[DOC] Missing documentation for security features

[hardik-k-shah]

Add documentation for below security features.

1. Audit logging configuration is hot reloadable and there are APIs and UI both available.
2. SSL certificates (for rest endpoint and N2N communication) are also hot reloadable and there are APIs available for same.
3. CRUD APIs for default configurations. (Default roles, users and role-mapping can be updated by super admin now).
4. Hot reloadable certificate domain names. (Now super admin can hot update certificate domain names for cross cluster use-case)
5. Separate certificate for a client and server for inter node communication. (Initiative and PR from twitter)

[Naarcha-AWS]

@hardik-k-shah: Do you have more information on the following:

• Any internal notes about how to perform each tasks.
• A way to list or a list of API endpoints for audit logging, and CRUD configurations.
• Example certificates for domains and inter-node communication.

[hardik-k-shah]

Below PRs has a description about how to use these APIs.

1. Hot reloading SSL certificates: Adding capability to hot reload ssl certificates security#238
2. Hot re-loadable Audit logging: Provide default audit.yml to enable hot reloading of audit configuration security#710 , Hot reloading audit configuration security#409
3. Hot re-loadable nodes_dn/ certificate domain name: Implement APIs and datamodel to configure nodes_dn dynamically. security#362
4. CRUD for default/reserved configuration: Added SuperAdmin check to allow update/delete/add of reserved config … security#242
5. Separate Client and Server Cert configuration: Support certs with separate Extended Key Usage security#493 Adding ssl settings to support certs with separate clientAuth and serverAuth extended key usage security#474

Let me know if these helps.

[hdhalter]

Hi Chris, with all of the progress we've mad with security, can you check to see if we've covered any of these points? Thanks.

[hdhalter]

Hi @hardik-k-shah, Do you now if these items have been documented?

[hdhalter]

Security has been moved to a new team. I'll follow up with them and get this prioritized.

[AntonEliatra]

I can pick this one up with @leanneeliatra

[AntonEliatra]

Two PRs submitted:
Hot reloading TLS certs: #6875
Separate client and server certificates: #6881

[leanneeliatra]

I'm taking care of
3) Hot re-loadable Audit logging
4) CRUD for default/reserved configuration - PR in Draft

[hdhalter]

Thanks, @AntonEliatra! Here are the doc PRs:

• 1) Hot reloading SSL certificates: Add hot reload TLS certificate section #433 #6875
• 2) Hot re-loadable Audit logging: Nothing to do; already complete
• 3) Hot re-loadable nodes_dn/ certificate domain name: done: https://github.com/opensearch-project/documentation-website/blob/main/_security/access-control/api.md
• 4) CRUD for default/reserved configuration: [DRAFT] Security feature SuperAdmin documentation updates  #6927
• 5) Separate Client and Server Cert configuration: Add separate certificates section #433 #6881

Please let me know if something is missing.

[AntonEliatra]

"Hot re-loadable nodes_dn/ certificate domain name" is already documented here

I spoke with @natebower and we don't think there is anything further needed here, but we can discuss further if you feel additional details are necessary

[leanneeliatra]

For this part of this ticket: Audit logging configuration is hot reloadable and there are APIs and UI both available. The original work that was done is contained in these two PRs:

1. Provide default audit.yml to enable hot reloading of audit configuration #710
2. Hot reloading audit configuration #409

This comment is to log that the supporting updates to the documentation, to support the above 2 PR code changes, has already been completed. The information below points to the locations in the security docs where these updates have been added.

• The documentation to record audit logging via the UI was added 8 months ago to the docs: After this initial setup, you can use OpenSearch Dashboards to manage your audit log categories and other settings. In OpenSearch Dashboards, select Security and then Audit logs.
• The documentation to cover the ability to update audit logs via the API was added 11 months ago to the docs and details the steps with examples given. See this section on audit logs examples

[leanneeliatra]

Hi Heather, I have some updates for this issue and the final 2 remaining items in my name. * 2) Hot re-loadable Audit logging. After investigation, I have found this is already documented in the docs with new additions to the documentation 8 months and 11 months ago. I have added a comment #433 (comment) on the ticket showing where the updates to the docs can be found. * 4) CRUD for default/reserved configuration: #6927 #6927 The changes related to this PR were quite heavy, I have an idea of what was carried out but I had been hoping to speak to an original reviewer of the work to discuss and ensure I had the right picture. I will proceed with what I understand of the changes and we can hopefully get the opinion of Hardik Shaw or another original contributor once my updates to the documentation is ready.

[hdhalter]

Everything has been addressed except admin/superadmin roles which is being addressed in #7069 and has a separate issue assigned #4646. Thanks, @leanneeliatra !