Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Update dashboards.yml. Fix owner and permissions for home folder
  Signed-off-by: Sergey Shubin <[email protected]>
* The validity period of certificates is set to a variable
  Signed-off-by: Sergey Shubin <[email protected]>
* change HOME directory for {{ os_user }} and {{ os_dashboards_user }} and set them /bin/false shell
  Signed-off-by: Sergey Shubin <[email protected]>
* auth_type (internal, openid). Custom configs, IaC
  1. Added the ability to log in via OpenID
  2. Added the ability to install custom configuration files for the cluster
  3. Added the ability to reconfigure the cluster (in particular, update certificates) when expanding it
  4. Added the ability not to change certificates if the cluster composition has not changed, but only the settings have changed.
  Signed-off-by: Sergey Shubin <[email protected]>
* readme. description for OpenID, IaC, custom configuration files
  Signed-off-by: Sergey Shubin <[email protected]>
* refactoring. see #63
  Signed-off-by: Sergey Shubin <[email protected]>

Co-authored-by: ssi444 <[email protected]>
1 parent d45969a, commit 690f3c5
Showing 14 changed files with 712 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
--- | ||
# This is the internal user database | ||
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh | ||
|
||
_meta: | ||
type: "internalusers" | ||
config_version: 2 | ||
|
||
# Define your internal users here | ||
|
||
admin: | ||
hash: "{{ admin_password }}" | ||
reserved: true | ||
backend_roles: | ||
- "admin" | ||
description: "admin user" | ||
|
||
kibanaserver: | ||
hash: "{{ kibanaserver_password }}" | ||
reserved: true | ||
description: "kibanaserver user" | ||
|
||
logstash: | ||
hash: "{{ logstash_password }}" | ||
reserved: true | ||
description: "logstash user" |
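
Review bot: The `hash:` fields for admin, kibanaserver and logstash are filled from variables named `admin_password`, `kibanaserver_password` and `logstash_password`, while the header comment says the value must be a bcrypt hash. Nothing in this hunk shows the variables being hashed before templating, so a plaintext value would end up in a field that expects a hash. Consider renaming them to `*_password_hash`, or extend the comment to say where the hashing happens.
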
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
--- | ||
_meta: | ||
type: "roles" | ||
config_version: 2 | ||
|
||
|
||
indexes_full_access: | ||
reserved: false | ||
index_permissions: | ||
- index_patterns: | ||
- "*" | ||
allowed_actions: | ||
- "*" | ||
tenant_permissions: | ||
- tenant_patterns: | ||
- "*" | ||
allowed_actions: | ||
- "kibana_all_write" | ||
# ---------------------------------------------------- | ||
indexes_security_search_full_access: | ||
reserved: true | ||
index_permissions: | ||
- index_patterns: | ||
- "kube-apiserver-audit-*" | ||
- "syslog-*" | ||
allowed_actions: | ||
- "indices:data/read/search*" | ||
- "read" | ||
- "view_index_metadata" | ||
tenant_permissions: | ||
- tenant_patterns: | ||
- "SECURITY" | ||
allowed_actions: | ||
- "kibana_all_write" | ||
# ---------------------------------------------------- | ||
indexes_web_search_full_access: | ||
reserved: true | ||
index_permissions: | ||
- index_patterns: | ||
- "ingress-nginx-*" | ||
- "mywebapp-*" | ||
allowed_actions: | ||
- "indices:data/read/search*" | ||
- "read" | ||
- "view_index_metadata" | ||
tenant_permissions: | ||
- tenant_patterns: | ||
- "WEB" | ||
allowed_actions: | ||
- "kibana_all_write" | ||
# ---------------------------------------------------- | ||
# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards | ||
kibana_read_only: | ||
reserved: true |
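
Review bot: `indexes_full_access` grants `allowed_actions: "*"` on `index_patterns: "*"`, the broadest index permission this file can express, and in the visible part of the hunk it is the only role with `reserved: false`. Narrow the pattern to the log indices the other roles name, or add a comment explaining why a second all-indices role is needed. Also, the two `*_search_full_access` roles carry only read and search actions, so a name ending in `_read` would describe them better.
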
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
--- | ||
# In this file users, backendroles and hosts can be mapped to Security roles. | ||
# Permissions for OpenSearch roles are configured in roles.yml | ||
|
||
_meta: | ||
type: "rolesmapping" | ||
config_version: 2 | ||
|
||
kibana_server: | ||
reserved: true | ||
users: | ||
- "kibanaserver" | ||
|
||
logstash: | ||
reserved: true | ||
users: | ||
- "logstash" | ||
|
||
# Define your roles mapping here | ||
all_access: | ||
reserved: false | ||
backend_roles: | ||
- "admin" | ||
- "opensearch_admin" | ||
description: "Maps admin to all_access" | ||
# ---------------------------------------------------- | ||
indexes_full_access: | ||
reserved: false | ||
backend_roles: | ||
- "opensearch_admin" | ||
description: "Maps admin to indexes_full_access" | ||
# ---------------------------------------------------- | ||
own_index: | ||
reserved: false | ||
users: | ||
- "*" | ||
description: "Allow full access to an index named like the username" | ||
# ---------------------------------------------------- | ||
readall: | ||
reserved: false | ||
backend_roles: | ||
- "opensearch_index_read_all" | ||
# ---------------------------------------------------- | ||
indexes_security_search_full_access: | ||
reserved: true | ||
backend_roles: | ||
- "opensearch_index_read_all" | ||
- "opensearch_index_read_security" | ||
description: "Maps users to indexes_security_search_full_access" | ||
# ---------------------------------------------------- | ||
indexes_web_search_full_access: | ||
reserved: true | ||
backend_roles: | ||
- "opensearch_index_read_all" | ||
- "opensearch_index_read_web" | ||
description: "Maps users to indexes_web_search_full_access" | ||
|
||
|
||
|
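
Review bot: `own_index` is mapped with `users: - "*"`, so it attaches by user name wildcard rather than by backend role like the other mappings, and the commit message says this change also adds OpenID login. Confirm the wildcard is intended for users arriving via OpenID, or switch it to a backend role. Separately, the description on `indexes_full_access` says "Maps admin" but the only backend role listed is `opensearch_admin`.
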
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
_meta: | ||
type: "tenants" | ||
config_version: 2 | ||
|
||
# Define your tenants here | ||
SECURITY: | ||
reserved: false | ||
description: "Tenant for security logs (e.g. kubernetes audit or opensearch audit)" | ||
WEB: | ||
reserved: false | ||
description: "Tenant for web-app logs" |
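
Review bot: SECURITY and WEB are declared with `reserved: false`, while the roles that name them in `tenant_patterns` are `reserved: true`. Use the same setting on both sides, or add a comment explaining the difference, so the tenants and the roles that reference them are protected the same way.
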