-
Notifications
You must be signed in to change notification settings - Fork 680
Add Security information to Security Analytics documentation #3184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 11 commits
Commits
Show all changes
23 commits
Select commit
Hold shift + click to select a range
de66602
sec permissions for SA
cwillum 5cb859f
sec permissions for SA
cwillum 36c155b
sec permissions for SA
cwillum 03dc102
sec permissions for SA
cwillum 8d03463
sec permissions for SA
cwillum 624c49d
sec permissions for SA
cwillum 08b8958
sec permissions for SA
cwillum 73fe70c
sec permissions for SA
cwillum 46a5fcc
sec permissions for SA
cwillum 246a7a2
sec permissions for SA
cwillum 89d7b5d
sec permissions for SA
cwillum 9c3bf8e
fix#3183-sec-for-sec-a
cwillum d84d722
fix#3183-sec-for-sec-a
cwillum 8d9c5e6
sec permissions for SA
cwillum 718ac6f
sec permissions for SA
cwillum 2173fca
sec permissions for SA
cwillum dd539b1
sec permissions for SA
cwillum 33f1577
sec permissions for SA
cwillum 79ff22e
fix#3183 for merge main
cwillum aa4a4a9
fix#3183 fixing links-breaking links
cwillum 7f3fa99
sec permissions for SA
cwillum 4b2335b
Merge branch 'main' into fix#3183-sec-for-sec-a
cwillum c07fea6
fix#3183-sec-for-sec-a
cwillum File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| --- | ||
| layout: default | ||
| title: OpenSearch Security for Security Analytics | ||
| nav_order: 2 | ||
| has_children: false | ||
| --- | ||
|
|
||
| # OpenSearch Security for Security Analytics | ||
|
|
||
| You can use OpenSearch Security with Security Analytics to assign user permissions and manage the actions that users can and cannot perform. For example, you might want one group of users to be able to create, update, or delete detectors and another group of users to only view detectors. | ||
|
|
||
| All Security Analytics indexes are protected as system indexes. Only a super admin user or an admin user with a TLS certificate can access system indexes. For more information, see [System indexes]({{site.url}}{{site.baseurl}}/security/configuration/system-indices/). | ||
|
|
||
| Security for Security Analytics works much the same as [Alerting security]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/security/). | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
|
|
||
| ## Basic permissions | ||
|
|
||
| As an admin user, you can use Security to assign specific permissions to users based on the specific APIs they need to access. For a list of supported APIs, see [API tools]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/index/). | ||
|
cwillum marked this conversation as resolved.
Outdated
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| OpenSearch Security has two built-in roles that cover most Security Analytics use cases: `security_analytics_full_access` and `security_analytics_read_access`. A third built-in role allows users to view and acknowledge alerts: `security_analytics_ack_alerts`. For descriptions of each, see [Predefined roles]({{site.url}}{{site.baseurl}}/security/access-control/users-roles#predefined-roles). | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| If these roles don't meet your needs, mix and match individual Security Analytics [permissions]({{site.url}}{{site.baseurl}}/security/access-control/permissions/#security-analytics-permissions) to suit your use case. Each action corresponds to an operation in the REST API. For example, the `cluster:admin/opensearch/securityanalytics/detector/delete` permission lets you delete detectors. | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
|
|
||
| ## (Advanced) Limit access by backend role | ||
|
|
||
| Use backend roles to configure fine-grained access to individual detectors based on roles. For example, users of different departments in an organization can view detectors owned by their own department. | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| First, make sure your users have the appropriate [backend roles]({{site.url}}{{site.baseurl}}/security/access-control/index/). Backend roles usually come from an [LDAP server]({{site.url}}{{site.baseurl}}/security/configuration/ldap/) or [SAML provider]({{site.url}}{{site.baseurl}}/security/configuration/saml/), but if you use the internal user database, you can use the REST API to [add them manually]({{site.url}}{{site.baseurl}}/security/access-control/api#create-user). | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| Next, enable the following setting: | ||
|
|
||
| ```json | ||
| PUT _cluster/settings | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
| { | ||
| "transient": { | ||
| "plugins.security_analytics.filter_by_backend_roles": "true" | ||
| } | ||
| } | ||
| ``` | ||
| {% include copy-curl.html %} | ||
|
|
||
| Now when users view Security Analytics resources in OpenSearch Dashboards (or make REST API calls), they only see detectors created by users who share at least one backend role. | ||
| For example, consider two users: `alice` and `bob`. | ||
|
|
||
| `alice` has an analyst backend role: | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| ```json | ||
| PUT _plugins/_security/api/internalusers/alice | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
| { | ||
| "password": "alice", | ||
| "backend_roles": [ | ||
| "analyst" | ||
| ], | ||
| "attributes": {} | ||
| } | ||
| ``` | ||
| {% include copy-curl.html %} | ||
|
|
||
| `bob` has a human-resources backend role: | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| ```json | ||
| PUT _plugins/_security/api/internalusers/bob | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
| { | ||
| "password": "bob", | ||
| "backend_roles": [ | ||
| "human-resources" | ||
| ], | ||
| "attributes": {} | ||
| } | ||
| ``` | ||
| {% include copy-curl.html %} | ||
|
|
||
| Both `alice` and `bob` are assigned the role that gives them full access to Security Analytics: | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| ```json | ||
| PUT _plugins/_security/api/rolesmapping/security_analytics_full_access | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
| { | ||
| "backend_roles": [], | ||
| "hosts": [], | ||
| "users": [ | ||
| "alice", | ||
| "bob" | ||
| ] | ||
| } | ||
| ``` | ||
| {% include copy-curl.html %} | ||
|
|
||
| However, because they have different backend roles, `alice` and `bob` cannot view each other's detectors or their results. | ||
|
|
||
|
|
||
| ## A note on using fine-grained access control with the plugin | ||
|
cwillum marked this conversation as resolved.
|
||
|
|
||
| When a trigger generates an alert, the detector configurations, the alert itself, and any notification that is sent to a channel may include metadata describing the index being queried. By design, the plugin must extract the data and store it as metadata outside of the index. [Document-level security]({{site.url}}{{site.baseurl}}/security/access-control/document-level-security) (DLS) and [field-level security]({{site.url}}{{site.baseurl}}/security/access-control/field-level-security) (FLS) access controls are designed to protect the data in the index. But once the data is stored outside the index as metadata, users with access to the detector and monitor configurations, alerts, and their notifications will be able to view this metadata and possibly infer the contents and quality of data in the index, which would otherwise be concealed by DLS and FLS access control. | ||
|
cwillum marked this conversation as resolved.
Outdated
|
||
|
|
||
| To reduce the chances of unintended users viewing metadata that could describe an index, we recommend that administrators enable role-based access control and keep these kinds of design elements in mind when assigning permissions to the intended group of users. See [Limit access by backend role](#advanced-limit-access-by-backend-role) for details. | ||
|
cwillum marked this conversation as resolved.
Outdated
cwillum marked this conversation as resolved.
Outdated
|
||
|
cwillum marked this conversation as resolved.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.