diff options
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_config.yml | 102 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_roles.yml | 14 |
2 files changed, 11 insertions, 105 deletions
diff --git a/src/main/docker/elasticsearch/config/sg/sg_config.yml b/src/main/docker/elasticsearch/config/sg/sg_config.yml index 7d3a933fa..9a16a8239 100644 --- a/src/main/docker/elasticsearch/config/sg/sg_config.yml +++ b/src/main/docker/elasticsearch/config/sg/sg_config.yml @@ -37,20 +37,22 @@ # HTTP # basic (challenging) # proxy (not challenging, needs xff) -# kerberos (challenging) NOT FREE FOR COMMERCIAL # clientcert (not challenging, needs https) -# jwt (not challenging) NOT FREE FOR COMMERCIAL # host (not challenging) #DEPRECATED, will be removed in a future version. # host based authentication is configurable in sg_roles_mapping # Authc # internal # noop -# ldap NOT FREE FOR COMMERCIAL USE # Authz -# ldap NOT FREE FOR COMMERCIAL USE # noop +# +# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; +# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration +# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's +# license details before enabling any additional features here. + searchguard: dynamic: @@ -59,7 +61,6 @@ searchguard: # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently #filtered_alias_mode: warn #kibana: - # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki #multitenancy_enabled: true @@ -80,20 +81,6 @@ searchguard: ###### and here https://tools.ietf.org/html/rfc7239 ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve authc: - kerberos_auth_domain: - http_enabled: false - transport_enabled: false - order: 6 - http_authenticator: - type: kerberos # NOT FREE FOR COMMERCIAL USE - challenge: true - config: - # If true a lot of kerberos/security related debugging output will be logged to standard out - krb_debug: false - # If true then the realm will be stripped from the user name - strip_realm_from_principal: true - authentication_backend: - type: noop basic_internal_auth_domain: http_enabled: true transport_enabled: true @@ -141,84 +128,7 @@ searchguard: challenge: false authentication_backend: type: noop - ldap: - http_enabled: false - transport_enabled: false - order: 5 - http_authenticator: - type: basic - challenge: false - authentication_backend: - # LDAP authentication backend (authenticate users against a LDAP or Active Directory) - type: ldap # NOT FREE FOR COMMERCIAL USE - config: - # enable ldaps - enable_ssl: false - # enable start tls, enable_ssl should be false - enable_start_tls: false - # send client certificate - enable_ssl_client_auth: false - # verify ldap hostname - verify_hostnames: true - hosts: - - localhost:8389 - bind_dn: null - password: null - userbase: 'ou=people,dc=example,dc=com' - # Filter to search for users (currently in the whole subtree beneath userbase) - # {0} is substituted with the username - usersearch: '(sAMAccountName={0})' - # Use this attribute from the user as username (if not set then DN is used) - username_attribute: null authz: - roles_from_myldap: - http_enabled: false - transport_enabled: false - authorization_backend: - # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) - type: ldap # NOT FREE FOR COMMERCIAL USE - config: - # enable ldaps - enable_ssl: false - # enable start tls, enable_ssl should be false - enable_start_tls: false - # send client certificate - enable_ssl_client_auth: false - # verify ldap hostname - verify_hostnames: true - hosts: - - localhost:8389 - bind_dn: null - password: null - rolebase: 'ou=groups,dc=example,dc=com' - # Filter to search for roles (currently in the whole subtree beneath rolebase) - # {0} is substituted with the DN of the user - # {1} is substituted with the username - # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute - rolesearch: '(member={0})' - # Specify the name of the attribute which value should be substituted with {2} above - userroleattribute: null - # Roles as an attribute of the user entry - userrolename: disabled - #userrolename: memberOf - # The attribute in a role entry containing the name of that role, Default is "name". - # Can also be "dn" to use the full DN as rolename. - rolename: cn - # Resolve nested roles transitive (roles which are members of other roles and so on ...) - resolve_nested_roles: true - userbase: 'ou=people,dc=example,dc=com' - # Filter to search for users (currently in the whole subtree beneath userbase) - # {0} is substituted with the username - usersearch: '(uid={0})' - # Skip users matching a user name, a wildcard or a regex pattern - #skip_users: - # - 'cn=Michael Jackson,ou*people,o=TEST' - # - '/\S*/' - roles_from_another_ldap: - enabled: false - authorization_backend: - type: ldap # NOT FREE FOR COMMERCIAL USE - #config goes here ... # auth_failure_listeners: # ip_rate_limiting: # type: ip diff --git a/src/main/docker/elasticsearch/config/sg/sg_roles.yml b/src/main/docker/elasticsearch/config/sg/sg_roles.yml index 6902fba2c..1a3a80ce5 100644 --- a/src/main/docker/elasticsearch/config/sg/sg_roles.yml +++ b/src/main/docker/elasticsearch/config/sg/sg_roles.yml @@ -32,15 +32,11 @@ # Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys. # Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index' # This limitation will likely removed with Search Guard 6 - -# DLS (Document level security) - NOT FREE FOR COMMERCIAL -# http://docs.search-guard.com/v6/document-level-security - -# FLS (Field level security) - NOT FREE FOR COMMERCIAL -# http://docs.search-guard.com/v6/field-level-security - -# Kibana multitenancy - NOT FREE FOR COMMERCIAL -# http://docs.search-guard.com/v6/kibana-multi-tenancy +# +# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; +# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration +# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's +# license details before enabling any additional features here. # Allows everything, but no changes to searchguard configuration index sg_all_access: |