true +# transport_enabled: true +# +# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to +# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. +# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous" +# and one role named "anonymous_backendrole". +# If you enable anonymous authentication all HTTP authenticators will not challenge. +# +# +# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" +# first and the challenging one last. +# Because it's not possible to challenge a client with two different authentication methods (for example +# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation +# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. 
+# +# Default value of the challenge flag is true. +# +# +# HTTP +# basic (challenging) +# proxy (not challenging, needs xff) +# kerberos (challenging) +# clientcert (not challenging, needs https) +# jwt (not challenging) +# host (not challenging) #DEPRECATED, will be removed in a future version. +# host based authentication is configurable in roles_mapping + +# Authc +# internal +# noop +# ldap + +# Authz +# ldap +# noop + + + +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + #kibana: + # Kibana multitenancy + #multitenancy_enabled: true + #private_tenant_enabled: true + #default_tenant: "" + #server_username: kibanaserver + #index: '.kibana' + http: + anonymous_auth_enabled: false + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + 
type: noop + basic_internal_auth_domain: + description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + jwt_clock_skew_tolerance_seconds: 30 + roles_key: null + subject_key: null + authentication_backend: + type: noop + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in 
the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) 
+ resolve_nested_roles: true + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(uid={0})' + # Skip users matching a user name, a wildcard or a regex pattern + #skip_users: + # - 'cn=Michael Jackson,ou*people,o=TEST' + # - '/\S*/' + roles_from_another_ldap: + description: "Authorize via another Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + type: ldap + #config goes here ... + # auth_failure_listeners: + # ip_rate_limiting: + # type: ip + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 + # internal_authentication_backend_limiting: + # type: username + # authentication_backend: intern + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 diff --git a/opensearch/opensearch-security/internal_users.yml b/opensearch/opensearch-security/internal_users.yml new file mode 100644 index 0000000..55756f5 --- /dev/null +++ b/opensearch/opensearch-security/internal_users.yml 
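Review bot: `xff.enabled` is `false` while `internalProxies` still holds the template's demo pattern `'192\.168\.0\.10|192\.168\.0\.11'`; if requests reach the nodes through a reverse proxy, set `enabled: true` and list only that proxy's real address here (not the `'.*'` trust-all variant shown in the comment), otherwise audit records and any IP-based rate limiting see the proxy's address instead of the client's. In the same hunk `jwt_auth_domain` is committed with `http_enabled: false` and the literal placeholder `signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"`, so JWT authentication is inactive as committed; if it is meant to be used, enable it and inject the real key at deploy time rather than committing it to the repository. The whole `auth_failure_listeners` block (`ip_rate_limiting`, `internal_authentication_backend_limiting`) is also left commented out; enabling at least `ip_rate_limiting` gives the `basic_internal_auth_domain` (which is `http_enabled: true` with `challenge: true`) some protection against password guessing.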
@@ -0,0 +1,50 @@ +--- +_meta: + type: "internalusers" + config_version: 2 +admin: + hash: "$2y$12$PH5uup5xBDwmAAHr9fRvTO2zRgKEDeVzEjFuhZYoohj338BvdaLKG" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" +anomalyadmin: + hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3." + reserved: false + opendistro_security_roles: + - "anomaly_full_access" + description: "Demo anomaly admin user, using internal role" +kibanaserver: + # hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + hash: "$2y$12$xFMwJISLbh2vh8xEUg0kguyGDZVyHyM65opF3Emvdq1Cmnj1hlUNS" + reserved: true + description: "Demo OpenSearch Dashboards user" +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo OpenSearch Dashboards read only user, using external role mapping" +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user, using external role mapping" +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user, using external role mapping" +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user, using external role mapping" diff --git a/opensearch/opensearch-security/nodes_dn.yml b/opensearch/opensearch-security/nodes_dn.yml new file mode 100644 index 0000000..7f8304c --- /dev/null +++ b/opensearch/opensearch-security/nodes_dn.yml @@ -0,0 +1,8 @@ +_meta: + type: "nodesdn" + config_version: 2 + +# Define nodesdn mapping name and corresponding values +# cluster1: +# nodes_dn: +# - CN=*.example.com 
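Review bot: `admin` and `kibanaserver` received new hashes, but `anomalyadmin`, `kibanaro`, `logstash`, `readall` and `snapshotrestore` still carry their upstream demo hashes (their `description` fields still read "Demo ... user"), so they remain accounts with publicly known credentials; delete the ones this deployment does not need or give them freshly generated hashes before the file is loaded with `securityadmin`. The commented-out previous `kibanaserver` hash (`# hash: "$2a$12$4AcgAt3x..."`) should be removed rather than kept in the file, since it only documents an old credential.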
diff --git a/opensearch/opensearch-security/opensearch.yml.example b/opensearch/opensearch-security/opensearch.yml.example new file mode 100644 index 0000000..d02a254 --- /dev/null +++ b/opensearch/opensearch-security/opensearch.yml.example 
@@ -0,0 +1,228 @@ +############## OpenSearch Security configuration ############### + +########################################################### +# Add the following settings to your standard opensearch.yml +# alongside with the OpenSearch Security TLS settings. +# Settings must always be the same on all nodes in the cluster. + +############## Common configuration settings ############## + +# Specify a list of DNs which denote the other nodes in the cluster. +# This settings support wildcards and regular expressions +# The list of DNs are also read from security index **in addition** to the yml configuration if +# plugins.security.nodes_dn_dynamic_config_enabled is true. +# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. +plugins.security.nodes_dn: + - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE" + - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE" + +# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to +# manage the allowlisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured +# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs +# which provide means to update/retrieve nodesdn dynamically. +# +# NOTE: The overall allowlisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored +# in security index. +# (default: false) +# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. 
+plugins.security.nodes_dn_dynamic_config_enabled: false + +# Defines the DNs (distinguished names) of certificates +# to which admin privileges should be assigned (mandatory) +plugins.security.authcz.admin_dn: + - "CN=kirk,OU=client,O=client,l=tEst, C=De" + +# Define how backend roles should be mapped to Security roles +# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default) +# BACKENDROLES_ONLY - backend roles are mapped to Security roles directly. Settings in roles_mapping.yml have no effect. +# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition +plugins.security.roles_mapping_resolution: MAPPING_ONLY + +############## REST Management API configuration settings ############## +# Enable or disable role based access to the REST management API +# Default is that no role is allowed to access the REST management API. +#plugins.security.restapi.roles_enabled: ["all_access","xyz_role"] + +# Disable particular endpoints and their HTTP methods for roles. +# By default all endpoints/methods are allowed. 
+#plugins.security.restapi.endpoints_disabled..: +# Example: +#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"] +#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"] + +# The following endpoints exist: +# ACTIONGROUPS +# CACHE +# CONFIG +# ROLES +# ROLESMAPPING +# INTERNALUSERS +# SYSTEMINFO +# PERMISSIONSINFO + +############## Auditlog configuration settings ############## +# General settings + +# Enable/disable rest request logging (default: true) +#plugins.security.audit.enable_rest: true +# Enable/disable transport request logging (default: false) +#plugins.security.audit.enable_transport: false +# Enable/disable bulk request logging (default: false) +# If enabled all subrequests in bulk requests will be logged too +#plugins.security.audit.resolve_bulk_requests: false +# Disable some categories +#plugins.security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"] +# Disable some requests (wildcard or regex of actions or rest request paths) +#plugins.security.audit.ignore_requests: ["indices:data/read/*","*_bulk"] +# Tune threadpool size, default is 10 +#plugins.security.audit.threadpool.size: 10 +# Tune threadpool max size queue length, default is 100000 +#plugins.security.audit.threadpool.max_queue_len: 100000 + +# Ignore users, e.g. 
do not log audit requests from that users (default: no ignored users) +#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']" + +# Destination of the auditlog events +plugins.security.audit.type: internal_opensearch +#plugins.security.audit.type: external_opensearch +#plugins.security.audit.type: debug +#plugins.security.audit.type: webhook + +# external_opensearch settings +#plugins.security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']" +# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6') +#plugins.security.audit.config.index: auditlog6 # make sure you secure this index properly +#plugins.security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly +#plugins.security.audit.config.type: auditlog +#plugins.security.audit.config.username: auditloguser +#plugins.security.audit.config.password: auditlogpassword +#plugins.security.audit.config.enable_ssl: false +#plugins.security.audit.config.verify_hostnames: false +#plugins.security.audit.config.enable_ssl_client_auth: false +#plugins.security.audit.config.cert_alias: mycert +#plugins.security.audit.config.pemkey_filepath: key.pem +#plugins.security.audit.config.pemkey_content: <...pem base 64 content> +#plugins.security.audit.config.pemkey_password: secret +#plugins.security.audit.config.pemcert_filepath: cert.pem +#plugins.security.audit.config.pemcert_content: <...pem base 64 content> +#plugins.security.audit.config.pemtrustedcas_filepath: ca.pem +#plugins.security.audit.config.pemtrustedcas_content: <...pem base 64 content> + +# webhook settings +#plugins.security.audit.config.webhook.url: "http://mywebhook/endpoint" +# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK +#plugins.security.audit.config.webhook.format: JSON +#plugins.security.audit.config.webhook.ssl.verify: false 
+#plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem +#plugins.security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content> + +# log4j settings +#plugins.security.audit.config.log4j.logger_name: auditlogger +#plugins.security.audit.config.log4j.level: INFO + +############## Kerberos configuration settings ############## +# If Kerberos authentication should be used you have to configure: + +# The Path to the krb5.conf file +# Can be absolute or relative to the OpenSearch config directory +#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf' + +# The Path to the keytab where the acceptor_principal credentials are stored. +# Must be relative to the OpenSearch config directory +#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab' + +# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file +#plugins.security.kerberos.acceptor_principal: 'HTTP/localhost' + +############## Advanced configuration settings ############## +# Enable transport layer impersonation +# Allow DNs (distinguished names) to impersonate as other users +#plugins.security.authcz.impersonation_dn: +# "CN=spock,OU=client,O=client,L=Test,C=DE": +# - worf +# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com": +# - user2 +# - user1 + +# Enable rest layer impersonation +# Allow users to impersonate as other users +#plugins.security.authcz.rest_impersonation_user: +# "picard": +# - worf +# "john": +# - steve +# - martin + +# If this is set to true OpenSearch Security will automatically initialize the configuration index +# with the files in the config directory if the index does not exist. +# WARNING: This will use well-known default passwords. +# Use only in a private network/environment. +#plugins.security.allow_default_init_securityindex: false + +# If this is set to true then allow to startup with demo certificates. +# These are certificates issued by floragunn GmbH for demo purposes. 
+# WARNING: This certificates are well known and therefore unsafe +# Use only in a private network/environment. +#plugins.security.allow_unsafe_democertificates: false + + + +# Password strength rules for password complexity. +# If you want to set up password strength rules for internal users, you can use the below settings for it. +# Password validation rules can be configured through regex. In the below regex example, a user must need +# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character.  +# And a custom error message can be configured, in case if a password is not created according to the password strength rule.    +# plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}' +# plugins.security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character." + + +############## Expert settings ############## +# WARNING: Expert settings, do only use if you know what you are doing +# If you set wrong values here this this could be a security risk +# or make OpenSearch Security stop working + +# Name of the index where .opendistro_security stores its configuration. + +#plugins.security.config_index_name: .opendistro_security + +# This defines the OID of server node certificates +#plugins.security.cert.oid: '1.2.3.4.5.5' + +# This specifies the implementation of org.opensearch.security.transport.InterClusterRequestEvaluator +# that is used to determine inter-cluster request. 
+# Instances of org.opensearch.security.transport.InterClusterRequestEvaluator must implement a single argument +# constructor that takes an org.opensearch.common.settings.Settings +#plugins.security.cert.intercluster_request_evaluator_class: org.opensearch.security.transport.DefaultInterClusterRequestEvaluator + +# By default, normal users can restore snapshots if they have the priviliges 'cluster:admin/snapshot/restore', +# 'indices:admin/create', and 'indices:data/write/index' for the indices to be restored. +# To disable snapshot restore for normal users set 'plugins.security.enable_snapshot_restore_privilege: false'. +# This makes it so that only snapshot restore requests signed by an admin TLS certificate are accepted. +# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index +# If 'plugins.security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted. +#plugins.security.enable_snapshot_restore_privilege: true +#plugins.security.check_snapshot_restore_write_privileges: true + +# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60) +#plugins.security.cache.ttl_minutes: 60 + +# Disable OpenSearch Security +# WARNING: This can expose your configuration (including passwords) to the public. +#plugins.security.disabled: false + + +# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role +# to be visible, listed in the plugins.security.protected_indices.roles setting. +# Enable protected indices +# plugins.security.protected_indices.enabled: true +# Specify a list of roles a user must be member of to touch any protected index. +# plugins.security.protected_indices.roles: ['all_access'] +# Specify a list of indices to mark as protected. 
These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. +# plugins.security.protected_indices.indices: [] + +# System indices are similar to security index, except the contents are not encrypted. +# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices. +# Enable system indices +# plugins.security.system_indices.enabled: true +# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. +# plugins.security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opensearch-notifications-*', '.opensearch-notebooks', '.opensearch-observability', '.opendistro-asynchronous-search-response*', '.replication-metadata-store'] diff --git a/opensearch/opensearch-security/roles.yml b/opensearch/opensearch-security/roles.yml new file mode 100644 index 0000000..c65e2a8 --- /dev/null +++ b/opensearch/opensearch-security/roles.yml 
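Review bot: `plugins.security.authcz.admin_dn` in this example is the upstream demo value `"CN=kirk,OU=client,O=client,l=tEst, C=De"`, and `plugins.security.nodes_dn` lists `CN=*.example.com` / `CN=node.other.com`; if this `.example` file is the base for the real `opensearch.yml`, both must be replaced with the DNs of the deployment's own admin and node certificates, and `plugins.security.allow_unsafe_democertificates` and `plugins.security.allow_default_init_securityindex` should stay `false` (the comments in the hunk already state that the demo certificates and default passwords are public). Note also that `#plugins.security.restapi.roles_enabled` is left commented, which per the comment above it means no role at all may call the security REST API; managing users and roles from Dashboards requires enabling it for the administrative role.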
@@ -0,0 +1,538 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +security_rest_api_full_access: + reserved: true + cluster_permissions: + - 'restapi:admin/actiongroups' + - 'restapi:admin/allowlist' + - 'restapi:admin/config/update' + - 'restapi:admin/internalusers' + - 'restapi:admin/nodesdn' + - 'restapi:admin/roles' + - 'restapi:admin/rolesmapping' + - 'restapi:admin/ssl/certs/info' + - 'restapi:admin/ssl/certs/reload' + - 'restapi:admin/tenants' + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + - 'cluster:admin/opensearch/alerting/comments/search' + - 'cluster:admin/opensearch/alerting/findings/get' + - 'cluster:admin/opensearch/alerting/remote/indexes/get' + - 'cluster:admin/opensearch/alerting/workflow/get' + - 'cluster:admin/opensearch/alerting/workflow_alerts/get' + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + - 'cluster:admin/opendistro/alerting/chained_alerts/*' + - 'cluster:admin/opendistro/alerting/workflow_alerts/*' + - 'cluster:admin/opensearch/alerting/comments/*' + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/*' + - 'cluster:admin/opensearch/alerting/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + - 'cluster_monitor' + 
index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + - 'indices_monitor' + +# Allow users to read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/result/topAnomalies' + - 'cluster:admin/opendistro/ad/tasks/search' + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/ingest/pipeline/delete" + - "cluster:admin/ingest/pipeline/put" + - 'cluster:admin/opendistro/ad/*' + - 'cluster_monitor' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/fields/get' + - 'indices:admin/mappings/fields/get*' + - 'indices:admin/mappings/get' + - 'indices:admin/resolve/index' + - 'indices:admin/setting/put' + - 'indices:data/read/field_caps*' + - 'indices:data/read/search' + - 'indices_monitor' + +# Allow users to execute read only k-NN actions +knn_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_stats_action' + +# Allow users to use all k-NN functionality +knn_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_delete_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_remove_model_from_cache_action' + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_stats_action' + - 'cluster:admin/knn_training_job_route_decision_info_action' + - 'cluster:admin/knn_training_job_router_action' + - 'cluster:admin/knn_training_model_action' + - 
'cluster:admin/knn_update_model_graveyard_action' + - 'cluster:admin/knn_warmup_action' + +# Allow users to execute read only ip2geo datasource action +ip2geo_datasource_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/get' + +# Allow users to use all ip2geo datasource action +ip2geo_datasource_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/*' + +# Allows users to read Notebooks +notebooks_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/update' + +# Allows users to read observability objects +observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all Observability functionality +observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/delete' + - 'cluster:admin/opensearch/observability/get' + - 'cluster:admin/opensearch/observability/update' + +# Allows users to all PPL functionality +ppl_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ppl' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mappings/get' + - 'indices:data/read/search*' + - 'indices:monitor/settings/get' + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/instance/list' + - 
'cluster:admin/opendistro/reports/menu/download' + +# Allows users to read and download Reports and Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to all Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:data/read/search*' + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' + +# Allows user to use all index_management actions - ism policies, rollups, transforms +index_management_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + - "cluster:admin/opensearch/controlcenter/lron/*" + - "cluster:admin/opensearch/notifications/channels/get" + - "cluster:admin/opensearch/notifications/feature/publish" + 
index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + - 'indices:internal/plugins/replication/index/stop' + +# Allows users to use all cross cluster replication functionality at leader cluster +cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - "indices:data/read/plugins/replication/file_chunk" + +# Allows users to use all cross cluster replication functionality at follower cluster +cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/status_check" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:data/write/plugins/replication/changes" + +# Allows users to use all cross cluster search functionality at remote cluster +cross_cluster_search_remote_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/shards/search_shards' + - 'indices:data/read/search' + +# Allow users to operate query assistant +query_assistant_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/config/get' + - 'cluster:admin/opensearch/ml/execute' + - 'cluster:admin/opensearch/ml/predict' + - 'cluster:admin/opensearch/ppl' + +# Allow users to read ML stats/models/tasks +ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/config/get' + - 
'cluster:admin/opensearch/ml/connectors/get' + - 'cluster:admin/opensearch/ml/connectors/search' + - 'cluster:admin/opensearch/ml/controllers/get' + - 'cluster:admin/opensearch/ml/memory/conversation/get' + - 'cluster:admin/opensearch/ml/memory/conversation/interaction/search' + - 'cluster:admin/opensearch/ml/memory/conversation/list' + - 'cluster:admin/opensearch/ml/memory/conversation/search' + - 'cluster:admin/opensearch/ml/memory/interaction/get' + - 'cluster:admin/opensearch/ml/memory/interaction/list' + - 'cluster:admin/opensearch/ml/memory/trace/get' + - 'cluster:admin/opensearch/ml/model_groups/get' + - 'cluster:admin/opensearch/ml/model_groups/search' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/profile/nodes' + - 'cluster:admin/opensearch/ml/stats/nodes' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + - 'cluster:admin/opensearch/ml/tools/get' + - 'cluster:admin/opensearch/ml/tools/list' + +# Allows users to use all ML functionality +ml_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/*' + - 'cluster_monitor' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + +# Allows users to use all Notifications functionality +notifications_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/*' + +# Allows users to read Notifications config/channels +notifications_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/channels/get' + - 'cluster:admin/opensearch/notifications/configs/get' + - 'cluster:admin/opensearch/notifications/features' + +# Allows users to use all snapshot management functionality +snapshot_management_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/feature/publish' + - 
'cluster:admin/opensearch/snapshot_management/*' + - 'cluster:admin/repository/*' + - 'cluster:admin/snapshot/*' + +# Allows users to see snapshots, repositories, and snapshot management policies +snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + +# Allows user to use point in time functionality +point_in_time_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'manage_point_in_time' + +# Allows users to see security analytics detectors and others +security_analytics_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/get' + - 'cluster:admin/opensearch/securityanalytics/correlationAlerts/get' + - 'cluster:admin/opensearch/securityanalytics/correlations/findings' + - 'cluster:admin/opensearch/securityanalytics/correlations/list' + - 'cluster:admin/opensearch/securityanalytics/detector/get' + - 'cluster:admin/opensearch/securityanalytics/detector/search' + - 'cluster:admin/opensearch/securityanalytics/findings/get' + - 'cluster:admin/opensearch/securityanalytics/logtype/search' + - 'cluster:admin/opensearch/securityanalytics/mapping/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' + - 'cluster:admin/opensearch/securityanalytics/rule/get' + - 'cluster:admin/opensearch/securityanalytics/rule/search' + - 'cluster:admin/opensearch/securityanalytics/threatintel/alerts/get' + - 'cluster:admin/opensearch/securityanalytics/threatintel/iocs/findings/get' + - 'cluster:admin/opensearch/securityanalytics/threatintel/iocs/list' + - 'cluster:admin/opensearch/securityanalytics/threatintel/monitors/search' + - 
'cluster:admin/opensearch/securityanalytics/threatintel/sources/get' + - 'cluster:admin/opensearch/securityanalytics/threatintel/sources/search' + +# Allows users to use all security analytics functionality +security_analytics_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + - 'cluster:admin/opensearch/securityanalytics/connections/*' + - 'cluster:admin/opensearch/securityanalytics/correlationAlerts/*' + - 'cluster:admin/opensearch/securityanalytics/correlations/*' + - 'cluster:admin/opensearch/securityanalytics/detector/*' + - 'cluster:admin/opensearch/securityanalytics/findings/*' + - 'cluster:admin/opensearch/securityanalytics/logtype/*' + - 'cluster:admin/opensearch/securityanalytics/mapping/*' + - 'cluster:admin/opensearch/securityanalytics/rule/*' + - 'cluster:admin/opensearch/securityanalytics/threatintel/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mapping/put' + - 'indices:admin/mappings/get' + +# Allows users to view and acknowledge alerts +security_analytics_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + - 'cluster:admin/opensearch/securityanalytics/correlationAlerts/*' + - 'cluster:admin/opensearch/securityanalytics/threatintel/alerts/*' + +# Allows users to use all Flow Framework functionality +flow_framework_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/flow_framework/*' + - 'cluster_monitor' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + - 'indices_monitor' + +# Allow users to read flow framework's workflows and their state +flow_framework_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/flow_framework/workflow/get' + - 'cluster:admin/opensearch/flow_framework/workflow/search' + - 
'cluster:admin/opensearch/flow_framework/workflow_state/get' + - 'cluster:admin/opensearch/flow_framework/workflow_state/search' + - 'cluster:admin/opensearch/flow_framework/workflow_step/get' + +# Allows users to use all query insights APIs +query_insights_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/insights/top_queries/*' + index_permissions: + - index_patterns: + - 'top_queries_by_*' + allowed_actions: + - "indices_all" + +# Allow users to execute read only LTR actions +ltr_read_access: + reserved: true + cluster_permissions: + - cluster:admin/ltr/caches/stats + - cluster:admin/ltr/featurestore/list + - cluster:admin/ltr/stats + +# Allow users to execute all LTR actions +ltr_full_access: + reserved: true + cluster_permissions: + - cluster:admin/ltr/* + +# Allow users to use all Search Relevance functionalities +search_relevance_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/search_relevance/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mappings/get' + - 'indices:data/read/search*' + +# Allow users to read Search Relevance resources +search_relevance_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/search_relevance/experiment/get' + - 'cluster:admin/opensearch/search_relevance/judgment/get' + - 'cluster:admin/opensearch/search_relevance/queryset/get' + - 'cluster:admin/opensearch/search_relevance/search_configuration/get' + +# Allow users to read Forecast resources +forecast_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/plugin/forecast/forecaster/info' + - 'cluster:admin/plugin/forecast/forecaster/stats' + - 'cluster:admin/plugin/forecast/forecaster/suggest' + - 'cluster:admin/plugin/forecast/forecaster/validate' + - 'cluster:admin/plugin/forecast/forecasters/get' + - 'cluster:admin/plugin/forecast/forecasters/info' + - 'cluster:admin/plugin/forecast/forecasters/search' + - 
'cluster:admin/plugin/forecast/result/topForecasts' + - 'cluster:admin/plugin/forecast/tasks/search' + index_permissions: + - index_patterns: + - 'opensearch-forecast-result*' + allowed_actions: + - 'indices:admin/mappings/fields/get*' + - 'indices:admin/resolve/index' + - 'indices:data/read*' + +# Allows users to use all Forecasting functionality +forecast_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/plugin/forecast/*' + - 'cluster:admin/settings/update' + - 'cluster_monitor' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/aliases/get' + - 'indices:admin/mapping/get' + - 'indices:admin/mapping/put' + - 'indices:admin/mappings/fields/get*' + - 'indices:admin/mappings/get' + - 'indices:admin/resolve/index' + - 'indices:data/read*' + - 'indices:data/read/field_caps*' + - 'indices:data/read/search' + - 'indices:data/write*' + - 'indices_monitor' diff --git a/opensearch/opensearch-security/roles_mapping.yml b/opensearch/opensearch-security/roles_mapping.yml new file mode 100644 index 0000000..89f46bf --- /dev/null +++ b/opensearch/opensearch-security/roles_mapping.yml 
@@ -0,0 +1,49 @@ +--- +# In this file users, backendroles and hosts can be mapped to Security roles. +# Permissions for OpenSearch roles are configured in roles.yml + +_meta: + type: "rolesmapping" + config_version: 2 + +# Define your roles mapping here + +## Demo roles mapping + +all_access: + reserved: false + backend_roles: + - "admin" + description: "Maps admin to all_access" + +own_index: + reserved: false + users: + - "*" + description: "Allow full access to an index named like the username" + +logstash: + reserved: false + backend_roles: + - "logstash" + +kibana_user: + reserved: false + backend_roles: + - "kibanauser" + description: "Maps kibanauser to kibana_user" + +readall: + reserved: false + backend_roles: + - "readall" + +manage_snapshots: + reserved: false + backend_roles: + - "snapshotrestore" + +kibana_server: + reserved: true + users: + - "kibanaserver" diff --git a/opensearch/opensearch-security/tenants.yml b/opensearch/opensearch-security/tenants.yml new file mode 100644 index 0000000..04104dc --- /dev/null +++ b/opensearch/opensearch-security/tenants.yml @@ -0,0 +1,11 @@ +--- +_meta: + type: "tenants" + config_version: 2 + +# Define your tenants here + +## Demo tenants +admin_tenant: + reserved: false + description: "Demo tenant for admin user" diff --git a/opensearch/opensearch.keystore b/opensearch/opensearch.keystore new file mode 100644 index 0000000..ee62892 Binary files /dev/null and b/opensearch/opensearch.keystore differ diff --git a/opensearch/opensearch.yml b/opensearch/opensearch.yml new file mode 100644 index 0000000..f341f03 --- /dev/null +++ b/opensearch/opensearch.yml 
@@ -0,0 +1,73 @@ +# ======================== OpenSearch Configuration ========================= +# 클러스터 이름. 모든 노드가 동일해야 함. +cluster.name: ds-cluster + +# 노드 이름. 각 노드마다 고유해야 함. +node.name: ds-osnode001.oneunivrs.com + +# 마스터 노드 및 데이터 노드 역할 부여 +node.roles: [ cluster_manager, data ] + +# 데이터와 로그 파일 경로 지정 +path.data: /data/opensearch/data +path.logs: /data/opensearch/logs + +# 스와핑 방지를 위한 메모리 잠금 (성능 향상) +bootstrap.memory_lock: true + +# 네트워크 설정 +# 모든 네트워크 인터페이스에서 접속 허용. 외부/내부 통신 모두 처리. +network.host: 0.0.0.0 +http.port: 9200 +transport.port: 9300 + +# 클러스터 구성을 위한 노드 탐색 설정 (내부 DNS 사용) +discovery.seed_hosts: + - ds-osnode001.oneunivrs.com + - ds-osnode002.oneunivrs.com + - ds-osnode003.oneunivrs.com + +# 클러스터 최초 구동 시 마스터 후보 노드 목록 (내부 DNS 사용) +cluster.initial_cluster_manager_nodes: + - ds-osnode001.oneunivrs.com + - ds-osnode002.oneunivrs.com + - ds-osnode003.oneunivrs.com + +# ======================== Security Plugin Configuration ======================== +plugins.security.ssl.transport.enabled: true # 노드 간 통신(9300) TLS 활성화 +plugins.security.ssl.transport.pemcert_filepath: certs/oneunivrs.pem +plugins.security.ssl.transport.pemkey_filepath: certs/oneunivrs_key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root.pem +plugins.security.ssl.transport.enforce_hostname_verification: false # 호스트 이름 검증 비활성화 (권장사항은 true 이나, 초기 설정 편의를 위해 false) + +plugins.security.ssl.http.enabled: true # HTTP API(9200) TLS(HTTPS) 활성화 +plugins.security.ssl.http.pemcert_filepath: certs/oneunivrs.pem +plugins.security.ssl.http.pemkey_filepath: certs/oneunivrs_key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: certs/root.pem + +# 클러스터에 참여할 수 있는 노드의 DN(Distinguished Name) 목록 +# O 필드의 쉼표(,)는 백슬래시 두 개(\\)로 이스케이프 처리 +plugins.security.nodes_dn: + - "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR" + +# 관리자 권한을 가질 사용자의 DN 목록 +plugins.security.authcz.admin_dn: + - "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR" + +# 보안 플러그인 초기화 시 데모 설정 비활성화 
+plugins.security.allow_unsafe_democertificates: false + +# 최초 구동 시 .opensearch-observability, .opensearch-notifications-config 인덱스 생성 허용 +plugins.security.unsupported.allow_now_in_dls: true + +# 최초 구동 시 보안 인덱스 자동 생성 허용 +plugins.security.allow_default_init_securityindex: true + +# 감사 로그를 내부 OpenSearch 인덱스에 기록 +plugins.security.audit.type: internal_opensearch +#plugins.security.audit.config.log_external_config: false +#plugins.security.audit.config.log_internal_config: false +#plugins.security.audit.config.log_security_config: false + +# REST API를 통해 역할(Role)을 관리할 수 있도록 허용 +plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/opensearch/opensearch.yml.bak b/opensearch/opensearch.yml.bak new file mode 100644 index 0000000..67b12b2 --- /dev/null +++ b/opensearch/opensearch.yml.bak 
@@ -0,0 +1,155 @@ +# ======================== OpenSearch Configuration ========================= +# +# NOTE: OpenSearch comes with reasonable defaults for most settings. +# Before you set out to tweak and tune the configuration, make sure you +# understand what are you trying to accomplish and the consequences. +# +# The primary way of configuring a node is via this file. This template lists +# the most important settings you may want to configure for a production cluster. +# +# Please consult the documentation for further information on configuration options: +# https://www.opensearch.org +# +# ---------------------------------- Cluster ----------------------------------- +# +# Use a descriptive name for your cluster: +# +#cluster.name: my-application +# +# ------------------------------------ Node ------------------------------------ +# +# Use a descriptive name for the node: +# +#node.name: node-1 +# +# Add custom attributes to the node: +# +#node.attr.rack: r1 +# +# ----------------------------------- Paths ------------------------------------ +# +# Path to directory where to store the data (separate multiple locations by comma): +# +path.data: /var/lib/opensearch +# +# Path to log files: +# +path.logs: /var/log/opensearch +# +# ----------------------------------- Memory ----------------------------------- +# +# Lock the memory on startup: +# +#bootstrap.memory_lock: true +# +# Make sure that the heap size is set to about half the memory available +# on the system and that the owner of the process is allowed to use this +# limit. +# +# OpenSearch performs poorly when the system is swapping the memory. +# +# ---------------------------------- Network ----------------------------------- +# +# Set the bind address to a specific IP (IPv4 or IPv6): +# +#network.host: 192.168.0.1 +# +# Set a custom port for HTTP: +# +#http.port: 9200 +# +# For more information, consult the network module documentation. 
+# +# --------------------------------- Discovery ---------------------------------- +# +# Pass an initial list of hosts to perform discovery when this node is started: +# The default list of hosts is ["127.0.0.1", "[::1]"] +# +#discovery.seed_hosts: ["host1", "host2"] +# +# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes: +# +#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"] +# +# For more information, consult the discovery and cluster formation module documentation. +# +# ---------------------------------- Gateway ----------------------------------- +# +# Block initial recovery after a full cluster restart until N nodes are started: +# +#gateway.recover_after_data_nodes: 3 +# +# For more information, consult the gateway module documentation. +# +# ---------------------------------- Various ----------------------------------- +# +# Require explicit names when deleting indices: +# +#action.destructive_requires_name: true +# +# ---------------------------------- Remote Store ----------------------------------- +# Controls whether cluster imposes index creation only with remote store enabled +# cluster.remote_store.enabled: true +# +# Repository to use for segment upload while enforcing remote store for an index +# node.attr.remote_store.segment.repository: my-repo-1 +# +# Repository to use for translog upload while enforcing remote store for an index +# node.attr.remote_store.translog.repository: my-repo-1 +# +# ---------------------------------- Experimental Features ----------------------------------- +# Gates the visibility of the experimental segment replication features until they are production ready. 
+# +#opensearch.experimental.feature.segment_replication_experimental.enabled: false +# +# Gates the functionality of a new parameter to the snapshot restore API +# that allows for creation of a new index type that searches a snapshot +# directly in a remote repository without restoring all index data to disk +# ahead of time. +# +#opensearch.experimental.feature.searchable_snapshot.enabled: false +# +# +# Gates the functionality of enabling extensions to work with OpenSearch. +# This feature enables applications to extend features of OpenSearch outside of +# the core. +# +#opensearch.experimental.feature.extensions.enabled: false +# +# +# Gates the optimization of datetime formatters caching along with change in default datetime formatter +# Once there is no observed impact on performance, this feature flag can be removed. +# +#opensearch.experimental.optimization.datetime_formatter_caching.enabled: false + + +######## Start OpenSearch Security Demo Configuration ######## +# WARNING: revise all the lines below before you go into production +plugins.security.ssl.transport.pemcert_filepath: esnode.pem +plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.http.enabled: true +plugins.security.ssl.http.pemcert_filepath: esnode.pem +plugins.security.ssl.http.pemkey_filepath: esnode-key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem +plugins.security.allow_unsafe_democertificates: true +plugins.security.allow_default_init_securityindex: true +plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de'] +plugins.security.audit.type: internal_opensearch +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access] 
+plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector, + .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, + .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, + .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config, + .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*, + .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*, + .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources, + .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models, + .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates, + .plugins-flow-framework-state, .plugins-search-relevance-experiment, .plugins-search-relevance-judgment-cache] +node.max_local_storage_nodes: 3 +######## End OpenSearch Security Demo Configuration ######## diff --git a/opensearch/securityadmin_demo.sh b/opensearch/securityadmin_demo.sh new file mode 100644 index 0000000..b0023a7 --- /dev/null +++ b/opensearch/securityadmin_demo.sh @@ -0,0 +1,2 @@ +#!/bin/bash +sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/etc/opensearch/opensearch-security" -icl -key "/etc/opensearch/kirk-key.pem" -cert "/etc/opensearch/kirk.pem" -cacert "/etc/opensearch/root-ca.pem" -nhnv
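Review bot: In the `opensearch/opensearch.yml` hunk, `plugins.security.nodes_dn` and `plugins.security.authcz.admin_dn` list the same wildcard DN (`CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR`), so the node certificate every cluster member presents on 9300 is also accepted as an admin certificate by securityadmin.sh and the security REST API; issue a separate admin client certificate with its own DN and list only that under admin_dn. In the same block, `plugins.security.ssl.transport.enforce_hostname_verification: false` is kept although its own comment says true is the recommendation; with one shared wildcard certificate, hostname verification is the only per-node check left, so either enable it (the internal names in `discovery.seed_hosts` all fall under `*.oneunivrs.com`) or record why it stays off. The comment above `plugins.security.unsupported.allow_now_in_dls: true` describes it as allowing creation of the `.opensearch-observability` and `.opensearch-notifications-config` indices, but the key's name refers to permitting `now` in document-level security (DLS) queries and sits in the `unsupported` namespace; the comment should state the setting's actual effect and why it is needed, or the line should go. `plugins.security.allow_default_init_securityindex: true` is right for the first start only; add a comment that it is set back to false once the security index exists. Finally, `network.host: 0.0.0.0` binds both 9200 and 9300 on every interface while the comment says the node serves internal and external traffic; bind the transport port to the internal address so it is not reachable from outside the cluster.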
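Review bot: The `opensearch/opensearch-security/roles_mapping.yml` hunk is the unmodified demo mapping (still headed `## Demo roles mapping`): `own_index` is mapped to `users: - "*"`, and `logstash`, `readall` and `manage_snapshots` are granted to backend roles that nothing else in these hunks references. For a production cluster, keep only the mappings that are actually used (`all_access` for the admin backend role, `kibana_server`, and whatever the JWT backend roles need) and remove the rest; a forgotten catch-all like `own_index` for every authenticated user is hard to spot later.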
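Review bot: Three of the added files should not be in the repository: `opensearch/opensearch.keystore` is a binary secure-settings store whose content cannot be reviewed and is now in history; `opensearch/opensearch.yml.bak` is the stock demo configuration with `plugins.security.allow_unsafe_democertificates: true` and the demo admin DN `CN=kirk,OU=client,O=client,L=test,C=de`; and `opensearch/securityadmin_demo.sh` applies the security config with the demo `kirk.pem`/`kirk-key.pem`/`root-ca.pem` and `-nhnv`. Against the committed `opensearch.yml` (demo certificates disabled, admin_dn set to the oneunivrs wildcard) that script cannot authenticate, so it is dead code that still points at demo material. Drop the `.bak` and the script, add the keystore to `.gitignore`, and if a securityadmin invocation belongs in the repo, commit one that uses the certificate matching the configured admin_dn and leaves hostname verification on.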