summaryrefslogtreecommitdiffstats
path: root/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'src/main')
-rw-r--r--src/main/docker/elasticsearch/config/sg/sg_config.yml102
-rw-r--r--src/main/docker/elasticsearch/config/sg/sg_roles.yml14
2 files changed, 11 insertions, 105 deletions
diff --git a/src/main/docker/elasticsearch/config/sg/sg_config.yml b/src/main/docker/elasticsearch/config/sg/sg_config.yml
index 7d3a933fa..9a16a8239 100644
--- a/src/main/docker/elasticsearch/config/sg/sg_config.yml
+++ b/src/main/docker/elasticsearch/config/sg/sg_config.yml
@@ -37,20 +37,22 @@
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
-# kerberos (challenging) NOT FREE FOR COMMERCIAL
# clientcert (not challenging, needs https)
-# jwt (not challenging) NOT FREE FOR COMMERCIAL
# host (not challenging) #DEPRECATED, will be removed in a future version.
# host based authentication is configurable in sg_roles_mapping
# Authc
# internal
# noop
-# ldap NOT FREE FOR COMMERCIAL USE
# Authz
-# ldap NOT FREE FOR COMMERCIAL USE
# noop
+#
+# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free;
+# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration
+# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's
+# license details before enabling any additional features here.
+
searchguard:
dynamic:
@@ -59,7 +61,6 @@ searchguard:
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
- # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
@@ -80,20 +81,6 @@ searchguard:
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
- kerberos_auth_domain:
- http_enabled: false
- transport_enabled: false
- order: 6
- http_authenticator:
- type: kerberos # NOT FREE FOR COMMERCIAL USE
- challenge: true
- config:
- # If true a lot of kerberos/security related debugging output will be logged to standard out
- krb_debug: false
- # If true then the realm will be stripped from the user name
- strip_realm_from_principal: true
- authentication_backend:
- type: noop
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
@@ -141,84 +128,7 @@ searchguard:
challenge: false
authentication_backend:
type: noop
- ldap:
- http_enabled: false
- transport_enabled: false
- order: 5
- http_authenticator:
- type: basic
- challenge: false
- authentication_backend:
- # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
- type: ldap # NOT FREE FOR COMMERCIAL USE
- config:
- # enable ldaps
- enable_ssl: false
- # enable start tls, enable_ssl should be false
- enable_start_tls: false
- # send client certificate
- enable_ssl_client_auth: false
- # verify ldap hostname
- verify_hostnames: true
- hosts:
- - localhost:8389
- bind_dn: null
- password: null
- userbase: 'ou=people,dc=example,dc=com'
- # Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
- usersearch: '(sAMAccountName={0})'
- # Use this attribute from the user as username (if not set then DN is used)
- username_attribute: null
authz:
- roles_from_myldap:
- http_enabled: false
- transport_enabled: false
- authorization_backend:
- # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
- type: ldap # NOT FREE FOR COMMERCIAL USE
- config:
- # enable ldaps
- enable_ssl: false
- # enable start tls, enable_ssl should be false
- enable_start_tls: false
- # send client certificate
- enable_ssl_client_auth: false
- # verify ldap hostname
- verify_hostnames: true
- hosts:
- - localhost:8389
- bind_dn: null
- password: null
- rolebase: 'ou=groups,dc=example,dc=com'
- # Filter to search for roles (currently in the whole subtree beneath rolebase)
- # {0} is substituted with the DN of the user
- # {1} is substituted with the username
- # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
- rolesearch: '(member={0})'
- # Specify the name of the attribute which value should be substituted with {2} above
- userroleattribute: null
- # Roles as an attribute of the user entry
- userrolename: disabled
- #userrolename: memberOf
- # The attribute in a role entry containing the name of that role, Default is "name".
- # Can also be "dn" to use the full DN as rolename.
- rolename: cn
- # Resolve nested roles transitive (roles which are members of other roles and so on ...)
- resolve_nested_roles: true
- userbase: 'ou=people,dc=example,dc=com'
- # Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
- usersearch: '(uid={0})'
- # Skip users matching a user name, a wildcard or a regex pattern
- #skip_users:
- # - 'cn=Michael Jackson,ou*people,o=TEST'
- # - '/\S*/'
- roles_from_another_ldap:
- enabled: false
- authorization_backend:
- type: ldap # NOT FREE FOR COMMERCIAL USE
- #config goes here ...
# auth_failure_listeners:
# ip_rate_limiting:
# type: ip
diff --git a/src/main/docker/elasticsearch/config/sg/sg_roles.yml b/src/main/docker/elasticsearch/config/sg/sg_roles.yml
index 6902fba2c..1a3a80ce5 100644
--- a/src/main/docker/elasticsearch/config/sg/sg_roles.yml
+++ b/src/main/docker/elasticsearch/config/sg/sg_roles.yml
@@ -32,15 +32,11 @@
# Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'
# This limitation will likely removed with Search Guard 6
-
-# DLS (Document level security) - NOT FREE FOR COMMERCIAL
-# http://docs.search-guard.com/v6/document-level-security
-
-# FLS (Field level security) - NOT FREE FOR COMMERCIAL
-# http://docs.search-guard.com/v6/field-level-security
-
-# Kibana multitenancy - NOT FREE FOR COMMERCIAL
-# http://docs.search-guard.com/v6/kibana-multi-tenancy
+#
+# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free;
+# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration
+# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's
+# license details before enabling any additional features here.
# Allows everything, but no changes to searchguard configuration index
sg_all_access: