-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Support configuring auth_failure_listeners through Dashboards #2070
Comments
[Triage] Hi @cwperks, thanks for filing this issue. This seems like a nice feature request. |
Thanks for this request @cwperks ! I had a few questions:
|
@derek-ho There are APIs to update the securityconfig, but we do not allow usage of those by default and they allow you to update any portion of the securityconfig. To build UX for these rate limiters, I think it makes sense to add APIs where the purpose of the API is to enable or disable a rate limiter and allow any user with security REST Api privileges to ability to use those APIs. For the second question, the answer is yes and no. In general, the way that permission to granted to use security apis is through a role that has security API privileges: That being said, there is a feature where security APIs can be granted individually through |
Cool, I will create an issue in the |
When using roles based access for the security APIs, anyone mapped to one of the security API roles should be regarded as an administrator. |
Is your feature request related to a problem?
The OpenSearch Security plugin has a useful feature called auth_failure_listeners that allows cluster administrators to block requests after a certain number of requests fail authentication in a window of time. Currently, there are 2 types of auth_failure_listeners: 1) IP-based and 2) username-based.
See example below, for configuring an auth_failure_listener based on username that will block requests for 60 seconds if 3 requests fail authentication within a 60 second window:
Currently, cluster administrators can only configure these rate limiters through the config.yml file meaning they either need to configure it 1) Before cluster initialization, 2) Using securityadmin.sh or 3) through the security API using an admin cert
This feature of the Security plugin should have associated UX to make the feature more discoverable and to make it easy to configure for administrators.
The text was updated successfully, but these errors were encountered: