tigerjin/opensearch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

convert to gitea

Browse Source
This commit is contained in:
TigErJin
2025-09-15 13:35:51 +09:00
commit ef73e56eb9
38 changed files with 3314 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

514
README.md Normal file
View File

@ -0,0 +1,514 @@
# OpenSearch 3.1 클러스터 구축 가이드 (3-Node)
본 문서는 Ubuntu 24.04 환경에서 3대의 서버를 이용하여 OpenSearch 3.1 클러스터를 구축하고, 최종적으로 로드 밸런서(LB) 중심의 안정적인 프로덕션 아키텍처로 전환하는 전체 과정을 상세히 기술한다.
## 버전 히스토리
* **v1.0:** 개별 노드 직접 접속 방식의 초기 클러스터 구축
* **v2.0:** 로드 밸런서(LB)를 도입하여 고가용성 및 단일 접속점을 확보한 프로덕션 아키텍처로 전환
## 목차
1. [사전 정보](#1-사전-정보)
2. [**v1.0: 초기 클러스터 구축 (LB 미사용)**](#v10-초기-클러스터-구축-lb-미사용)
1. [1단계: 설치](#1단계-설치)
2. [2단계: 사전 준비](#2단계-사전-준비)
3. [3단계: OpenSearch 설정 (`opensearch.yml`)](#3단계-opensearch-설정-opensearchyml)
4. [4단계: JVM 및 시스템 설정](#4단계-jvm-및-시스템-설정)
5. [5단계: 보안 플러그인 설정](#5단계-보안-플러그인-설정)
6. [6단계: 클러스터 시작 및 적용](#6단계-클러스터-시작-및-적용)
7. [7단계: Dashboards 설정](#7단계-dashboards-설정)
8. [8단계: Dashboards 시작 및 확인](#8단계-dashboards-시작-및-확인)
9. [9단계: JWT 인증 테스트](#9단계-jwt-인증-테스트)
3. [**v2.0: LB 중심 아키텍처로 전환**](#v20-lb-중-심-아키텍처로-전환)
1. [10단계: 아키텍처 목표](#10단계-아키텍처-목표)
2. [11단계: LB 준비 및 Nginx 프록시 구축](#11단계-lb-준비-및-nginx-프록시-구축)
3. [12단계: OpenSearch 및 Dashboards 재구성](#12단계-opensearch-및-dashboards-재구성)
4. [13단계: 최종 전환 및 테스트](#13단계-최종-전환-및-테스트)
4. [**부록: 운영 및 관리**](#부록-운영-및-관리)
1. [주요 트러블슈팅 및 교훈](#주요-트러블슈팅-및-교훈)
2. [추가 권장 사항 및 팁](#추가-권장-사항-및-팁)
3. [사용자/역할 추가 (Dashboards UI)](#사용자역할-추가-dashboards-ui)
4. [인증서에서 정확한 DN 추출하기](#인증서에서-정확한-dn-추출하기)
5. [`-nameopt RFC2253` 옵션 상세 설명](#-nameopt-rfc2253-옵션-상세-설명)
---
## 1. 사전 정보
### 서버 사양 (3대 공통)
* **CPU:** 8 vCPU
* **Memory:** 65 GB
* **Disk:** 2 TB SSD
* **OS:** Ubuntu 24.04
* **SSH Port:** 42894
### 노드 정보
| 항목 | Node1 | Node2 | Node3 |
| :--- | :--- | :--- | :--- |
| **호스트네임** | ds-opensearch001 | ds-opensearch002 | ds-opensearch003 |
| **외부 DNS (v1.0)** | ds-osearch001.oneunivrs.com | ds-osearch002.oneunivrs.com | ds-osearch003.oneunivrs.com |
| **내부 DNS** | ds-osnode001.oneunivrs.com | ds-osnode002.oneunivrs.com | ds-osnode003.oneunivrs.com |
| **Private IP** | 10.0.10.8 | 10.0.10.9 | 10.0.10.10 |
### SSL 인증서
* **종류:** 와일드카드 `*.oneunivrs.com`
* **초기 위치:** Node1의 `/data/cert/`
* **파일:** `oneunivrs.pem`, `root.pem`, `oneunivrs_key.pem`
* **DN:** `C=KR, ST=Seoul, O="ONEUNIVERSE Co.,Ltd.", CN=*.oneunivrs.com`
### JWT 인증
* **방식:** 대칭키 (HS256)
* **서명키:** `UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA=`
---
## v1.0: 초기 클러스터 구축 (LB 미사용)
이 버전은 로드 밸런서 없이 각 노드에 직접 접속하는 방식의 기본 클러스터를 구축한다.
### 1단계: 설치
모든 작업은 `root` 계정으로 진행.
**[모든 노드]**
APT 저장소 설정 후 OpenSearch 설치. 초기 admin 비밀번호 지정.
```bash
# APT 저장소 설정 (공식 문서 참조)
# OpenSearch 설치 (3.1.0)
env OPENSEARCH_INITIAL_ADMIN_PASSWORD='DHp5#r#GYQ9d' apt-get install opensearch=3.1.0
# Dashboards도 미리 설치
apt-get install opensearch-dashboards=3.1.0
```
### 2단계: 사전 준비
**[모든 노드]**
#### 2.1. 데이터/로그 디렉토리 생성
```bash
mkdir -p /data/opensearch/{data,logs}
chown -R opensearch:opensearch /data/opensearch
```
#### 2.2. 인증서 복사 및 권한 설정
**[Node1]**
```bash
mkdir -p /etc/opensearch/certs
cp /data/cert/*.pem /etc/opensearch/certs/
# 다른 노드로 전송
scp -P 42894 /etc/opensearch/certs/*.pem root@ds-osnode002.oneunivrs.com:/etc/opensearch/certs/
scp -P 42894 /etc/opensearch/certs/*.pem root@ds-osnode003.oneunivrs.com:/etc/opensearch/certs/
```
**[모든 노드]**
```bash
chown -R opensearch:opensearch /etc/opensearch/certs
chmod 600 /etc/opensearch/certs/oneunivrs_key.pem # 개인키 권한 축소
chmod 644 /etc/opensearch/certs/oneunivrs.pem /etc/opensearch/certs/root.pem
```
### 3단계: OpenSearch 설정 (`opensearch.yml`)
**[모든 노드]**
기존 파일 백업 후, 각 노드에 맞게 `/etc/opensearch/opensearch.yml` 작성.
```yaml
# 클러스터 이름
cluster.name: ds-cluster
# [중요] node.name은 내부 DNS와 일치시킬 것 (클러스터링 실패 방지)
# Node1: node.name: ds-osnode001.oneunivrs.com
# Node2: node.name: ds-osnode002.oneunivrs.com
# Node3: node.name: ds-osnode003.oneunivrs.com
node.name: ds-osnode001.oneunivrs.com # 각 노드에 맞게 수정
# 역할
node.roles: [ cluster_manager, data ]
# 경로
path.data: /data/opensearch/data
path.logs: /data/opensearch/logs
# 메모리 잠금
bootstrap.memory_lock: true
# 네트워크
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# 클러스터링
discovery.seed_hosts:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# [중요] 최초 마스터 후보 목록. node.name과 일치해야 함.
cluster.initial_cluster_manager_nodes:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# 보안 플러그인
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.transport.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.http.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root.pem
# [주의] DN의 쉼표(,)는 백슬래시 두 개(\\)로 이스케이프
plugins.security.nodes_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
plugins.security.authcz.admin_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
plugins.security.allow_default_init_securityindex: true
plugins.security.audit.type: internal_opensearch
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
```
### 4단계: JVM 및 시스템 설정
**[모든 노드]**
#### 4.1. JVM 힙 메모리
`/etc/opensearch/jvm.options` 파일 수정. 31GB로 설정.
```bash
sed -i 's/^-Xms1g/#-Xms1g/' /etc/opensearch/jvm.options
sed -i 's/^-Xmx1g/#-Xmx1g/' /etc/opensearch/jvm.options
echo -e "\n-Xms31g\n-Xmx31g" >> /etc/opensearch/jvm.options
```
#### 4.2. Systemd 오버라이드
메모리 잠금과 경로 권한 부여.
```bash
mkdir -p /etc/systemd/system/opensearch.service.d
cat <<EOF > /etc/systemd/system/opensearch.service.d/override.conf
[Service]
LimitMEMLOCK=infinity
ReadWritePaths=/data/opensearch/
EOF
systemctl daemon-reload
systemctl enable opensearch.service
```
### 5단계: 보안 플러그인 설정
**[Node1에서 작업 후 다른 노드로 복사]**
#### 5.1. 인증 방식 설정 (`config.yml`)
`/etc/opensearch/opensearch-security/config.yml` 수정. JWT 우선, Basic 차선.
```yaml
---
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
anonymous_auth_enabled: false
authc:
# [중요] order: 0(JWT) -> order: 1(Basic)
jwt_auth_domain:
http_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
jwt_header: "Authorization" # "Bearer " 접두사는 자동 처리됨
subject_key: sub
roles_key: roles
authentication_backend:
type: noop
basic_internal_auth_domain:
http_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
```
#### 5.2. 역할 매핑 (`roles_mapping.yml`)
`/etc/opensearch/opensearch-security/roles_mapping.yml` 수정.
```yaml
# ... (기존 내용 유지)
all_access:
reserved: false
users:
- "admin" # 내부 사용자
backend_roles:
- "admin" # JWT를 통해 온 사용자
# ... (기존 내용 유지)
```
#### 5.3. 파일 복사 및 권한 설정
**[Node1]**
```bash
scp -P 42894 /etc/opensearch/opensearch-security/config.yml root@ds-osnode002.oneunivrs.com:/etc/opensearch/opensearch-security/
scp -P 42894 /etc/opensearch/opensearch-security/roles_mapping.yml root@ds-osnode002.oneunivrs.com:/etc/opensearch/opensearch-security/
scp -P 42894 /etc/opensearch/opensearch-security/config.yml root@ds-osnode003.oneunivrs.com:/etc/opensearch/opensearch-security/
scp -P 42894 /etc/opensearch/opensearch-security/roles_mapping.yml root@ds-osnode003.oneunivrs.com:/etc/opensearch/opensearch-security/
```
**[모든 노드]**
```bash
chown -R opensearch:opensearch /etc/opensearch
find /etc/opensearch -type d -exec chmod 750 {} \;
find /etc/opensearch -type f -exec chmod 640 {} \;
chmod 600 /etc/opensearch/certs/oneunivrs_key.pem
chmod -R 600 /etc/opensearch/opensearch-security/*
```
### 6단계: 클러스터 시작 및 적용
#### 6.1. 클러스터 시작
마스터가 아닌 노드부터 순차적으로 시작.
```bash
systemctl start opensearch.service # Node3 -> Node2 -> Node1 순으로 실행
```
#### 6.2. 개인키 변환 (PKCS#8)
`securityadmin.sh`는 PKCS#8 형식을 요구함.
**[Node1]**
```bash
openssl pkcs8 -topk8 -inform PEM -outform PEM -in /etc/opensearch/certs/oneunivrs_key.pem -out /etc/opensearch/certs/oneunivrs_key.p8.pem -nocrypt
chown opensearch:opensearch /etc/opensearch/certs/oneunivrs_key.p8.pem
chmod 600 /etc/opensearch/certs/oneunivrs_key.p8.pem
```
#### 6.3. 보안 설정 적용
**[Node1]**
```bash
# [중요] 3.1 버전은 REST 포트(9200)와 변환된 키(.p8.pem) 사용
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-cd /etc/opensearch/opensearch-security/ \
-cacert /etc/opensearch/certs/root.pem \
-cert /etc/opensearch/certs/oneunivrs.pem \
-key /etc/opensearch/certs/oneunivrs_key.p8.pem \
-h ds-osnode001.oneunivrs.com \
-p 9200 \
-icl \
-nhnv
```
### 7단계: Dashboards 설정
**[Node1]**
#### 7.1. 대시보드용 인증서 복사
```bash
mkdir -p /etc/opensearch-dashboards/certs
cp /etc/opensearch/certs/*.pem /etc/opensearch-dashboards/certs/
chown -R opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/certs
```
#### 7.2. `opensearch_dashboards.yml` 설정
```yaml
server.port: 5601
server.host: "0.0.0.0"
server.name: "oneunivrs-opensearch-dashboards"
# 고가용성을 위해 클러스터 노드 모두 기재
opensearch.hosts:
- https://ds-osearch001.oneunivrs.com:9200
- https://ds-osearch002.oneunivrs.com:9200
- https://ds-osearch003.oneunivrs.com:9200
# [중요] 2.x 이후 버전의 설정 키 이름
opensearch.requestHeadersWhitelist: [ "securitytenant", "authorization" ]
# 대시보드 HTTPS
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/certs/oneunivrs.pem
server.ssl.key: /etc/opensearch-dashboards/certs/oneunivrs_key.pem
# [중요] 2.x 이후 버전의 설정 키 이름 (배열)
opensearch.ssl:
verificationMode: full
certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ]
# 서비스 계정
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
# 보안 연동
opensearch_security:
multitenancy.enabled: true
auth.anonymous_auth_enabled: false
cookie.password: "강력하고_랜덤한_문자열_사용"
```
### 8단계: Dashboards 시작 및 확인
**[Node1]**
```bash
systemctl start opensearch-dashboards.service
systemctl enable opensearch-dashboards.service
```
브라우저에서 `https://ds-osearch001.oneunivrs.com:5601` 접속. `admin` / `DHp5#r#GYQ9d` 로그인 확인.
### 9단계: JWT 인증 테스트
#### 9.1. 서버에서 직접 토큰 생성
외부 도구의 키 처리 방식 문제로 서버에서 직접 생성하는 것이 가장 확실.
**[Node1]**
```bash
pip install pyjwt
vi create_token.py
```
```python
# create_token.py
import jwt, time, base64
base64_secret = "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
# [핵심] Base64 디코딩
decoded_secret = base64.b64decode(base64_secret)
payload = { "sub": "admin", "roles": ["admin"], "exp": int(time.time()) + 3600 }
token = jwt.encode(payload, decoded_secret, algorithm="HS256")
print(token)
```
```bash
python3 create_token.py # 토큰 생성 후 복사
```
#### 9.2. `curl`로 API 호출
```bash
curl -k -H "Authorization: Bearer <방금_생성한_토큰>" "https://ds-osearch001.oneunivrs.com:9200"
```
성공 응답 확인.
---
## v2.0: LB 중심 아키텍처로 전환
초기 구축된 클러스터를 프로덕션 환경에 적합하도록 로드 밸런서(LB) 중심의 고가용성 아키텍처로 전환한다.
### 10단계: 아키텍처 목표
* **AS-IS:** 클라이언트가 개별 노드(`ds-osearch001` 등)에 직접 접속.
* **TO-BE:** 클라이언트는 LB의 단일 대표 주소(`ds-opensearch.oneunivrs.com`)에만 접속. 노드들은 내부망에 격리되어 보안 강화.
### 11단계: LB 준비 및 Nginx 프록시 구축
LB의 헬스 체크 제약(200 OK만 허용)을 우회하기 위해, 모든 OpenSearch 노드에 헬스 체크 전용 Nginx 프록시를 설치한다.
**[모든 노드 (Node1, Node2, Node3)에서 실행]**
```bash
# Nginx 설치
apt-get update && apt-get install nginx -y
# Nginx용 SSL 디렉토리 생성 및 인증서 복사
mkdir -p /etc/nginx/ssl
cp /etc/opensearch/certs/*.pem /etc/nginx/ssl/
# 기본 설정 비활성화
rm /etc/nginx/sites-enabled/default
# 헬스 체크용 설정 파일 생성
vi /etc/nginx/sites-available/opensearch-healthcheck
```
`opensearch-healthcheck` 파일에 아래 내용을 작성한다.
```nginx
server {
listen 9201 ssl;
# [주의] IPv6 비활성화 환경에서는 아래 라인 주석 처리
# listen [::]:9201 ssl;
# 각 노드의 내부 DNS 또는 IP로 설정
server_name ds-osnode001.oneunivrs.com; # Node2에서는 ds-osnode002...
ssl_certificate /etc/nginx/ssl/oneunivrs.pem;
ssl_certificate_key /etc/nginx/ssl/oneunivrs_key.pem;
location / {
# 헬스 체크 요청에 무조건 200 OK 응답
return 200 'Healthy';
add_header Content-Type text/plain;
add_header Content-Length 7;
}
}
```
```bash
# 설정 활성화 및 재시작
ln -s /etc/nginx/sites-available/opensearch-healthcheck /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx
systemctl enable nginx
```
### 12단계: OpenSearch 및 Dashboards 재구성
**[로드 밸런서 설정]**
* **대표 DNS:** `ds-opensearch.oneunivrs.com`을 생성하여 LB의 Public IP에 연결.
* **리스너:** `HTTPS:9200` (API용), `HTTPS:5601` (Dashboards용) 생성.
* **SSL 인증서:** `oneunivrs.com` 인증서를 LB에 설치.
* **`opensearch-api` 타겟 그룹:**
* **대상:** `10.0.10.8:9200`, `10.0.10.9:9200`, `10.0.10.10:9200`
* **헬스 체크:** `HTTPS`, Port `9201`, Path `/`, Method `GET`
* **`opensearch-dashboard` 타겟 그룹:**
* **대상:** `10.0.10.8:5601`
* **헬스 체크:** `HTTPS`, Port `9201`, Path `/`, Method `GET` (API와 동일한 프록시 사용)
**[Node1의 Dashboards 설정 변경]**
`/etc/opensearch-dashboards/opensearch_dashboards.yml`을 수정하여 LB를 바라보게 한다.
```yaml
# opensearch.hosts를 새로운 LB 대표 DNS로 변경
opensearch.hosts: ["https://ds-opensearch.oneunivrs.com:9200"]
# [중요] LB <-> Dashboards 간 SNI 문제 해결을 위한 옵션 추가
opensearch.ssl:
alwaysPresentCertificate: true
verificationMode: full
certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ]
```
```bash
# Dashboards 서비스 재시작
systemctl restart opensearch-dashboards.service
```
### 13단계: 최종 전환 및 테스트
1. LB 콘솔에서 `opensearch-api``opensearch-dashboard` 타겟 그룹의 상태가 모두 `healthy`로 바뀌는지 확인한다.
2. 모든 클라이언트의 접속 주소를 `https://ds-opensearch.oneunivrs.com`으로 변경한다.
3. API와 Dashboards 접속이 모두 정상적으로 이루어지는지 최종 확인한다.
```bash
curl -k -H "Authorization: Bearer <최종_토큰>" "https://ds-opensearch.oneunivrs.com:9200"
```
4. (선택 사항) 전환이 안정화되면, 개별 노드의 외부 IP를 제거하고 방화벽을 강화하여 보안 수준을 높인다.
---
## 부록: 운영 및 관리
### 주요 트러블슈팅 및 교훈
1. **클러스터 형성 실패 (`cluster-manager not discovered`):** `opensearch.yml`의 `node.name`과 `cluster.initial_cluster_manager_nodes` 목록의 이름이 불일치. 클러스터링 관련 설정의 이름은 정확히 일치해야 함.
2. **`securityadmin.sh` 실행 실패:**
* **원인 1 (`InvalidKeySpecException`):** `securityadmin.sh`는 PKCS#8 형식의 개인키를 필요로 함. `openssl pkcs8` 명령으로 변환하여 해결.
* **원인 2 (포트 오류):** OpenSearch 2.12 이후 `securityadmin.sh`는 REST 포트(9200)를 사용.
3. **Dashboards 시작 실패:** 2.x 버전 이후 변경된 설정 키 이름 문제 (`requestHeadersWhitelist`, `ssl.ca`). 버전업 시 공식 문서의 Breaking Changes를 반드시 확인해야 함.
4. **JWT 인증 실패 (`Unauthorized`):**
* **근본 원인:** `signing_key`를 Base64 문자열 그대로 사용.
* **해결:** `signing_key`를 **Base64 디코딩**한 바이너리 값을 실제 비밀키로 사용하여 토큰을 생성해야 함.
5. **LB 헬스 체크 실패 (`503`, `401`, `405` 등):**
* **원인:** 사용하는 LB가 헬스 체크 성공 기준으로 `200 OK`만 허용하는데, 보안이 활성화된 OpenSearch/Dashboards는 인증되지 않은 요청에 `200 OK`를 반환하지 않음.
* **해결:** 모든 노드에 Nginx를 헬스 체크 전용 프록시로 설치. LB는 Nginx의 `9201` 포트로 헬스 체크를 요청하고, Nginx는 무조건 `200 OK`를 응답하여 문제를 우회함.
### 추가 권장 사항 및 팁
1. **롤링 리스타트 시 샤드 재배치 중단:** `/_cluster/settings` API를 통해 `cluster.routing.rebalance.enable`을 `none`으로 설정하면 재시작 속도를 높일 수 있음.
2. **인덱스 템플릿 및 ILM:** 데이터가 많아지기 전에 Dashboards의 `Index Management` 메뉴에서 인덱스 템플릿과 ILM(수명 주기 관리) 정책을 설정하여 운영을 자동화할 것.
3. **스냅샷 및 복구:** 데이터 유실 방지를 위해 Dashboards의 `Snapshots` 메뉴에서 외부 저장소(S3 등)로의 주기적인 백업을 반드시 설정할 것.
4. **방화벽 설정:** LB 전환 후 노드들의 외부 IP를 제거하고, OS 방화벽(UFW 등)을 사용해 신뢰할 수 있는 내부 IP 대역에서의 접속만 허용하여 보안을 강화할 것.
### 사용자/역할 추가 (Dashboards UI)
`admin` 계정으로 Dashboards에 로그인 후, `Security` 메뉴에서 YAML 파일 수정 없이 직관적으로 사용자, 역할, 역할 매핑을 관리할 수 있다. 일회성 작업은 UI를 사용하는 것이 편리하다.
* **역할 생성:** `Security > Roles > Create role`
* **사용자 생성:** `Security > Internal Users > Create internal user`
* **역할 매핑:** `Security > Roles > (역할 선택) > Mapped users > Manage mapping`
### 인증서에서 정확한 DN 추출하기
`opensearch.yml`의 `nodes_dn`, `admin_dn` 설정 시, `openssl` 명령어로 정확한 DN을 추출하여 사용하면 실수를 방지할 수 있다.
```bash
# [권장] RFC2253 형식으로 출력
openssl x509 -in /data/cert/oneunivrs.pem -noout -subject -nameopt RFC2253
```
**출력 예시:** `CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\,Ltd.,ST=Seoul,C=KR`
**`opensearch.yml` 적용 시:** YAML 문자열 내에서 백슬래시(`\`)는 이스케이프해야 하므로 `\\`로 변경해야 한다.
`"CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"`
### `-nameopt RFC2253` 옵션 상세 설명
이 옵션은 기계가 파싱하기 좋은 표준 형식으로 DN을 출력한다.
* `subject=` 같은 불필요한 접두사가 없다.
* 쉼표(`,`)로만 구분되며 불필요한 공백이 없다.
* **가장 중요:** DN 값 자체에 포함된 특수 문자(예: `Co.,Ltd.`의 쉼표)를 백슬래시(`\`)로 자동으로 이스케이프 처리해준다.
* OpenSearch 보안 플러그인은 이 형식을 가장 안정적으로 인식하므로, DN 설정 시 반드시 사용하는 것이 좋다.

74
cert/oneunivrs.pem Normal file
View File

@ -0,0 +1,74 @@
-----BEGIN CERTIFICATE-----
MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB
lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD
EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy
dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE
BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s
THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0
6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET
c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1
iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5
AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D
mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD
VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA
DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB
AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn
gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T
ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp
Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy
dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp
BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor
BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G
pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc
7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ
htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC
IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2
PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h
qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy
QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ
KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp
3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1
PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS
N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M
k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg
rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6
YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q
9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x
on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h
fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi
rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ
YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow
HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn
Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG
BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl
cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy
bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy
dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ
aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA
lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6
pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP
bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3
OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn
R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc
SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf
FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO
s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc
6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV
idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH
MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU=
-----END CERTIFICATE-----

27
cert/oneunivrs_key.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP06Uh4
Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQETc2Tm
O1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1iS13
Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5AHih
AJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7DmPJU
JnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABAoIBAHe8hIE2YZJP4noy
mdTj7fLXSwrOUpEQtREjhldXTodyE/rQkdb/W8A7EZ27MArO0vliwpDwrxRlaLSZ
jH/q9w1NJ0qtmo+GX9apIDvYcJmmsWkrk1m9KgOA8y4EjZ1r86zFTx9F4K8ZL3Xg
uTqhXFq6vO96pQhjQih4trWNoPnsSAecgp1WZ/xFNOp3cvKQT3yTIpBvLOfNK/TS
TW0IK189jcYH8rmh63kNFGrQVDIqxnFkOmephmurW2XLmh8ICzPSKeEi3PACgcCN
NOljhy5RuIBsde7MWnqawEa/ikuAonH+rQk4K2MDHEh+G1h40HTq3nxRq8CWwhCQ
7xujwikCgYEA+cObeeSoBPgJNZZlyGgVxv9FmviBPLeQ/0+MbJD1sbE8mTbSbdrg
RNjjCPdPw9zWFAO8qXyxgOKCsB2VnDu/jJJVhZDefKx+yQJShqNFsCWqRJiWoLmN
DNrfGhku4mL7Xmmx2zr6MEqk703YDwFsTk1cWDtPFc4a7pUMNV6YsMUCgYEA3lBM
Dm2YR6/Nbdn2sZO96NfPr5NLELfl4HFeciLKsKVrCU6AA+DcxBp8LANc5HAacUfO
Gpk5YeUUQGeHmFZzuf3lWkUHsyQHgNszp39bY8UTcEsoJkxe3zfxBXjZIIlnTx4M
peUnbh5d0niMluaLOjAxJIL1K1kVCipOGHueBW8CgYEAuTGTDPTAqL6JhZR47/pN
e3o4UEpG+ZBbERQY2T87DoCOoESIDzCl7iarYTCPknkiu0ByGXH948UQhinJj0i2
JTMz+o+KiQMWF1GDg5V4zL2A3NAPkClFLuzzVFSr8OzX2g+g8x9t93TBizc7JxU1
C3JNMJb5cv+Z9KHLpZ74tMkCgYAhPlChN7I1xgwqCRXip/0V/G+KCbSH43f0f/9n
gdxdXd8LnTl3WwCoMm2vBzG01y6dEee4AoGaKe9FUjXsicD0ZwsM3JWyLAkTM7Qd
r+WynZ2yhQqT74egSXU5JEETpHhWVF//zqx+wvu0pWIgjojzQpGWrB6NRNzokDrt
Xk7a8QKBgBNwM01teDQQ5y2KTbfWbP8UMvHJ19DPDiAU2ySZ7+ph6chc+uAjgD6J
Jxrf0aA9duROCkzOlsbpDTOsz91AD+OMmbOD3SGenhsEVLi52LwHPbPOVdfTJOGD
ug/YMPrS+dLdoqBfEDS3OqRIBmq+zMgFmt1vF540H44yOHzfBOOG
-----END RSA PRIVATE KEY-----

28
cert/oneunivrs_key_pkcs8.pem Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDY5fgocCi0pQQn
dodxndIDDSrfrgOMO5Drxiv9dt4aw/TpSHgeLiPtvFphIT+I49RFsi24925ikjXr
K5aiunjCeewkzRjzXKefNUfvBcUhARNzZOY7UGbqwf+cT/vTNNC+t6XbVvEOM1GO
vnaooz+mC1yPzuWM568T6ScyCUmQtjWJLXcrDPkSjUbKngYUgKMWqi8RNKzBTEoV
YKhXFRCLLc02yMtlhAZjlCxwE5HdxPkAeKEAnIVCK+GXQbsPh8G9fX36QrKu1Qcc
hyVUd9RElVnvycakkq65krB0HruHDsOY8lQmccsYkWyDqa/PN2oFBD0EzPKiIp+/
raDAPn5rAgMBAAECggEAd7yEgTZhkk/iejKZ1OPt8tdLCs5SkRC1ESOGV1dOh3IT
+tCR1v9bwDsRnbswCs7S+WLCkPCvFGVotJmMf+r3DU0nSq2aj4Zf1qkgO9hwmaax
aSuTWb0qA4DzLgSNnWvzrMVPH0XgrxkvdeC5OqFcWrq873qlCGNCKHi2tY2g+exI
B5yCnVZn/EU06ndy8pBPfJMikG8s580r9NJNbQgrXz2NxgfyuaHreQ0UatBUMirG
cWQ6Z6mGa6tbZcuaHwgLM9Ip4SLc8AKBwI006WOHLlG4gGx17sxaeprARr+KS4Ci
cf6tCTgrYwMcSH4bWHjQdOrefFGrwJbCEJDvG6PCKQKBgQD5w5t55KgE+Ak1lmXI
aBXG/0Wa+IE8t5D/T4xskPWxsTyZNtJt2uBE2OMI90/D3NYUA7ypfLGA4oKwHZWc
O7+MklWFkN58rH7JAlKGo0WwJapEmJaguY0M2t8aGS7iYvteabHbOvowSqTvTdgP
AWxOTVxYO08VzhrulQw1XpiwxQKBgQDeUEwObZhHr81t2faxk73o18+vk0sQt+Xg
cV5yIsqwpWsJToAD4NzEGnwsA1zkcBpxR84amTlh5RRAZ4eYVnO5/eVaRQezJAeA
2zOnf1tjxRNwSygmTF7fN/EFeNkgiWdPHgyl5SduHl3SeIyW5os6MDEkgvUrWRUK
Kk4Ye54FbwKBgQC5MZMM9MCovomFlHjv+k17ejhQSkb5kFsRFBjZPzsOgI6gRIgP
MKXuJqthMI+SeSK7QHIZcf3jxRCGKcmPSLYlMzP6j4qJAxYXUYODlXjMvYDc0A+Q
KUUu7PNUVKvw7NfaD6DzH233dMGLNzsnFTULck0wlvly/5n0oculnvi0yQKBgCE+
UKE3sjXGDCoJFeKn/RX8b4oJtIfjd/R//2eB3F1d3wudOXdbAKgyba8HMbTXLp0R
57gCgZop70VSNeyJwPRnCwzclbIsCRMztB2v5bKdnbKFCpPvh6BJdTkkQROkeFZU
X//OrH7C+7SlYiCOiPNCkZasHo1E3OiQOu1eTtrxAoGAE3AzTW14NBDnLYpNt9Zs
/xQy8cnX0M8OIBTbJJnv6mHpyFz64COAPoknGt/RoD125E4KTM6WxukNM6zP3UAP
44yZs4PdIZ6eGwRUuLnYvAc9s85V19Mk4YO6D9gw+tL50t2ioF8QNLc6pEgGar7M
yAWa3W8XnjQfjjI4fN8E44Y=
-----END PRIVATE KEY-----

34
cert/root.pem Normal file
View File

@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----

26
create_jwt.py Normal file
View File

@ -0,0 +1,26 @@
# create_jwt.py
import jwt
import time
import base64
# ★★★★★ 1단계에서 생성한 동일한 비밀 키를 сюда 붙여넣습니다 ★★★★★
secret_key = "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
secret_key_64 = base64.b64decode(secret_key)
# 페이로드 데이터 정의 (이전과 동일)
payload = {
'sub': 'admin',
'roles': ['admin'],
'exp': int(time.time()) + 3600,
'iat': int(time.time())
}
# ★★★★★ JWT 생성 (알고리즘: HS256) ★★★★★
token = jwt.encode(
payload,
secret_key_64,
algorithm='HS256'
)
# 생성된 토큰 출력
print(token)

74
opensearch-dashboards/certs/oneunivrs.pem Normal file
View File

@ -0,0 +1,74 @@
-----BEGIN CERTIFICATE-----
MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB
lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD
EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy
dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE
BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s
THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0
6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET
c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1
iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5
AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D
mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD
VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA
DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB
AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn
gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T
ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp
Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy
dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp
BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor
BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G
pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc
7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ
htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC
IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2
PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h
qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy
QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ
KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp
3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1
PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS
N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M
k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg
rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6
YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q
9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x
on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h
fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi
rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ
YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow
HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn
Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG
BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl
cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy
bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy
dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ
aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA
lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6
pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP
bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3
OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn
R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc
SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf
FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO
s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc
6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV
idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH
MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU=
-----END CERTIFICATE-----

27
opensearch-dashboards/certs/oneunivrs_key.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP06Uh4
Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQETc2Tm
O1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1iS13
Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5AHih
AJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7DmPJU
JnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABAoIBAHe8hIE2YZJP4noy
mdTj7fLXSwrOUpEQtREjhldXTodyE/rQkdb/W8A7EZ27MArO0vliwpDwrxRlaLSZ
jH/q9w1NJ0qtmo+GX9apIDvYcJmmsWkrk1m9KgOA8y4EjZ1r86zFTx9F4K8ZL3Xg
uTqhXFq6vO96pQhjQih4trWNoPnsSAecgp1WZ/xFNOp3cvKQT3yTIpBvLOfNK/TS
TW0IK189jcYH8rmh63kNFGrQVDIqxnFkOmephmurW2XLmh8ICzPSKeEi3PACgcCN
NOljhy5RuIBsde7MWnqawEa/ikuAonH+rQk4K2MDHEh+G1h40HTq3nxRq8CWwhCQ
7xujwikCgYEA+cObeeSoBPgJNZZlyGgVxv9FmviBPLeQ/0+MbJD1sbE8mTbSbdrg
RNjjCPdPw9zWFAO8qXyxgOKCsB2VnDu/jJJVhZDefKx+yQJShqNFsCWqRJiWoLmN
DNrfGhku4mL7Xmmx2zr6MEqk703YDwFsTk1cWDtPFc4a7pUMNV6YsMUCgYEA3lBM
Dm2YR6/Nbdn2sZO96NfPr5NLELfl4HFeciLKsKVrCU6AA+DcxBp8LANc5HAacUfO
Gpk5YeUUQGeHmFZzuf3lWkUHsyQHgNszp39bY8UTcEsoJkxe3zfxBXjZIIlnTx4M
peUnbh5d0niMluaLOjAxJIL1K1kVCipOGHueBW8CgYEAuTGTDPTAqL6JhZR47/pN
e3o4UEpG+ZBbERQY2T87DoCOoESIDzCl7iarYTCPknkiu0ByGXH948UQhinJj0i2
JTMz+o+KiQMWF1GDg5V4zL2A3NAPkClFLuzzVFSr8OzX2g+g8x9t93TBizc7JxU1
C3JNMJb5cv+Z9KHLpZ74tMkCgYAhPlChN7I1xgwqCRXip/0V/G+KCbSH43f0f/9n
gdxdXd8LnTl3WwCoMm2vBzG01y6dEee4AoGaKe9FUjXsicD0ZwsM3JWyLAkTM7Qd
r+WynZ2yhQqT74egSXU5JEETpHhWVF//zqx+wvu0pWIgjojzQpGWrB6NRNzokDrt
Xk7a8QKBgBNwM01teDQQ5y2KTbfWbP8UMvHJ19DPDiAU2ySZ7+ph6chc+uAjgD6J
Jxrf0aA9duROCkzOlsbpDTOsz91AD+OMmbOD3SGenhsEVLi52LwHPbPOVdfTJOGD
ug/YMPrS+dLdoqBfEDS3OqRIBmq+zMgFmt1vF540H44yOHzfBOOG
-----END RSA PRIVATE KEY-----

34
opensearch-dashboards/certs/root.pem Normal file
View File

@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----

9
opensearch-dashboards/node.options Normal file
View File

@ -0,0 +1,9 @@
## Node command line options
## See `node --help` and `node --v8-options` for available options
## Please note you should specify one option per line
## max size of old space in megabytes
#--max-old-space-size=4096
## max size of semi space in megabytes
#--max-semi-space-size=64

47
opensearch-dashboards/opensearch_dashboards.yml Normal file
View File

@ -0,0 +1,47 @@
# ================= DUAL USE: DO NOT EDIT =================
# OpenSearch Dashboards가 사용할 포트. 기본값 5601.
server.port: 5601
# 외부에서 접속할 수 있도록 모든 네트워크 인터페이스에서 리슨.
server.host: "0.0.0.0"
# 브라우저에 표시될 대시보드 서버 이름.
server.name: "oneunivrs-opensearch-dashboards"
# 연결할 OpenSearch 클러스터 노드 목록. (HTTPS 필수)
# 고가용성을 위해 3개 노드를 모두 기재.
#opensearch.hosts:
# - https://ds-osearch001.oneunivrs.com:9200
# - https://ds-osearch002.oneunivrs.com:9200
# - https://ds-osearch003.oneunivrs.com:9200
# [원상 복구] LB의 대표 주소 하나만 사용하되, https로 변경
opensearch.hosts: ["https://ds-opensearch.oneunivrs.com:9200"]
# 인증 관련 헤더를 허용 목록에 추가.
opensearch.requestHeadersWhitelist: [ "securitytenant", "authorization" ]
# 대시보드와 브라우저 간 통신을 HTTPS로 암호화.
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/certs/oneunivrs.pem
server.ssl.key: /etc/opensearch-dashboards/certs/oneunivrs_key.pem
# 대시보드가 OpenSearch 클러스터와 통신 시 SSL/TLS 설정.
opensearch.ssl:
verificationMode: full
# 서버 인증서 검증에 사용할 CA 루트 인증서.
certificateAuthorities: [ "/etc/opensearch-dashboards/certs/root.pem" ]
# OpenSearch 클러스터에 접속할 서비스 계정.
# 보안상 admin 대신 기본 제공되는 kibanaserver 계정 사용을 권장.
# (kibanaserver 계정의 기본 PW는 계정명과 동일)
opensearch.username: "kibanaserver"
opensearch.password: "mY9!lytaVBkX"
# OpenSearch Security 플러그인과 연동 설정.
opensearch_security:
# 멀티 테넌시 기능 활성화.
multitenancy.enabled: true
# 로그인하지 않은 사용자는 접속 불가.
auth.anonymous_auth_enabled: false
# 쿠키의 비밀번호. 임의의 긴 문자열로 변경하는 것을 권장.
cookie.password: "ChpPaDg2agzDD2czacgdAgivjXh1JSOPZuz+EhF3jDg="

233
opensearch-dashboards/opensearch_dashboards.yml.bak Normal file
View File

@ -0,0 +1,233 @@
---
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
# Description:
# Default configuration for OpenSearch Dashboards
# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
# server.port: 5601
# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
# server.host: "localhost"
# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
# server.basePath: ""
# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# server.rewriteBasePath: false
# The maximum payload size in bytes for incoming server requests.
# server.maxPayloadBytes: 1048576
# The OpenSearch Dashboards server's name. This is used for display purposes.
# server.name: "your-hostname"
# The URLs of the OpenSearch instances to use for all your queries.
# opensearch.hosts: ["http://localhost:9200"]
# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
# opensearchDashboards.index: ".opensearch_dashboards"
# The default application to load.
# opensearchDashboards.defaultAppId: "home"
# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
# This settings should be used for large clusters or for clusters with ingest heavy nodes.
# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
#
# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
# opensearch.optimizedHealthcheckId: "cluster_id"
# If your OpenSearch is protected with basic authentication, these settings provide
# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
# is proxied through the OpenSearch Dashboards server.
# opensearch.username: "opensearch_dashboards_system"
# opensearch.password: "pass"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
# server.ssl.enabled: false
# server.ssl.certificate: /path/to/your/server.crt
# server.ssl.key: /path/to/your/server.key
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
# opensearch.ssl.certificate: /path/to/your/client.crt
# opensearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your OpenSearch instance.
# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
# opensearch.ssl.verificationMode: full
# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
# the opensearch.requestTimeout setting.
# opensearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
# must be a positive integer.
# opensearch.requestTimeout: 30000
# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
# headers, set this value to [] (an empty list).
# opensearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
# opensearch.customHeaders: {}
# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
# opensearch.shardTimeout: 30000
# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
# opensearch.logQueries: false
# Specifies the path where OpenSearch Dashboards creates the process ID file.
# pid.file: /var/run/opensearchDashboards.pid
# Enables you to specify a file where OpenSearch Dashboards stores log output.
# logging.dest: stdout
# 2.15 Ignore 'ENOSPC' error for logging stream.
# When set to true, the 'ENOSPC' error message will not cause the OpenSearch Dashboards process to crash. Otherwise,
# the original behavior will be maintained. It is disabled by default.
# logging.ignoreEnospcError: false
# Set the value of this setting to true to suppress all logging output.
# logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
# logging.verbose: false
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
# ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
# i18n.locale: "en"
# Set the allowlist to check input graphite Url. Allowlist is the default check list.
# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
# Set the blocklist to check input graphite Url. Blocklist is an IP list.
# Below is an example for reference
# vis_type_timeline.graphiteBlockedIPs: [
# //Loopback
# '127.0.0.0/8',
# '::1/128',
# //Link-local Address for IPv6
# 'fe80::/10',
# //Private IP address for IPv4
# '10.0.0.0/8',
# '172.16.0.0/12',
# '192.168.0.0/16',
# //Unique local address (ULA)
# 'fc00::/7',
# //Reserved IP address
# '0.0.0.0/8',
# '100.64.0.0/10',
# '192.0.0.0/24',
# '192.0.2.0/24',
# '198.18.0.0/15',
# '192.88.99.0/24',
# '198.51.100.0/24',
# '203.0.113.0/24',
# '224.0.0.0/4',
# '240.0.0.0/4',
# '255.255.255.255/32',
# '::/128',
# '2001:db8::/32',
# 'ff00::/8',
# ]
# vis_type_timeline.graphiteBlockedIPs: []
# opensearchDashboards.branding:
# logo:
# defaultUrl: ""
# darkModeUrl: ""
# mark:
# defaultUrl: ""
# darkModeUrl: ""
# loadingLogo:
# defaultUrl: ""
# darkModeUrl: ""
# faviconUrl: ""
# applicationTitle: ""
# Set the value of this setting to true to capture region blocked warnings and errors
# for your map rendering services.
# map.showRegionBlockedWarning: false%
# Set the value of this setting to false to suppress search usage telemetry
# for reducing the load of OpenSearch cluster.
# data.search.usageTelemetry.enabled: false
# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
# Set the value of this setting to false to disable VisBuilder
# functionality in Visualization.
# vis_builder.enabled: false
# 2.4 New Experimental Feature
# Set the value of this setting to true to enable the experimental multiple data source
# support feature. Use with caution.
# data_source.enabled: false
# Set the value of these settings to customize crypto materials to encryption saved credentials
# in data sources.
# data_source.encryption.wrappingKeyName: 'changeme'
# data_source.encryption.wrappingKeyNamespace: 'changeme'
# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
# 2.6 New ML Commons Dashboards Feature
# Set the value of this setting to true to enable the ml commons dashboards
# ml_commons_dashboards.enabled: false
# 2.12 New Experimental Assistant Dashboards Feature
# Set the value of this setting to true to enable the assistant dashboards
# assistant.chat.enabled: false
# 2.13 New Query Assistant Feature
# Set the value of this setting to false to disable the query assistant
# observability.query_assist.enabled: false
# 2.14 Enable Ui Metric Collectors in Usage Collector
# Set the value of this setting to true to enable UI Metric collections
# usageCollection.uiMetric.enabled: false
# 2.18 New Experimental Settings
# Set the value to true to enable
# assistant.alertInsight.enabled: false
# assistant.smartAnomalyDetector.enabled: false
# assistant.text2viz.enabled: false
# queryEnhancements.queryAssist.summary.enabled: false
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false

75
opensearch/certs/oneunivrs.pem Normal file
View File

@ -0,0 +1,75 @@
-----BEGIN CERTIFICATE-----
MIIG3DCCBcSgAwIBAgIQI7HwYLK90Z/u0busbZkuOjANBgkqhkiG9w0BAQsFADCB
lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD
EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy
dmVyIENBMB4XDTI1MDQzMDAwMDAwMFoXDTI2MDUyMjIzNTk1OVowVjELMAkGA1UE
BhMCS1IxDjAMBgNVBAgTBVNlb3VsMR0wGwYDVQQKExRPTkVVTklWRVJTRSBDby4s
THRkLjEYMBYGA1UEAwwPKi5vbmV1bml2cnMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP0
6Uh4Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQET
c2TmO1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1
iS13Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5
AHihAJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7D
mPJUJnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABo4IDZDCCA2AwHwYD
VR0jBBgwFoAUF9nWJSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFOeCCHyzfBxA
DQOtvxaUEQ/makYHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEB
AgEDBDAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZn
gQwBAgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9T
ZWN0aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
bDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3Rp
Z28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2Vy
dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAp
BgNVHREEIjAggg8qLm9uZXVuaXZycy5jb22CDW9uZXVuaXZycy5jb20wggF/Bgor
BgEEAdZ5AgQCBIIBbwSCAWsBaQB3AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5G
pD8PyqnGAAABloRdhrYAAAQDAEgwRgIhAN7bBgG7YfBKNZYEFpiXQLasqWEZpPYc
7/HMQfqWHaTEAiEA8KcmKp0OovpLTIYDNOZvbcWf1DbS56RrjyC4UR0BelEAdgAZ
htTHKKpv/roDb3gqTQGRqs4tcjEPrs5dcEEtJUzH1AAAAZaEXYaTAAAEAwBHMEUC
IQDd8FgCGV0daf8q6UtPt0vU3Y8dFurpu0TzFHLvhLsp8QIgbn9AfJTvWolax+R2
PEStX+gCsArz6Zopuu03MMiEsiUAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0h
qSWsYcVOIQAAAZaEXYaXAAAEAwBHMEUCIQCa5ZG/2uiQiNVTP9yFjftDsxKSsuFy
QKADyYvD8RC7iAIgaRszfxOAefjvCWWjWaYqVkZRv7Q4CqRMbi9OjXmkneUwDQYJ
KoZIhvcNAQELBQADggEBAIRkgwjittu7Rzb2tWzbsnLbYn9q0Q92xF9FDAJzoOTp
3NNo9+di1ILzM/+oi/mbxqIEa/ZLebrZcz3m9ae70zfu9YZxZrHx+ycmOAwBo8C1
PNXOjK6drWgEWdeW0ohLa3UgIFzVcaJfcb8J4CqJFbeYO+zA6ONceJXooNIlxJdS
N4iwEAtCG5lnrscRjXFZZw9JyNPiL44y3Fyp0/x6hjuPL6Mts6CscMMTWq7cWs4M
k79e3y6ZC0eyr/bCde9Hfw5Yw2IT8EHRyPMnZlZq3RVkAkPUQEUSTcfjRkdaoIrg
rxTK93CaluJCMaigkoPt/8/R8I2UTEFCvoDuc2SwWbQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6
YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q
9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x
on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h
fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi
rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ
YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow
HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn
Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG
BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl
cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy
bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy
dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ
aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA
lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6
pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP
bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3
OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn
R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc
SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf
FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO
s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc
6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV
idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH
MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU=
-----END CERTIFICATE-----

28
opensearch/certs/oneunivrs_key.p8.pem Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDY5fgocCi0pQQn
dodxndIDDSrfrgOMO5Drxiv9dt4aw/TpSHgeLiPtvFphIT+I49RFsi24925ikjXr
K5aiunjCeewkzRjzXKefNUfvBcUhARNzZOY7UGbqwf+cT/vTNNC+t6XbVvEOM1GO
vnaooz+mC1yPzuWM568T6ScyCUmQtjWJLXcrDPkSjUbKngYUgKMWqi8RNKzBTEoV
YKhXFRCLLc02yMtlhAZjlCxwE5HdxPkAeKEAnIVCK+GXQbsPh8G9fX36QrKu1Qcc
hyVUd9RElVnvycakkq65krB0HruHDsOY8lQmccsYkWyDqa/PN2oFBD0EzPKiIp+/
raDAPn5rAgMBAAECggEAd7yEgTZhkk/iejKZ1OPt8tdLCs5SkRC1ESOGV1dOh3IT
+tCR1v9bwDsRnbswCs7S+WLCkPCvFGVotJmMf+r3DU0nSq2aj4Zf1qkgO9hwmaax
aSuTWb0qA4DzLgSNnWvzrMVPH0XgrxkvdeC5OqFcWrq873qlCGNCKHi2tY2g+exI
B5yCnVZn/EU06ndy8pBPfJMikG8s580r9NJNbQgrXz2NxgfyuaHreQ0UatBUMirG
cWQ6Z6mGa6tbZcuaHwgLM9Ip4SLc8AKBwI006WOHLlG4gGx17sxaeprARr+KS4Ci
cf6tCTgrYwMcSH4bWHjQdOrefFGrwJbCEJDvG6PCKQKBgQD5w5t55KgE+Ak1lmXI
aBXG/0Wa+IE8t5D/T4xskPWxsTyZNtJt2uBE2OMI90/D3NYUA7ypfLGA4oKwHZWc
O7+MklWFkN58rH7JAlKGo0WwJapEmJaguY0M2t8aGS7iYvteabHbOvowSqTvTdgP
AWxOTVxYO08VzhrulQw1XpiwxQKBgQDeUEwObZhHr81t2faxk73o18+vk0sQt+Xg
cV5yIsqwpWsJToAD4NzEGnwsA1zkcBpxR84amTlh5RRAZ4eYVnO5/eVaRQezJAeA
2zOnf1tjxRNwSygmTF7fN/EFeNkgiWdPHgyl5SduHl3SeIyW5os6MDEkgvUrWRUK
Kk4Ye54FbwKBgQC5MZMM9MCovomFlHjv+k17ejhQSkb5kFsRFBjZPzsOgI6gRIgP
MKXuJqthMI+SeSK7QHIZcf3jxRCGKcmPSLYlMzP6j4qJAxYXUYODlXjMvYDc0A+Q
KUUu7PNUVKvw7NfaD6DzH233dMGLNzsnFTULck0wlvly/5n0oculnvi0yQKBgCE+
UKE3sjXGDCoJFeKn/RX8b4oJtIfjd/R//2eB3F1d3wudOXdbAKgyba8HMbTXLp0R
57gCgZop70VSNeyJwPRnCwzclbIsCRMztB2v5bKdnbKFCpPvh6BJdTkkQROkeFZU
X//OrH7C+7SlYiCOiPNCkZasHo1E3OiQOu1eTtrxAoGAE3AzTW14NBDnLYpNt9Zs
/xQy8cnX0M8OIBTbJJnv6mHpyFz64COAPoknGt/RoD125E4KTM6WxukNM6zP3UAP
44yZs4PdIZ6eGwRUuLnYvAc9s85V19Mk4YO6D9gw+tL50t2ioF8QNLc6pEgGar7M
yAWa3W8XnjQfjjI4fN8E44Y=
-----END PRIVATE KEY-----

27
opensearch/certs/oneunivrs_key.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA2OX4KHAotKUEJ3aHcZ3SAw0q364DjDuQ68Yr/XbeGsP06Uh4
Hi4j7bxaYSE/iOPURbItuPduYpI16yuWorp4wnnsJM0Y81ynnzVH7wXFIQETc2Tm
O1Bm6sH/nE/70zTQvrel21bxDjNRjr52qKM/pgtcj87ljOevE+knMglJkLY1iS13
Kwz5Eo1Gyp4GFICjFqovETSswUxKFWCoVxUQiy3NNsjLZYQGY5QscBOR3cT5AHih
AJyFQivhl0G7D4fBvX19+kKyrtUHHIclVHfURJVZ78nGpJKuuZKwdB67hw7DmPJU
JnHLGJFsg6mvzzdqBQQ9BMzyoiKfv62gwD5+awIDAQABAoIBAHe8hIE2YZJP4noy
mdTj7fLXSwrOUpEQtREjhldXTodyE/rQkdb/W8A7EZ27MArO0vliwpDwrxRlaLSZ
jH/q9w1NJ0qtmo+GX9apIDvYcJmmsWkrk1m9KgOA8y4EjZ1r86zFTx9F4K8ZL3Xg
uTqhXFq6vO96pQhjQih4trWNoPnsSAecgp1WZ/xFNOp3cvKQT3yTIpBvLOfNK/TS
TW0IK189jcYH8rmh63kNFGrQVDIqxnFkOmephmurW2XLmh8ICzPSKeEi3PACgcCN
NOljhy5RuIBsde7MWnqawEa/ikuAonH+rQk4K2MDHEh+G1h40HTq3nxRq8CWwhCQ
7xujwikCgYEA+cObeeSoBPgJNZZlyGgVxv9FmviBPLeQ/0+MbJD1sbE8mTbSbdrg
RNjjCPdPw9zWFAO8qXyxgOKCsB2VnDu/jJJVhZDefKx+yQJShqNFsCWqRJiWoLmN
DNrfGhku4mL7Xmmx2zr6MEqk703YDwFsTk1cWDtPFc4a7pUMNV6YsMUCgYEA3lBM
Dm2YR6/Nbdn2sZO96NfPr5NLELfl4HFeciLKsKVrCU6AA+DcxBp8LANc5HAacUfO
Gpk5YeUUQGeHmFZzuf3lWkUHsyQHgNszp39bY8UTcEsoJkxe3zfxBXjZIIlnTx4M
peUnbh5d0niMluaLOjAxJIL1K1kVCipOGHueBW8CgYEAuTGTDPTAqL6JhZR47/pN
e3o4UEpG+ZBbERQY2T87DoCOoESIDzCl7iarYTCPknkiu0ByGXH948UQhinJj0i2
JTMz+o+KiQMWF1GDg5V4zL2A3NAPkClFLuzzVFSr8OzX2g+g8x9t93TBizc7JxU1
C3JNMJb5cv+Z9KHLpZ74tMkCgYAhPlChN7I1xgwqCRXip/0V/G+KCbSH43f0f/9n
gdxdXd8LnTl3WwCoMm2vBzG01y6dEee4AoGaKe9FUjXsicD0ZwsM3JWyLAkTM7Qd
r+WynZ2yhQqT74egSXU5JEETpHhWVF//zqx+wvu0pWIgjojzQpGWrB6NRNzokDrt
Xk7a8QKBgBNwM01teDQQ5y2KTbfWbP8UMvHJ19DPDiAU2ySZ7+ph6chc+uAjgD6J
Jxrf0aA9duROCkzOlsbpDTOsz91AD+OMmbOD3SGenhsEVLi52LwHPbPOVdfTJOGD
ug/YMPrS+dLdoqBfEDS3OqRIBmq+zMgFmt1vF540H44yOHzfBOOG
-----END RSA PRIVATE KEY-----

34
opensearch/certs/root.pem Normal file
View File

@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----

10
opensearch/fips_java.security Normal file
View File

@ -0,0 +1,10 @@
# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in approved-only mode
# Intended to be used complementary with a single equal sign e.g. 'java.security.properties=fips_java.security'
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunJGSS
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX

98
opensearch/jvm.options Normal file
View File

@ -0,0 +1,98 @@
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://opensearch.org/docs/opensearch/install/important-settings/
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
#-Xms1g
#-Xmx1g
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
8-10:-XX:+UseConcMarkSweepGC
8-10:-XX:CMSInitiatingOccupancyFraction=75
8-10:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1GC is the default GC for all JDKs 11 and newer
11-:-XX:+UseG1GC
# See https://github.com/elastic/elasticsearch/pull/46169 for the history
# behind these settings, but the tl;dr is that default values can lead
# to situations where heap usage grows enough to trigger a circuit breaker
# before GC kicks in.
11-:-XX:G1ReservePercent=25
11-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=/var/lib/opensearch
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/opensearch/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/opensearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# JDK 20+ Incubating Vector Module for SIMD optimizations;
# disabling may reduce performance on vector optimized lucene
20-:--add-modules=jdk.incubator.vector
# See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283)
23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
21-:-javaagent:agent/opensearch-agent.jar
21-:--add-opens=java.base/java.nio=org.apache.arrow.memory.core,ALL-UNNAMED
## OpenSearch Performance Analyzer
-Dclk.tck=100
-Djdk.attach.allowAttachSelf=true
-Djava.security.policy=file:///etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy
--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED
# Set heap size to 31GB
-Xms31g
-Xmx31g

275
opensearch/log4j2.properties Normal file
View File

@ -0,0 +1,275 @@
#
# SPDX-License-Identifier: Apache-2.0
#
# The OpenSearch Contributors require contributions made to
# this file be licensed under the Apache-2.0 license or a
# compatible open source license.
#
# Modifications Copyright OpenSearch Contributors. See
# GitHub history for details.
#
status = error
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
######## Server JSON ############################
appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_server.json
appender.rolling.filePermissions = rw-r-----
appender.rolling.layout.type = OpenSearchJsonLayout
appender.rolling.layout.type_name = server
appender.rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz
appender.rolling.policies.type = Policies
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling.policies.time.interval = 1
appender.rolling.policies.time.modulate = true
appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling.policies.size.size = 128MB
appender.rolling.strategy.type = DefaultRolloverStrategy
appender.rolling.strategy.fileIndex = nomax
appender.rolling.strategy.action.type = Delete
appender.rolling.strategy.action.basepath = ${sys:opensearch.logs.base_path}
appender.rolling.strategy.action.condition.type = IfFileName
appender.rolling.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-*
appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
################################################
######## Server - old style pattern ###########
appender.rolling_old.type = RollingFile
appender.rolling_old.name = rolling_old
appender.rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}.log
appender.rolling_old.filePermissions = rw-r-----
appender.rolling_old.layout.type = PatternLayout
appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
appender.rolling_old.policies.type = Policies
appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling_old.policies.time.interval = 1
appender.rolling_old.policies.time.modulate = true
appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling_old.policies.size.size = 128MB
appender.rolling_old.strategy.type = DefaultRolloverStrategy
appender.rolling_old.strategy.fileIndex = nomax
appender.rolling_old.strategy.action.type = Delete
appender.rolling_old.strategy.action.basepath = ${sys:opensearch.logs.base_path}
appender.rolling_old.strategy.action.condition.type = IfFileName
appender.rolling_old.strategy.action.condition.glob = ${sys:opensearch.logs.cluster_name}-*
appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB
################################################
rootLogger.level = info
rootLogger.appenderRef.console.ref = console
rootLogger.appenderRef.rolling.ref = rolling
rootLogger.appenderRef.rolling_old.ref = rolling_old
######## Deprecation JSON #######################
appender.deprecation_rolling.type = RollingFile
appender.deprecation_rolling.name = deprecation_rolling
appender.deprecation_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.json
appender.deprecation_rolling.filePermissions = rw-r-----
appender.deprecation_rolling.layout.type = OpenSearchJsonLayout
appender.deprecation_rolling.layout.type_name = deprecation
appender.deprecation_rolling.layout.opensearchmessagefields=x-opaque-id
appender.deprecation_rolling.filter.rate_limit.type = RateLimitingFilter
appender.deprecation_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation-%i.json.gz
appender.deprecation_rolling.policies.type = Policies
appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling.policies.size.size = 1GB
appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling.strategy.max = 4
appender.header_warning.type = HeaderWarningAppender
appender.header_warning.name = header_warning
#################################################
######## Deprecation - old style pattern #######
appender.deprecation_rolling_old.type = RollingFile
appender.deprecation_rolling_old.name = deprecation_rolling_old
appender.deprecation_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.log
appender.deprecation_rolling_old.filePermissions = rw-r-----
appender.deprecation_rolling_old.layout.type = PatternLayout
appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.deprecation_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_deprecation-%i.log.gz
appender.deprecation_rolling_old.policies.type = Policies
appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling_old.policies.size.size = 1GB
appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling_old.strategy.max = 4
#################################################
logger.deprecation.name = org.opensearch.deprecation
logger.deprecation.level = deprecation
logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old
logger.deprecation.appenderRef.header_warning.ref = header_warning
logger.deprecation.additivity = false
######## Search Request Slowlog JSON ####################
appender.search_request_slowlog_json_appender.type = RollingFile
appender.search_request_slowlog_json_appender.name = search_request_slowlog_json_appender
appender.search_request_slowlog_json_appender.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog.json
appender.search_request_slowlog_json_appender.filePermissions = rw-r-----
appender.search_request_slowlog_json_appender.layout.type = OpenSearchJsonLayout
appender.search_request_slowlog_json_appender.layout.type_name = search_request_slowlog
appender.search_request_slowlog_json_appender.layout.opensearchmessagefields=message,took,took_millis,phase_took,total_hits,search_type,shards,source,id
appender.search_request_slowlog_json_appender.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog-%i.json.gz
appender.search_request_slowlog_json_appender.policies.type = Policies
appender.search_request_slowlog_json_appender.policies.size.type = SizeBasedTriggeringPolicy
appender.search_request_slowlog_json_appender.policies.size.size = 1GB
appender.search_request_slowlog_json_appender.strategy.type = DefaultRolloverStrategy
appender.search_request_slowlog_json_appender.strategy.max = 4
#################################################
######## Search Request Slowlog Log File - old style pattern ####
appender.search_request_slowlog_log_appender.type = RollingFile
appender.search_request_slowlog_log_appender.name = search_request_slowlog_log_appender
appender.search_request_slowlog_log_appender.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog.log
appender.search_request_slowlog_log_appender.filePermissions = rw-r-----
appender.search_request_slowlog_log_appender.layout.type = PatternLayout
appender.search_request_slowlog_log_appender.layout.pattern = [%d{ISO8601}][%-5p][%c{1.}] [%node_name]%marker %m%n
appender.search_request_slowlog_log_appender.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog-%i.log.gz
appender.search_request_slowlog_log_appender.policies.type = Policies
appender.search_request_slowlog_log_appender.policies.size.type = SizeBasedTriggeringPolicy
appender.search_request_slowlog_log_appender.policies.size.size = 1GB
appender.search_request_slowlog_log_appender.strategy.type = DefaultRolloverStrategy
appender.search_request_slowlog_log_appender.strategy.max = 4
#################################################
logger.search_request_slowlog_logger.name = cluster.search.request.slowlog
logger.search_request_slowlog_logger.level = trace
logger.search_request_slowlog_logger.appenderRef.search_request_slowlog_json_appender.ref = search_request_slowlog_json_appender
logger.search_request_slowlog_logger.appenderRef.search_request_slowlog_log_appender.ref = search_request_slowlog_log_appender
logger.search_request_slowlog_logger.additivity = false
######## Search slowlog JSON ####################
appender.index_search_slowlog_rolling.type = RollingFile
appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
appender.index_search_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog.json
appender.index_search_slowlog_rolling.filePermissions = rw-r-----
appender.index_search_slowlog_rolling.layout.type = OpenSearchJsonLayout
appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog
appender.index_search_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id
appender.index_search_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
.cluster_name}_index_search_slowlog-%i.json.gz
appender.index_search_slowlog_rolling.policies.type = Policies
appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.index_search_slowlog_rolling.policies.size.size = 1GB
appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy
appender.index_search_slowlog_rolling.strategy.max = 4
#################################################
######## Search slowlog - old style pattern ####
appender.index_search_slowlog_rolling_old.type = RollingFile
appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old
appender.index_search_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog.log
appender.index_search_slowlog_rolling_old.filePermissions = rw-r-----
appender.index_search_slowlog_rolling_old.layout.type = PatternLayout
appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.index_search_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_search_slowlog-%i.log.gz
appender.index_search_slowlog_rolling_old.policies.type = Policies
appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.index_search_slowlog_rolling_old.policies.size.size = 1GB
appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.index_search_slowlog_rolling_old.strategy.max = 4
#################################################
logger.index_search_slowlog_rolling.name = index.search.slowlog
logger.index_search_slowlog_rolling.level = trace
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old
logger.index_search_slowlog_rolling.additivity = false
######## Indexing slowlog JSON ##################
appender.index_indexing_slowlog_rolling.type = RollingFile
appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
appender.index_indexing_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog.json
appender.index_indexing_slowlog_rolling.filePermissions = rw-r-----
appender.index_indexing_slowlog_rolling.layout.type = OpenSearchJsonLayout
appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog
appender.index_indexing_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,doc_type,id,routing,source
appender.index_indexing_slowlog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog-%i.json.gz
appender.index_indexing_slowlog_rolling.policies.type = Policies
appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling.policies.size.size = 1GB
appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy
appender.index_indexing_slowlog_rolling.strategy.max = 4
#################################################
######## Indexing slowlog - old style pattern ##
appender.index_indexing_slowlog_rolling_old.type = RollingFile
appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old
appender.index_indexing_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog.log
appender.index_indexing_slowlog_rolling_old.filePermissions = rw-r-----
appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout
appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
_index_indexing_slowlog-%i.log.gz
appender.index_indexing_slowlog_rolling_old.policies.type = Policies
appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB
appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.index_indexing_slowlog_rolling_old.strategy.max = 4
#################################################
logger.index_indexing_slowlog.name = index.indexing.slowlog.index
logger.index_indexing_slowlog.level = trace
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old
logger.index_indexing_slowlog.additivity = false
######## Task details log JSON ####################
appender.task_detailslog_rolling.type = RollingFile
appender.task_detailslog_rolling.name = task_detailslog_rolling
appender.task_detailslog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.json
appender.task_detailslog_rolling.filePermissions = rw-r-----
appender.task_detailslog_rolling.layout.type = OpenSearchJsonLayout
appender.task_detailslog_rolling.layout.type_name = task_detailslog
appender.task_detailslog_rolling.layout.opensearchmessagefields=taskId,type,action,description,start_time_millis,resource_stats,metadata
appender.task_detailslog_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.json.gz
appender.task_detailslog_rolling.policies.type = Policies
appender.task_detailslog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.task_detailslog_rolling.policies.size.size = 1GB
appender.task_detailslog_rolling.strategy.type = DefaultRolloverStrategy
appender.task_detailslog_rolling.strategy.max = 4
#################################################
######## Task details log - old style pattern ####
appender.task_detailslog_rolling_old.type = RollingFile
appender.task_detailslog_rolling_old.name = task_detailslog_rolling_old
appender.task_detailslog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog.log
appender.task_detailslog_rolling_old.filePermissions = rw-r-----
appender.task_detailslog_rolling_old.layout.type = PatternLayout
appender.task_detailslog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.task_detailslog_rolling_old.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_task_detailslog-%i.log.gz
appender.task_detailslog_rolling_old.policies.type = Policies
appender.task_detailslog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.task_detailslog_rolling_old.policies.size.size = 1GB
appender.task_detailslog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.task_detailslog_rolling_old.strategy.max = 4
#################################################
logger.task_detailslog_rolling.name = task.detailslog
logger.task_detailslog_rolling.level = trace
logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling.ref = task_detailslog_rolling
logger.task_detailslog_rolling.appenderRef.task_detailslog_rolling_old.ref = task_detailslog_rolling_old
logger.task_detailslog_rolling.additivity = false

19
opensearch/opensearch-notifications-core/notifications-core.yml Normal file
View File

@ -0,0 +1,19 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the notifications-core plugin
opensearch.notifications.core:
email:
size_limit: 10000000
minimum_header_length: 160
http:
max_connections: 60
max_connection_per_route: 20
connection_timeout: 5000 # in milliseconds
socket_timeout: 50000
host_deny_list: []
allowed_config_types: ["slack","chime","microsoft_teams","webhook","email","sns","ses_account","smtp_account","email_group"]
tooltip_support: true

12
opensearch/opensearch-notifications/notifications.yml Normal file
View File

@ -0,0 +1,12 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the notifications plugin
opensearch.notifications:
general:
operation_timeout_ms: 60000 # 60 seconds, Minimum 100ms
default_items_query_count: 100 # default number of items to query
filter_send_by_backend_roles: false # Does sendNotification needs to validate user's backend roles

28
opensearch/opensearch-observability/observability.yml Normal file
View File

@ -0,0 +1,28 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the observability plugin
opensearch.notebooks:
general:
operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms
defaultItemsQueryCount: 100 # default number of items to query
polling:
jobLockDurationSeconds: 300 # 5 Minutes, Minimum 10 seconds
minPollingDurationSeconds: 300 # 5 Minutes, Minimum 60 seconds
maxPollingDurationSeconds: 900 # 15 Minutes, Minimum 5 Minutes
maxLockRetries: 1 # Max number of retries to retry locking
access:
adminAccess: "AllObservabilityObjects"
# adminAccess values:
## Standard -> Admin user access follows standard user
## AllObservabilityObjects -> Admin user with "all_access" role can see all observability objects of all users.
filterBy: "NoFilter" # Applied when tenant != __user__
# filterBy values:
## NoFilter -> everyone see each other's observability objects
## User -> observability objects are visible to only themselves
## Roles -> observability objects are visible to users having any one of the role of creator
## BackendRoles -> observability objects are visible to users having any one of the backend role of creator
ignoreRoles: ["own_index", "kibana_user", "observability_full_access", "observability_read_access"]

11
opensearch/opensearch-reports-scheduler/reports-scheduler.yml Normal file
View File

@ -0,0 +1,11 @@
---
##
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
##
# configuration file for the reports scheduler plugin
opensearch.reports:
general:
operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms
defaultItemsQueryCount: 100 # default number of items to query

3
opensearch/opensearch-security/action_groups.yml Normal file
View File

@ -0,0 +1,3 @@
_meta:
type: "actiongroups"
config_version: 2

69
opensearch/opensearch-security/allowlist.yml Normal file
View File

@ -0,0 +1,69 @@
---
_meta:
type: "allowlist"
config_version: 2
# Description:
# enabled - feature flag.
# if enabled is false, the allowlisting feature is removed.
# This is like removing the check that checks if an API is allowlisted.
# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting.
# if enabled is true, then all users except SuperAdmin can access only the APIs in requests
# SuperAdmin can access all APIs.
# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn:
# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin.
#
# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints
# Examples showing how to configure this yml file (make sure the _meta data from above is also there):
# Example 1:
# To enable allowlisting and allowlist GET /_cluster/settings
#
#config:
# enabled: true
# requests:
# /_cluster/settings:
# - GET
#
# Example 2:
# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT):
#
#config:
# enabled: true
# requests:
# /_cluster/settings:
# - GET
# - PUT
#
# Example 3:
# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards:
#
#config:
# enabled: true
# requests:
# /_cluster/settings:
# - GET
# - PUT
# /_cat/nodes:
# - GET
# /_cat/shards:
# - GET
#
# Example 4:
# If you want to disable the allowlisting feature, set enabled to false.
# enabled: false
# requests:
# /_cluster/settings:
# - GET
#
#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant.
#this name must be config
config:
enabled: false
requests:
/_cluster/settings:
- GET
/_cat/nodes:
- GET

85
opensearch/opensearch-security/audit.yml Normal file
View File

@ -0,0 +1,85 @@
_meta:
type: "audit"
config_version: 2
config:
# enable/disable audit logging
enabled: true
audit:
# Enable/disable REST API auditing
enable_rest: true
# Categories to exclude from REST API auditing
disabled_rest_categories:
- AUTHENTICATED
- GRANTED_PRIVILEGES
# Enable/disable Transport API auditing
enable_transport: true
# Categories to exclude from Transport API auditing
disabled_transport_categories:
- AUTHENTICATED
- GRANTED_PRIVILEGES
# Users to be excluded from auditing. Wildcard patterns are supported. Eg:
# ignore_users: ["test-user", "employee-*"]
ignore_users:
- kibanaserver
# Requests to be excluded from auditing. Wildcard patterns are supported. Eg:
# ignore_requests: ["indices:data/read/*", "SearchRequest"]
ignore_requests: []
# Log individual operations in a bulk request
resolve_bulk_requests: false
# Include the body of the request (if available) for both REST and the transport layer
log_request_body: true
# Logs all indices affected by a request. Resolves aliases and wildcards/date patterns
resolve_indices: true
# Exclude sensitive headers from being included in the logs. Eg: Authorization
exclude_sensitive_headers: true
compliance:
# enable/disable compliance
enabled: true
# Log updates to internal security changes
internal_config: true
# Log external config files for the node
external_config: false
# Log only metadata of the document for read events
read_metadata_only: true
# Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg:
# read_watched_fields: {
# "twitter": ["message"]
# "logs-*": ["id", "attr*"]
# }
read_watched_fields: {}
# List of users to ignore for read events. Wildcard patterns are supported. Eg:
# read_ignore_users: ["test-user", "employee-*"]
read_ignore_users:
- kibanaserver
# Log only metadata of the document for write events
write_metadata_only: true
# Log only diffs for document updates
write_log_diffs: false
# List of indices to watch for write events. Wildcard patterns are supported
# write_watched_indices: ["twitter", "logs-*"]
write_watched_indices: []
# List of users to ignore for write events. Wildcard patterns are supported. Eg:
# write_ignore_users: ["test-user", "employee-*"]
write_ignore_users:
- kibanaserver

49
opensearch/opensearch-security/config.yml Normal file
View File

@ -0,0 +1,49 @@
---
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
# 익명(로그인 안 한) 사용자의 요청을 차단
anonymous_auth_enabled: false
xff:
# X-Forwarded-For 헤더 처리 활성화 (LB/Proxy 환경)
enabled: true
# 프록시의 내부 IP. 필요시 로드밸런서 IP 추가
internalProxies: "10\\.0\\.20\\.\\d{1,3}" # 10.0.20.x 대역을 내부 프록시로 인식
# 원격 클라이언트 IP를 가져올 헤더
remoteIpHeader: "x-forwarded-for"
authc:
# 기본 내부 인증(internal_users.yml 사용)
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
# JWT 인증 설정
jwt_auth_domain:
http_enabled: true
transport_enabled: false # HTTP API에만 사용
order: 0
http_authenticator:
type: jwt
# challenge: false 이므로 JWT 토큰이 없으면 다음 인증(basic) 시도
challenge: false
config:
# 토큰 서명에 사용할 키
signing_key: "UGdiOTdLVjFBTWtndTRNRiZmVjdwMDdCRW1lSSUxTnA="
# JWT 헤더 파싱 설정 추가
jwt_header: "Authorization"
# JWT 토큰에서 사용자 이름을 가져올 필드
subject_key: sub
# JWT 토큰에서 역할(role)을 가져올 필드
roles_key: roles
authentication_backend:
# JWT 토큰 내 사용자 정보로 인증 처리
type: noop

250
opensearch/opensearch-security/config.yml.bak Normal file
View File

@ -0,0 +1,250 @@
---
# This is the main OpenSearch Security configuration file where authentication
# and authorization is defined.
#
# You need to configure at least one authentication domain in the authc of this file.
# An authentication domain is responsible for extracting the user credentials from
# the request and for validating them against an authentication backend like Active Directory for example.
#
# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
# http_enabled: true
# transport_enabled: true
#
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous"
# and one role named "anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
# kerberos (challenging)
# clientcert (not challenging, needs https)
# jwt (not challenging)
# host (not challenging) #DEPRECATED, will be removed in a future version.
# host based authentication is configurable in roles_mapping
# Authc
# internal
# noop
# ldap
# Authz
# ldap
# noop
_meta:
type: "config"
config_version: 2
config:
dynamic:
# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#do_not_fail_on_forbidden: false
#kibana:
# Kibana multitenancy
#multitenancy_enabled: true
#private_tenant_enabled: true
#default_tenant: ""
#server_username: kibanaserver
#index: '.kibana'
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
#internalProxies: '.*' # trust all internal proxies, regex pattern
#remoteIpHeader: 'x-forwarded-for'
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
description: "Authenticate via proxy"
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
jwt_auth_domain:
description: "Authenticate via Json Web Token"
http_enabled: false
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
jwt_header: "Authorization"
jwt_url_parameter: null
jwt_clock_skew_tolerance_seconds: 30
roles_key: null
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
description: "Authenticate via SSL client certificates"
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: 'ou=groups,dc=example,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
#config goes here ...
# auth_failure_listeners:
# ip_rate_limiting:
# type: ip
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000
# internal_authentication_backend_limiting:
# type: username
# authentication_backend: intern
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000

50
opensearch/opensearch-security/internal_users.yml Normal file
View File

@ -0,0 +1,50 @@
---
_meta:
type: "internalusers"
config_version: 2
admin:
hash: "$2y$12$PH5uup5xBDwmAAHr9fRvTO2zRgKEDeVzEjFuhZYoohj338BvdaLKG"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
anomalyadmin:
hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
reserved: false
opendistro_security_roles:
- "anomaly_full_access"
description: "Demo anomaly admin user, using internal role"
kibanaserver:
# hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
hash: "$2y$12$xFMwJISLbh2vh8xEUg0kguyGDZVyHyM65opF3Emvdq1Cmnj1hlUNS"
reserved: true
description: "Demo OpenSearch Dashboards user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo OpenSearch Dashboards read only user, using external role mapping"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user, using external role mapping"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user, using external role mapping"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user, using external role mapping"

8
opensearch/opensearch-security/nodes_dn.yml Normal file
View File

@ -0,0 +1,8 @@
_meta:
type: "nodesdn"
config_version: 2
# Define nodesdn mapping name and corresponding values
# cluster1:
# nodes_dn:
# - CN=*.example.com

