From 15f4526ce3bd81e8e6741bef96dfb26671e0f67a Mon Sep 17 00:00:00 2001 From: rajeevme Date: Sat, 28 Sep 2019 00:05:44 +0530 Subject: [AAI-2617] Search guard is no longer available Change-Id: I5cc786073ac27d3d36d05f0aa89ac5b7f1aadc02 Signed-off-by: rajeevme Change-Id: I6b8ce9867d8b1d8108fcd7002e84f798a5b4e8e2 (cherry picked from commit 360d63a7609c566a6b8043a7de70ae35bd1f258a) --- .../resources/config/sg/auth/esaai-keystore.jks | Bin 3979 -> 0 bytes .../resources/config/sg/auth/sgadmin-keystore.p12 | Bin 4575 -> 0 bytes .../resources/config/sg/auth/truststore.jks | Bin 930 -> 0 bytes .../resources/config/sg/sg_action_groups.yml | 137 ----------- .../resources/config/sg/sg_config.yml | 123 ---------- .../resources/config/sg/sg_internal_users.yml | 45 ---- .../resources/config/sg/sg_roles.yml | 262 --------------------- .../resources/config/sg/sg_roles_mapping.yml | 38 --- 8 files changed, 605 deletions(-) delete mode 100644 components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks delete mode 100644 components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 delete mode 100644 components/aai-elasticsearch/resources/config/sg/auth/truststore.jks delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_config.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_roles.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml (limited to 'components/aai-elasticsearch/resources/config/sg') diff --git a/components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks b/components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks deleted file mode 100644 index 21ec9bb..0000000 Binary files a/components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks and /dev/null differ diff --git a/components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 b/components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 deleted file mode 100644 index db7cbf4..0000000 Binary files a/components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 and /dev/null differ diff --git a/components/aai-elasticsearch/resources/config/sg/auth/truststore.jks b/components/aai-elasticsearch/resources/config/sg/auth/truststore.jks deleted file mode 100644 index b3bd666..0000000 Binary files a/components/aai-elasticsearch/resources/config/sg/auth/truststore.jks and /dev/null differ diff --git a/components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml b/components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml deleted file mode 100644 index be5901a..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml +++ /dev/null @@ -1,137 +0,0 @@ -UNLIMITED: - readonly: true - permissions: - - "*" - -###### INDEX LEVEL ###### - -INDICES_ALL: - readonly: true - permissions: - - "indices:*" - -# for backward compatibility -ALL: - readonly: true - permissions: - - INDICES_ALL - -MANAGE: - readonly: true - permissions: - - "indices:monitor/*" - - "indices:admin/*" - -CREATE_INDEX: - readonly: true - permissions: - - "indices:admin/create" - - "indices:admin/mapping/put" - -MANAGE_ALIASES: - readonly: true - permissions: - - "indices:admin/aliases*" - -# for backward compatibility -MONITOR: - readonly: true - permissions: - - INDICES_MONITOR - -INDICES_MONITOR: - readonly: true - permissions: - - "indices:monitor/*" - -DATA_ACCESS: - readonly: true - permissions: - - "indices:data/*" - - CRUD - -WRITE: - readonly: true - permissions: - - "indices:data/write*" - - "indices:admin/mapping/put" - -READ: - readonly: true - permissions: - - "indices:data/read*" - - "indices:admin/mappings/fields/get*" - -DELETE: - readonly: true - permissions: - - "indices:data/write/delete*" - -CRUD: - readonly: true - permissions: - - READ - - WRITE - -SEARCH: - readonly: true - permissions: - - "indices:data/read/search*" - - "indices:data/read/msearch*" - - SUGGEST - -SUGGEST: - readonly: true - permissions: - - "indices:data/read/suggest*" - -INDEX: - readonly: true - permissions: - - "indices:data/write/index*" - - "indices:data/write/update*" - - "indices:admin/mapping/put" - - "indices:data/write/bulk*" - -GET: - readonly: true - permissions: - - "indices:data/read/get*" - - "indices:data/read/mget*" - -###### CLUSTER LEVEL ###### - -CLUSTER_ALL: - readonly: true - permissions: - - "cluster:*" - -CLUSTER_MONITOR: - readonly: true - permissions: - - "cluster:monitor/*" - -CLUSTER_COMPOSITE_OPS_RO: - readonly: true - permissions: - - "indices:data/read/mget" - - "indices:data/read/msearch" - - "indices:data/read/mtv" - - "indices:data/read/coordinate-msearch*" - - "indices:admin/aliases/exists*" - - "indices:admin/aliases/get*" - - "indices:data/read/scroll" - -CLUSTER_COMPOSITE_OPS: - readonly: true - permissions: - - "indices:data/write/bulk" - - "indices:admin/aliases*" - - "indices:data/write/reindex" - - CLUSTER_COMPOSITE_OPS_RO - -MANAGE_SNAPSHOTS: - readonly: true - permissions: - - "cluster:admin/snapshot/*" - - "cluster:admin/repository/*" \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/sg/sg_config.yml b/components/aai-elasticsearch/resources/config/sg/sg_config.yml deleted file mode 100644 index d0050e0..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_config.yml +++ /dev/null @@ -1,123 +0,0 @@ -# This is the main Search Guard configuration file where authentication -# and authorization is defined. -# -# You need to configure at least one authentication domain in the authc of this file. -# An authentication domain is responsible for extracting the user credentials from -# the request and for validating them against an authentication backend like Active Directory for example. -# -# If more than one authentication domain is configured the first one which succeeds wins. -# If all authentication domains fail then the request is unauthenticated. -# In this case an exception is thrown and/or the HTTP status is set to 401. -# -# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect -# the roles from a given backend for the authenticated user. -# -# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. -# http_enabled: true -# transport_enabled: true -# -# 5.x Migration: "enabled: true/false" will also be respected currently but only to provide backward compatibility. -# -# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to -# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. -# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous" -# and one role named "sg_anonymous_backendrole". -# If you enable anonymous authentication all HTTP authenticators will not challenge. -# -# -# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" -# first and the challenging one last. -# Because it's not possible to challenge a client with two different authentication methods (for example -# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation -# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. -# -# Default value of the challenge flag is true. -# -# -# HTTP -# basic (challenging) -# proxy (not challenging, needs xff) -# clientcert (not challenging, needs https) -# host (not challenging) #DEPRECATED, will be removed in a future version. -# host based authentication is configurable in sg_roles_mapping - -# Authc -# internal -# noop - -# Authz -# noop - -# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; -# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration -# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's -# license details before enabling any additional features here. - -searchguard: - dynamic: - # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index - # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) - # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently - #filtered_alias_mode: warn - http: - anonymous_auth_enabled: false - xff: - enabled: false - internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern - #internalProxies: '.*' # trust all internal proxies, regex pattern - remoteIpHeader: 'x-forwarded-for' - proxiesHeader: 'x-forwarded-by' - #trustedProxies: '.*' # trust all external proxies, regex pattern - ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help - ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For - ###### and here https://tools.ietf.org/html/rfc7239 - ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve - authc: - basic_internal_auth_domain: - http_enabled: true - transport_enabled: true - order: 2 - http_authenticator: - type: basic - challenge: true - authentication_backend: - type: intern - proxy_auth_domain: - http_enabled: false - transport_enabled: false - order: 3 - http_authenticator: - type: proxy - challenge: false - config: - user_header: "x-proxy-user" - roles_header: "x-proxy-roles" - authentication_backend: - type: noop - jwt_auth_domain: - http_enabled: false - transport_enabled: false - order: 0 - http_authenticator: - type: jwt - challenge: false - config: - signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" - jwt_header: "Authorization" - jwt_url_parameter: null - roles_key: null - subject_key: null - authentication_backend: - type: noop - clientcert_auth_domain: - http_enabled: true - transport_enabled: true - order: 1 - http_authenticator: - type: clientcert - config: - username_attribute: cn #optional, if omitted DN becomes username - challenge: false - authentication_backend: - type: noop - authz: \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml b/components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml deleted file mode 100644 index 942a716..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml +++ /dev/null @@ -1,45 +0,0 @@ -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -#password is: admin -admin: - readonly: true - hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG - roles: - - admin - attributes: - #no dots allowed in attribute names - attribute1: value1 - attribute2: value2 - attribute3: value3 - -#password is: logstash -logstash: - hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2 - roles: - - logstash - -#password is: kibanaserver -kibanaserver: - readonly: true - hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H. - -#password is: kibanaro -kibanaro: - hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC - roles: - - kibanauser - - readall - -#password is: readall -readall: - hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2 - #password is: readall - roles: - - readall - -#password is: snapshotrestore -snapshotrestore: - hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W - roles: - - snapshotrestore \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/sg/sg_roles.yml b/components/aai-elasticsearch/resources/config/sg/sg_roles.yml deleted file mode 100644 index c918e85..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_roles.yml +++ /dev/null @@ -1,262 +0,0 @@ -# Allows everything, but no changes to searchguard configuration index -sg_all_access: - readonly: true - cluster: - - UNLIMITED - indices: - '*': - '*': - - UNLIMITED - tenants: - admin_tenant: RW - -# Read all, but no write permissions -sg_readall: - readonly: true - cluster: - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# Read all and monitor, but no write permissions -sg_readall_and_monitor: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# For users which use kibana, access to indices must be granted separately -sg_kibana_user: - readonly: true - cluster: - - INDICES_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?kibana': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?kibana-6': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?kibana_*': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?tasks': - '*': - - INDICES_ALL - '?management-beats': - '*': - - INDICES_ALL - '*': - '*': - - indices:data/read/field_caps* - - indices:data/read/xpack/rollup* - - indices:admin/mappings/get* - - indices:admin/get - -# For the kibana server -sg_kibana_server: - readonly: true - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - - cluster:admin/xpack/monitoring* - - indices:admin/template* - - indices:data/read/scroll* - indices: - '?kibana': - '*': - - INDICES_ALL - '?kibana-6': - '*': - - INDICES_ALL - '?kibana_*': - '*': - - INDICES_ALL - '?reporting*': - '*': - - INDICES_ALL - '?monitoring*': - '*': - - INDICES_ALL - '?tasks': - '*': - - INDICES_ALL - '?management-beats*': - '*': - - INDICES_ALL - '*': - '*': - - "indices:admin/aliases*" - -# For logstash and beats -sg_logstash: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - - indices:admin/template/get - - indices:admin/template/put - indices: - 'logstash-*': - '*': - - CRUD - - CREATE_INDEX - '*beat*': - '*': - - CRUD - - CREATE_INDEX - -# Allows adding and modifying repositories and creating and restoring snapshots -sg_manage_snapshots: - cluster: - - MANAGE_SNAPSHOTS - indices: - '*': - '*': - - "indices:data/write/index" - - "indices:admin/create" - -# Allows each user to access own named index -sg_own_index: - cluster: - - CLUSTER_COMPOSITE_OPS - indices: - '${user_name}': - '*': - - INDICES_ALL - -### X-Pack COMPATIBILITY -sg_xp_monitoring: - readonly: true - cluster: - - cluster:monitor/xpack/info - - cluster:monitor/main - - cluster:admin/xpack/monitoring/bulk - indices: - '?monitor*': - '*': - - INDICES_ALL - -sg_xp_alerting: - readonly: true - cluster: - - indices:data/read/scroll - - cluster:admin/xpack/watcher* - - cluster:monitor/xpack/watcher* - indices: - '?watches*': - '*': - - INDICES_ALL - '?watcher-history-*': - '*': - - INDICES_ALL - '?triggered_watches': - '*': - - INDICES_ALL - '*': - '*': - - READ - - indices:admin/aliases/get - -sg_xp_machine_learning: - readonly: true - cluster: - - cluster:admin/persistent* - - cluster:internal/xpack/ml* - - indices:data/read/scroll* - - cluster:admin/xpack/ml* - - cluster:monitor/xpack/ml* - indices: - '*': - '*': - - READ - - indices:admin/get* - '?ml-*': - '*': - - "*" - -### LEGACY ROLES, FOR COMPATIBILITY ONLY -### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE - -sg_readonly_and_monitor: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# Make xpack monitoring work -sg_monitor: - cluster: - - cluster:admin/xpack/monitoring/* - - cluster:admin/ingest/pipeline/put - - cluster:admin/ingest/pipeline/get - - indices:admin/template/get - - indices:admin/template/put - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?monitor*': - '*': - - INDICES_ALL - '?marvel*': - '*': - - INDICES_ALL - '?kibana*': - '*': - - READ - '*': - '*': - - indices:data/read/field_caps - -# Make xpack alerting work -sg_alerting: - cluster: - - indices:data/read/scroll - - cluster:admin/xpack/watcher/watch/put - - cluster:admin/xpack/watcher* - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?kibana*': - '*': - - READ - '?watches*': - '*': - - INDICES_ALL - '?watcher-history-*': - '*': - - INDICES_ALL - '?triggered_watches': - '*': - - INDICES_ALL - '*': - '*': - - READ - - -sg_role_test: - cluster: - - indices:admin/template/get - - indices:admin/template/put - - CLUSTER_COMPOSITE_OPS - indices: - '*': - '*': - - UNLIMITED diff --git a/components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml b/components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml deleted file mode 100644 index 970e027..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml +++ /dev/null @@ -1,38 +0,0 @@ -# In this file users, backendroles and hosts can be mapped to Search Guard roles. -# Permissions for Search Guard roles are configured in sg_roles.yml - -sg_all_access: - readonly: true - backendroles: - - admin - -sg_logstash: - backendroles: - - logstash - -sg_kibana_server: - readonly: true - users: - - kibanaserver - -sg_kibana_user: - backendroles: - - kibanauser - -sg_readall: - readonly: true - backendroles: - - readall - -sg_manage_snapshots: - readonly: true - backendroles: - - snapshotrestore - -sg_own_index: - users: - - '*' - -sg_role_test: - users: - - test -- cgit 1.2.3-korg