Resolve license issues in SearchGuard config

Remove all comments and config sections from SearchGuard config marked as not free for commercial use. Change-Id: I9b4615ef2aa9741430349c0eda2ae9ebf96b3b7d Issue-ID: AAI-2289 Signed-off-by: Lee, Tian (tl5884) <TianL@amdocs.com>
author: Lee, Tian (tl5884) <TianL@amdocs.com> 2019-04-18 10:52:30 +0100
committer: Alexis de Talhouët <adetalhouet89@gmail.com> 2019-04-19 15:48:22 +0000
commit: bd82b01482e9295af8ad8325026c4cc41e3457a4 (patch)
tree: 4598d16a12674fbfa3cea672dc6903d2c0d3595c /kubernetes/aai
parent: 70b07469dada287b97c41c4eda6c18f514a3f5a6 (diff)
1 files changed, 6 insertions, 104 deletions
diff --git a/kubernetes/aai/charts/aai-elasticsearch/resources/config/sg/sg_config.yml b/kubernetes/aai/charts/aai-elasticsearch/resources/config/sg/sg_config.yml
index 9172b71e8d..d0050e095c 100644
--- a/kubernetes/aai/charts/aai-elasticsearch/resources/config/sg/sg_config.yml
+++ b/kubernetes/aai/charts/aai-elasticsearch/resources/config/sg/sg_config.yml
@@ -37,35 +37,28 @@
 # HTTP
 #   basic (challenging)
 #   proxy (not challenging, needs xff)
-#   kerberos (challenging)
 #   clientcert (not challenging, needs https)
-#   jwt (not challenging)
 #   host (not challenging) #DEPRECATED, will be removed in a future version.
 #                           host based authentication is configurable in sg_roles_mapping
 
 # Authc
 #   internal
 #   noop
-#   ldap
 
 # Authz
-#   ldap
 #   noop
 
+# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free;
+# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration
+# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's
+# license details before enabling any additional features here.
+
 searchguard:
   dynamic:
     # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
     # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
     # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
     #filtered_alias_mode: warn
-    #kibana:
-      # Kibana multitenancy
-      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
-      # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
-      #multitenancy_enabled: true
-      #server_username: kibanaserver
-      #index: '.kibana'
-      #do_not_fail_on_forbidden: false
     http:
       anonymous_auth_enabled: false
       xff:
@@ -80,20 +73,6 @@ searchguard:
         ###### and here https://tools.ietf.org/html/rfc7239
         ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
     authc:
-      kerberos_auth_domain: 
-        http_enabled: false
-        transport_enabled: false
-        order: 6
-        http_authenticator:
-          type: kerberos
-          challenge: true
-          config:
-            # If true a lot of kerberos/security related debugging output will be logged to standard out
-            krb_debug: false
-            # If true then the realm will be stripped from the user name
-            strip_realm_from_principal: true
-        authentication_backend:
-          type: noop
       basic_internal_auth_domain:
         http_enabled: true
         transport_enabled: true
@@ -141,81 +120,4 @@ searchguard:
           challenge: false
         authentication_backend:
           type: noop
-      ldap:
-        http_enabled: false
-        transport_enabled: false
-        order: 5
-        http_authenticator:
-          type: basic
-          challenge: false
-        authentication_backend:
-          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
-          type: ldap
-          config:
-            # enable ldaps
-            enable_ssl: false
-            # enable start tls, enable_ssl should be false
-            enable_start_tls: false
-            # send client certificate
-            enable_ssl_client_auth: false
-            # verify ldap hostname
-            verify_hostnames: true
-            hosts:
-              - localhost:8389
-            bind_dn: null
-            password: null
-            userbase: 'ou=people,dc=example,dc=com'
-            # Filter to search for users (currently in the whole subtree beneath userbase)
-            # {0} is substituted with the username 
-            usersearch: '(sAMAccountName={0})'
-            # Use this attribute from the user as username (if not set then DN is used)
-            username_attribute: null
-    authz:    
-      roles_from_myldap:
-        http_enabled: false
-        transport_enabled: false
-        authorization_backend:
-          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
-          type: ldap
-          config:
-            # enable ldaps
-            enable_ssl: false
-            # enable start tls, enable_ssl should be false
-            enable_start_tls: false
-            # send client certificate
-            enable_ssl_client_auth: false
-            # verify ldap hostname
-            verify_hostnames: true
-            hosts:
-              - localhost:8389
-            bind_dn: null
-            password: null
-            rolebase: 'ou=groups,dc=example,dc=com'
-            # Filter to search for roles (currently in the whole subtree beneath rolebase)
-            # {0} is substituted with the DN of the user
-            # {1} is substituted with the username 
-            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute            
-            rolesearch: '(member={0})'
-            # Specify the name of the attribute which value should be substituted with {2} above
-            userroleattribute: null
-            # Roles as an attribute of the user entry
-            userrolename: disabled
-            #userrolename: memberOf
-            # The attribute in a role entry containing the name of that role, Default is "name".
-            # Can also be "dn" to use the full DN as rolename.
-            rolename: cn
-            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
-            resolve_nested_roles: true
-            userbase: 'ou=people,dc=example,dc=com'
-            # Filter to search for users (currently in the whole subtree beneath userbase)
-            # {0} is substituted with the username 
-            usersearch: '(uid={0})'
-            # Skip users matching a user name, a wildcard or a regex pattern
-            #skip_users: 
-            #  - 'cn=Michael Jackson,ou*people,o=TEST'
-            #  - '/\S*/'    
-      roles_from_another_ldap:
-        enabled: false
-        authorization_backend:
-          type: ldap
-          #config goes here ...
+    authz:
+\ No newline at end of file
author	Lee, Tian (tl5884) <TianL@amdocs.com>	2019-04-18 10:52:30 +0100
committer	Alexis de Talhouët <adetalhouet89@gmail.com>	2019-04-19 15:48:22 +0000
commit	bd82b01482e9295af8ad8325026c4cc41e3457a4 (patch)
tree	4598d16a12674fbfa3cea672dc6903d2c0d3595c /kubernetes/aai
parent	70b07469dada287b97c41c4eda6c18f514a3f5a6 (diff)