228
opensearch/opensearch-security/opensearch.yml.example Normal file
View File

@ -0,0 +1,228 @@
############## OpenSearch Security configuration ###############
###########################################################
# Add the following settings to your standard opensearch.yml
# alongside with the OpenSearch Security TLS settings.
# Settings must always be the same on all nodes in the cluster.
############## Common configuration settings ##############
# Specify a list of DNs which denote the other nodes in the cluster.
# This settings support wildcards and regular expressions
# The list of DNs are also read from security index **in addition** to the yml configuration if
# plugins.security.nodes_dn_dynamic_config_enabled is true.
# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.
plugins.security.nodes_dn:
- "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE"
- "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"
# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to
# manage the allowlisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs
# which provide means to update/retrieve nodesdn dynamically.
#
# NOTE: The overall allowlisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored
# in security index.
# (default: false)
# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.
plugins.security.nodes_dn_dynamic_config_enabled: false
# Defines the DNs (distinguished names) of certificates
# to which admin privileges should be assigned (mandatory)
plugins.security.authcz.admin_dn:
- "CN=kirk,OU=client,O=client,l=tEst, C=De"
# Define how backend roles should be mapped to Security roles
# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default)
# BACKENDROLES_ONLY - backend roles are mapped to Security roles directly. Settings in roles_mapping.yml have no effect.
# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition
plugins.security.roles_mapping_resolution: MAPPING_ONLY
############## REST Management API configuration settings ##############
# Enable or disable role based access to the REST management API
# Default is that no role is allowed to access the REST management API.
#plugins.security.restapi.roles_enabled: ["all_access","xyz_role"]
# Disable particular endpoints and their HTTP methods for roles.
# By default all endpoints/methods are allowed.
#plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: <array of http methods>
# Example:
#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"]
#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"]
# The following endpoints exist:
# ACTIONGROUPS
# CACHE
# CONFIG
# ROLES
# ROLESMAPPING
# INTERNALUSERS
# SYSTEMINFO
# PERMISSIONSINFO
############## Auditlog configuration settings ##############
# General settings
# Enable/disable rest request logging (default: true)
#plugins.security.audit.enable_rest: true
# Enable/disable transport request logging (default: false)
#plugins.security.audit.enable_transport: false
# Enable/disable bulk request logging (default: false)
# If enabled all subrequests in bulk requests will be logged too
#plugins.security.audit.resolve_bulk_requests: false
# Disable some categories
#plugins.security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"]
# Disable some requests (wildcard or regex of actions or rest request paths)
#plugins.security.audit.ignore_requests: ["indices:data/read/*","*_bulk"]
# Tune threadpool size, default is 10
#plugins.security.audit.threadpool.size: 10
# Tune threadpool max size queue length, default is 100000
#plugins.security.audit.threadpool.max_queue_len: 100000
# Ignore users, e.g. do not log audit requests from that users (default: no ignored users)
#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']"
# Destination of the auditlog events
plugins.security.audit.type: internal_opensearch
#plugins.security.audit.type: external_opensearch
#plugins.security.audit.type: debug
#plugins.security.audit.type: webhook
# external_opensearch settings
#plugins.security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']"
# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6')
#plugins.security.audit.config.index: auditlog6 # make sure you secure this index properly
#plugins.security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly
#plugins.security.audit.config.type: auditlog
#plugins.security.audit.config.username: auditloguser
#plugins.security.audit.config.password: auditlogpassword
#plugins.security.audit.config.enable_ssl: false
#plugins.security.audit.config.verify_hostnames: false
#plugins.security.audit.config.enable_ssl_client_auth: false
#plugins.security.audit.config.cert_alias: mycert
#plugins.security.audit.config.pemkey_filepath: key.pem
#plugins.security.audit.config.pemkey_content: <...pem base 64 content>
#plugins.security.audit.config.pemkey_password: secret
#plugins.security.audit.config.pemcert_filepath: cert.pem
#plugins.security.audit.config.pemcert_content: <...pem base 64 content>
#plugins.security.audit.config.pemtrustedcas_filepath: ca.pem
#plugins.security.audit.config.pemtrustedcas_content: <...pem base 64 content>
# webhook settings
#plugins.security.audit.config.webhook.url: "http://mywebhook/endpoint"
# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK
#plugins.security.audit.config.webhook.format: JSON
#plugins.security.audit.config.webhook.ssl.verify: false
#plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem
#plugins.security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content>
# log4j settings
#plugins.security.audit.config.log4j.logger_name: auditlogger
#plugins.security.audit.config.log4j.level: INFO
############## Kerberos configuration settings ##############
# If Kerberos authentication should be used you have to configure:
# The Path to the krb5.conf file
# Can be absolute or relative to the OpenSearch config directory
#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf'
# The Path to the keytab where the acceptor_principal credentials are stored.
# Must be relative to the OpenSearch config directory
#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'
# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
#plugins.security.kerberos.acceptor_principal: 'HTTP/localhost'
############## Advanced configuration settings ##############
# Enable transport layer impersonation
# Allow DNs (distinguished names) to impersonate as other users
#plugins.security.authcz.impersonation_dn:
# "CN=spock,OU=client,O=client,L=Test,C=DE":
# - worf
# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
# - user2
# - user1
# Enable rest layer impersonation
# Allow users to impersonate as other users
#plugins.security.authcz.rest_impersonation_user:
# "picard":
# - worf
# "john":
# - steve
# - martin
# If this is set to true OpenSearch Security will automatically initialize the configuration index
# with the files in the config directory if the index does not exist.
# WARNING: This will use well-known default passwords.
# Use only in a private network/environment.
#plugins.security.allow_default_init_securityindex: false
# If this is set to true then allow to startup with demo certificates.
# These are certificates issued by floragunn GmbH for demo purposes.
# WARNING: This certificates are well known and therefore unsafe
# Use only in a private network/environment.
#plugins.security.allow_unsafe_democertificates: false
# Password strength rules for password complexity.
# If you want to set up password strength rules for internal users, you can use the below settings for it.
# Password validation rules can be configured through regex. In the below regex example, a user must need
# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character. 
# And a custom error message can be configured, in case if a password is not created according to the password strength rule.   
# plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
# plugins.security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
############## Expert settings ##############
# WARNING: Expert settings, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
# or make OpenSearch Security stop working
# Name of the index where .opendistro_security stores its configuration.
#plugins.security.config_index_name: .opendistro_security
# This defines the OID of server node certificates
#plugins.security.cert.oid: '1.2.3.4.5.5'
# This specifies the implementation of org.opensearch.security.transport.InterClusterRequestEvaluator
# that is used to determine inter-cluster request.
# Instances of org.opensearch.security.transport.InterClusterRequestEvaluator must implement a single argument
# constructor that takes an org.opensearch.common.settings.Settings
#plugins.security.cert.intercluster_request_evaluator_class: org.opensearch.security.transport.DefaultInterClusterRequestEvaluator
# By default, normal users can restore snapshots if they have the priviliges 'cluster:admin/snapshot/restore',
# 'indices:admin/create', and 'indices:data/write/index' for the indices to be restored.
# To disable snapshot restore for normal users set 'plugins.security.enable_snapshot_restore_privilege: false'.
# This makes it so that only snapshot restore requests signed by an admin TLS certificate are accepted.
# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index
# If 'plugins.security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted.
#plugins.security.enable_snapshot_restore_privilege: true
#plugins.security.check_snapshot_restore_write_privileges: true
# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60)
#plugins.security.cache.ttl_minutes: 60
# Disable OpenSearch Security
# WARNING: This can expose your configuration (including passwords) to the public.
#plugins.security.disabled: false
# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role
# to be visible, listed in the plugins.security.protected_indices.roles setting.
# Enable protected indices
# plugins.security.protected_indices.enabled: true
# Specify a list of roles a user must be member of to touch any protected index.
# plugins.security.protected_indices.roles: ['all_access']
# Specify a list of indices to mark as protected. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role.
# plugins.security.protected_indices.indices: []
# System indices are similar to security index, except the contents are not encrypted.
# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices.
# Enable system indices
# plugins.security.system_indices.enabled: true
# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role.
# plugins.security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opensearch-notifications-*', '.opensearch-notebooks', '.opensearch-observability', '.opendistro-asynchronous-search-response*', '.replication-metadata-store']

538
opensearch/opensearch-security/roles.yml Normal file
View File

@ -0,0 +1,538 @@
_meta:
type: "roles"
config_version: 2
# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
reserved: true
# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
reserved: true
security_rest_api_full_access:
reserved: true
cluster_permissions:
- 'restapi:admin/actiongroups'
- 'restapi:admin/allowlist'
- 'restapi:admin/config/update'
- 'restapi:admin/internalusers'
- 'restapi:admin/nodesdn'
- 'restapi:admin/roles'
- 'restapi:admin/rolesmapping'
- 'restapi:admin/ssl/certs/info'
- 'restapi:admin/ssl/certs/reload'
- 'restapi:admin/tenants'
# Allows users to view monitors, destinations and alerts
alerting_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/get'
- 'cluster:admin/opendistro/alerting/destination/get'
- 'cluster:admin/opendistro/alerting/monitor/get'
- 'cluster:admin/opendistro/alerting/monitor/search'
- 'cluster:admin/opensearch/alerting/comments/search'
- 'cluster:admin/opensearch/alerting/findings/get'
- 'cluster:admin/opensearch/alerting/remote/indexes/get'
- 'cluster:admin/opensearch/alerting/workflow/get'
- 'cluster:admin/opensearch/alerting/workflow_alerts/get'
# Allows users to view and acknowledge alerts
alerting_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/*'
- 'cluster:admin/opendistro/alerting/chained_alerts/*'
- 'cluster:admin/opendistro/alerting/workflow_alerts/*'
- 'cluster:admin/opensearch/alerting/comments/*'
# Allows users to use all alerting functionality
alerting_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/*'
- 'cluster:admin/opensearch/alerting/*'
- 'cluster:admin/opensearch/notifications/feature/publish'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
- 'indices_monitor'
# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/ad/detector/info'
- 'cluster:admin/opendistro/ad/detector/search'
- 'cluster:admin/opendistro/ad/detector/validate'
- 'cluster:admin/opendistro/ad/detectors/get'
- 'cluster:admin/opendistro/ad/result/search'
- 'cluster:admin/opendistro/ad/result/topAnomalies'
- 'cluster:admin/opendistro/ad/tasks/search'
# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/ingest/pipeline/delete"
- "cluster:admin/ingest/pipeline/put"
- 'cluster:admin/opendistro/ad/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/fields/get'
- 'indices:admin/mappings/fields/get*'
- 'indices:admin/mappings/get'
- 'indices:admin/resolve/index'
- 'indices:admin/setting/put'
- 'indices:data/read/field_caps*'
- 'indices:data/read/search'
- 'indices_monitor'
# Allow users to execute read only k-NN actions
knn_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_stats_action'
# Allow users to use all k-NN functionality
knn_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_delete_model_action'
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_remove_model_from_cache_action'
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_stats_action'
- 'cluster:admin/knn_training_job_route_decision_info_action'
- 'cluster:admin/knn_training_job_router_action'
- 'cluster:admin/knn_training_model_action'
- 'cluster:admin/knn_update_model_graveyard_action'
- 'cluster:admin/knn_warmup_action'
# Allow users to execute read only ip2geo datasource action
ip2geo_datasource_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/geospatial/datasource/get'
# Allow users to use all ip2geo datasource action
ip2geo_datasource_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/geospatial/datasource/*'
# Allows users to read Notebooks
notebooks_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
# Allows users to all Notebooks functionality
notebooks_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/create'
- 'cluster:admin/opendistro/notebooks/delete'
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
- 'cluster:admin/opendistro/notebooks/update'
# Allows users to read observability objects
observability_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/observability/get'
# Allows users to all Observability functionality
observability_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/observability/create'
- 'cluster:admin/opensearch/observability/delete'
- 'cluster:admin/opensearch/observability/get'
- 'cluster:admin/opensearch/observability/update'
# Allows users to all PPL functionality
ppl_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ppl'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mappings/get'
- 'indices:data/read/search*'
- 'indices:monitor/settings/get'
# Allows users to read and download Reports
reports_instances_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to read and download Reports and Report-definitions
reports_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to all Reports functionality
reports_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/create'
- 'cluster:admin/opendistro/reports/definition/delete'
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/definition/on_demand'
- 'cluster:admin/opendistro/reports/definition/update'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to use all asynchronous-search functionality
asynchronous_search_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:data/read/search*'
# Allows users to read stored asynchronous-search results
asynchronous_search_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/get'
# Allows user to use all index_management actions - ism policies, rollups, transforms
index_management_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/opendistro/ism/*"
- "cluster:admin/opendistro/rollup/*"
- "cluster:admin/opendistro/transform/*"
- "cluster:admin/opensearch/controlcenter/lron/*"
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/feature/publish"
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/opensearch/ism/*'
- 'indices:internal/plugins/replication/index/stop'
# Allows users to use all cross cluster replication functionality at leader cluster
cross_cluster_replication_leader_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/read/plugins/replication/changes"
- "indices:data/read/plugins/replication/file_chunk"
# Allows users to use all cross cluster replication functionality at follower cluster
cross_cluster_replication_follower_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/status_check"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:data/write/plugins/replication/changes"
# Allows users to use all cross cluster search functionality at remote cluster
cross_cluster_search_remote_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/shards/search_shards'
- 'indices:data/read/search'
# Allow users to operate query assistant
query_assistant_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/config/get'
- 'cluster:admin/opensearch/ml/execute'
- 'cluster:admin/opensearch/ml/predict'
- 'cluster:admin/opensearch/ppl'
# Allow users to read ML stats/models/tasks
ml_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/config/get'
- 'cluster:admin/opensearch/ml/connectors/get'
- 'cluster:admin/opensearch/ml/connectors/search'
- 'cluster:admin/opensearch/ml/controllers/get'
- 'cluster:admin/opensearch/ml/memory/conversation/get'
- 'cluster:admin/opensearch/ml/memory/conversation/interaction/search'
- 'cluster:admin/opensearch/ml/memory/conversation/list'
- 'cluster:admin/opensearch/ml/memory/conversation/search'
- 'cluster:admin/opensearch/ml/memory/interaction/get'
- 'cluster:admin/opensearch/ml/memory/interaction/list'
- 'cluster:admin/opensearch/ml/memory/trace/get'
- 'cluster:admin/opensearch/ml/model_groups/get'
- 'cluster:admin/opensearch/ml/model_groups/search'
- 'cluster:admin/opensearch/ml/models/get'
- 'cluster:admin/opensearch/ml/models/search'
- 'cluster:admin/opensearch/ml/profile/nodes'
- 'cluster:admin/opensearch/ml/stats/nodes'
- 'cluster:admin/opensearch/ml/tasks/get'
- 'cluster:admin/opensearch/ml/tasks/search'
- 'cluster:admin/opensearch/ml/tools/get'
- 'cluster:admin/opensearch/ml/tools/list'
# Allows users to use all ML functionality
ml_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
# Allows users to use all Notifications functionality
notifications_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/*'
# Allows users to read Notifications config/channels
notifications_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/channels/get'
- 'cluster:admin/opensearch/notifications/configs/get'
- 'cluster:admin/opensearch/notifications/features'
# Allows users to use all snapshot management functionality
snapshot_management_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/feature/publish'
- 'cluster:admin/opensearch/snapshot_management/*'
- 'cluster:admin/repository/*'
- 'cluster:admin/snapshot/*'
# Allows users to see snapshots, repositories, and snapshot management policies
snapshot_management_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/snapshot_management/policy/explain'
- 'cluster:admin/opensearch/snapshot_management/policy/get'
- 'cluster:admin/opensearch/snapshot_management/policy/search'
- 'cluster:admin/repository/get'
- 'cluster:admin/snapshot/get'
# Allows user to use point in time functionality
point_in_time_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'manage_point_in_time'
# Allows users to see security analytics detectors and others
security_analytics_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/get'
- 'cluster:admin/opensearch/securityanalytics/correlationAlerts/get'
- 'cluster:admin/opensearch/securityanalytics/correlations/findings'
- 'cluster:admin/opensearch/securityanalytics/correlations/list'
- 'cluster:admin/opensearch/securityanalytics/detector/get'
- 'cluster:admin/opensearch/securityanalytics/detector/search'
- 'cluster:admin/opensearch/securityanalytics/findings/get'
- 'cluster:admin/opensearch/securityanalytics/logtype/search'
- 'cluster:admin/opensearch/securityanalytics/mapping/get'
- 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
- 'cluster:admin/opensearch/securityanalytics/rule/get'
- 'cluster:admin/opensearch/securityanalytics/rule/search'
- 'cluster:admin/opensearch/securityanalytics/threatintel/alerts/get'
- 'cluster:admin/opensearch/securityanalytics/threatintel/iocs/findings/get'
- 'cluster:admin/opensearch/securityanalytics/threatintel/iocs/list'
- 'cluster:admin/opensearch/securityanalytics/threatintel/monitors/search'
- 'cluster:admin/opensearch/securityanalytics/threatintel/sources/get'
- 'cluster:admin/opensearch/securityanalytics/threatintel/sources/search'
# Allows users to use all security analytics functionality
security_analytics_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/*'
- 'cluster:admin/opensearch/securityanalytics/connections/*'
- 'cluster:admin/opensearch/securityanalytics/correlationAlerts/*'
- 'cluster:admin/opensearch/securityanalytics/correlations/*'
- 'cluster:admin/opensearch/securityanalytics/detector/*'
- 'cluster:admin/opensearch/securityanalytics/findings/*'
- 'cluster:admin/opensearch/securityanalytics/logtype/*'
- 'cluster:admin/opensearch/securityanalytics/mapping/*'
- 'cluster:admin/opensearch/securityanalytics/rule/*'
- 'cluster:admin/opensearch/securityanalytics/threatintel/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mapping/put'
- 'indices:admin/mappings/get'
# Allows users to view and acknowledge alerts
security_analytics_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/*'
- 'cluster:admin/opensearch/securityanalytics/correlationAlerts/*'
- 'cluster:admin/opensearch/securityanalytics/threatintel/alerts/*'
# Allows users to use all Flow Framework functionality
flow_framework_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/flow_framework/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
- 'indices_monitor'
# Allow users to read flow framework's workflows and their state
flow_framework_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/flow_framework/workflow/get'
- 'cluster:admin/opensearch/flow_framework/workflow/search'
- 'cluster:admin/opensearch/flow_framework/workflow_state/get'
- 'cluster:admin/opensearch/flow_framework/workflow_state/search'
- 'cluster:admin/opensearch/flow_framework/workflow_step/get'
# Allows users to use all query insights APIs
query_insights_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/insights/top_queries/*'
index_permissions:
- index_patterns:
- 'top_queries_by_*'
allowed_actions:
- "indices_all"
# Allow users to execute read only LTR actions
ltr_read_access:
reserved: true
cluster_permissions:
- cluster:admin/ltr/caches/stats
- cluster:admin/ltr/featurestore/list
- cluster:admin/ltr/stats
# Allow users to execute all LTR actions
ltr_full_access:
reserved: true
cluster_permissions:
- cluster:admin/ltr/*
# Allow users to use all Search Relevance functionalities
search_relevance_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/search_relevance/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mappings/get'
- 'indices:data/read/search*'
# Allow users to read Search Relevance resources
search_relevance_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/search_relevance/experiment/get'
- 'cluster:admin/opensearch/search_relevance/judgment/get'
- 'cluster:admin/opensearch/search_relevance/queryset/get'
- 'cluster:admin/opensearch/search_relevance/search_configuration/get'
# Allow users to read Forecast resources
forecast_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/plugin/forecast/forecaster/info'
- 'cluster:admin/plugin/forecast/forecaster/stats'
- 'cluster:admin/plugin/forecast/forecaster/suggest'
- 'cluster:admin/plugin/forecast/forecaster/validate'
- 'cluster:admin/plugin/forecast/forecasters/get'
- 'cluster:admin/plugin/forecast/forecasters/info'
- 'cluster:admin/plugin/forecast/forecasters/search'
- 'cluster:admin/plugin/forecast/result/topForecasts'
- 'cluster:admin/plugin/forecast/tasks/search'
index_permissions:
- index_patterns:
- 'opensearch-forecast-result*'
allowed_actions:
- 'indices:admin/mappings/fields/get*'
- 'indices:admin/resolve/index'
- 'indices:data/read*'
# Allows users to use all Forecasting functionality
forecast_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/plugin/forecast/*'
- 'cluster:admin/settings/update'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mapping/get'
- 'indices:admin/mapping/put'
- 'indices:admin/mappings/fields/get*'
- 'indices:admin/mappings/get'
- 'indices:admin/resolve/index'
- 'indices:data/read*'
- 'indices:data/read/field_caps*'
- 'indices:data/read/search'
- 'indices:data/write*'
- 'indices_monitor'

49
opensearch/opensearch-security/roles_mapping.yml Normal file
View File

@ -0,0 +1,49 @@
---
# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml
_meta:
type: "rolesmapping"
config_version: 2
# Define your roles mapping here
## Demo roles mapping
all_access:
reserved: false
backend_roles:
- "admin"
description: "Maps admin to all_access"
own_index:
reserved: false
users:
- "*"
description: "Allow full access to an index named like the username"
logstash:
reserved: false
backend_roles:
- "logstash"
kibana_user:
reserved: false
backend_roles:
- "kibanauser"
description: "Maps kibanauser to kibana_user"
readall:
reserved: false
backend_roles:
- "readall"
manage_snapshots:
reserved: false
backend_roles:
- "snapshotrestore"
kibana_server:
reserved: true
users:
- "kibanaserver"

11
opensearch/opensearch-security/tenants.yml Normal file
View File

@ -0,0 +1,11 @@
---
_meta:
type: "tenants"
config_version: 2
# Define your tenants here
## Demo tenants
admin_tenant:
reserved: false
description: "Demo tenant for admin user"

BIN
opensearch/opensearch.keystore Normal file
View File

Binary file not shown.

73
opensearch/opensearch.yml Normal file
View File

@ -0,0 +1,73 @@
# ======================== OpenSearch Configuration =========================
# 클러스터 이름. 모든 노드가 동일해야 함.
cluster.name: ds-cluster
# 노드 이름. 각 노드마다 고유해야 함.
node.name: ds-osnode001.oneunivrs.com
# 마스터 노드 및 데이터 노드 역할 부여
node.roles: [ cluster_manager, data ]
# 데이터와 로그 파일 경로 지정
path.data: /data/opensearch/data
path.logs: /data/opensearch/logs
# 스와핑 방지를 위한 메모리 잠금 (성능 향상)
bootstrap.memory_lock: true
# 네트워크 설정
# 모든 네트워크 인터페이스에서 접속 허용. 외부/내부 통신 모두 처리.
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# 클러스터 구성을 위한 노드 탐색 설정 (내부 DNS 사용)
discovery.seed_hosts:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# 클러스터 최초 구동 시 마스터 후보 노드 목록 (내부 DNS 사용)
cluster.initial_cluster_manager_nodes:
- ds-osnode001.oneunivrs.com
- ds-osnode002.oneunivrs.com
- ds-osnode003.oneunivrs.com
# ======================== Security Plugin Configuration ========================
plugins.security.ssl.transport.enabled: true # 노드 간 통신(9300) TLS 활성화
plugins.security.ssl.transport.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.transport.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root.pem
plugins.security.ssl.transport.enforce_hostname_verification: false # 호스트 이름 검증 비활성화 (권장사항은 true 이나, 초기 설정 편의를 위해 false)
plugins.security.ssl.http.enabled: true # HTTP API(9200) TLS(HTTPS) 활성화
plugins.security.ssl.http.pemcert_filepath: certs/oneunivrs.pem
plugins.security.ssl.http.pemkey_filepath: certs/oneunivrs_key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root.pem
# 클러스터에 참여할 수 있는 노드의 DN(Distinguished Name) 목록
# O 필드의 쉼표(,)는 백슬래시 두 개(\\)로 이스케이프 처리
plugins.security.nodes_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
# 관리자 권한을 가질 사용자의 DN 목록
plugins.security.authcz.admin_dn:
- "CN=*.oneunivrs.com,O=ONEUNIVERSE Co.\\,Ltd.,ST=Seoul,C=KR"
# 보안 플러그인 초기화 시 데모 설정 비활성화
plugins.security.allow_unsafe_democertificates: false
# 최초 구동 시 .opensearch-observability, .opensearch-notifications-config 인덱스 생성 허용
plugins.security.unsupported.allow_now_in_dls: true
# 최초 구동 시 보안 인덱스 자동 생성 허용
plugins.security.allow_default_init_securityindex: true
# 감사 로그를 내부 OpenSearch 인덱스에 기록
plugins.security.audit.type: internal_opensearch
#plugins.security.audit.config.log_external_config: false
#plugins.security.audit.config.log_internal_config: false
#plugins.security.audit.config.log_security_config: false
# REST API를 통해 역할(Role)을 관리할 수 있도록 허용
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

155
opensearch/opensearch.yml.bak Normal file
View File

@ -0,0 +1,155 @@
# ======================== OpenSearch Configuration =========================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.opensearch.org
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/opensearch
#
# Path to log files:
#
path.logs: /var/log/opensearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_data_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Remote Store -----------------------------------
# Controls whether cluster imposes index creation only with remote store enabled
# cluster.remote_store.enabled: true
#
# Repository to use for segment upload while enforcing remote store for an index
# node.attr.remote_store.segment.repository: my-repo-1
#
# Repository to use for translog upload while enforcing remote store for an index
# node.attr.remote_store.translog.repository: my-repo-1
#
# ---------------------------------- Experimental Features -----------------------------------
# Gates the visibility of the experimental segment replication features until they are production ready.
#
#opensearch.experimental.feature.segment_replication_experimental.enabled: false
#
# Gates the functionality of a new parameter to the snapshot restore API
# that allows for creation of a new index type that searches a snapshot
# directly in a remote repository without restoring all index data to disk
# ahead of time.
#
#opensearch.experimental.feature.searchable_snapshot.enabled: false
#
#
# Gates the functionality of enabling extensions to work with OpenSearch.
# This feature enables applications to extend features of OpenSearch outside of
# the core.
#
#opensearch.experimental.feature.extensions.enabled: false
#
#
# Gates the optimization of datetime formatters caching along with change in default datetime formatter
# Once there is no observed impact on performance, this feature flag can be removed.
#
#opensearch.experimental.optimization.datetime_formatter_caching.enabled: false
######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
.plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
.plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
.plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
.opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
.opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
.opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
.geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
.plugins-flow-framework-state, .plugins-search-relevance-experiment, .plugins-search-relevance-judgment-cache]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

2
opensearch/securityadmin_demo.sh Normal file
View File

@ -0,0 +1,2 @@
#!/bin/bash
sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/etc/opensearch/opensearch-security" -icl -key "/etc/opensearch/kirk-key.pem" -cert "/etc/opensearch/kirk.pem" -cacert "/etc/opensearch/root-ca.pem" -nhnv