
Commit 1b19804

finnegancarroll, kolchfa-aws, and natebower authored and committed
TLS settings for gRPC (opensearch-project#10653)
* Add gRPC tls settings. Signed-off-by: Finn Carroll <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Update _security/configuration/tls.md Co-authored-by: kolchfa-aws <[email protected]> Signed-off-by: Finn <[email protected]>
* Fix gRPC heading level -> 2. Signed-off-by: Finn Carroll <[email protected]>
* Clarify keystore/truststore alias behavior. Signed-off-by: Finn Carroll <[email protected]>
* Apply suggestions from code review Signed-off-by: kolchfa-aws <[email protected]>
* Apply suggestions from code review Signed-off-by: Nathan Bower <[email protected]>
---------
Signed-off-by: Finn Carroll <[email protected]>
Signed-off-by: Finn <[email protected]>
Signed-off-by: kolchfa-aws <[email protected]>
Signed-off-by: Nathan Bower <[email protected]>
Co-authored-by: kolchfa-aws <[email protected]>
Co-authored-by: Nathan Bower <[email protected]>
1 parent b8e91aa commit 1b19804

File tree

1 file changed

+31
-0
lines changed


_security/configuration/tls.md

Lines changed: 31 additions & 0 deletions
@@ -310,6 +310,37 @@ You should receive the following response:
310310
{ "message": "successfully updated http certs"}
311311
```
312312

313+
## Configuring TLS certificates for gRPC
313314

315+
gRPC supports encryption in transit only. Trust stores and certificates configured as root CAs in PEM format are used only for the purpose of TLS client authorization. Role-based access is not available for gRPC endpoints.
316+
{: .warning}
314317

318+
You can configure TLS on the optional gRPC transport in `opensearch.yml`. For more information about using the gRPC plugin, see [Enabling the plugin]({{site.url}}{{site.baseurl}}/api-reference/grpc-apis/index/#enabling-the-plugin).
315319

320+
### PEM key settings (X.509 PEM certificates and PKCS #8 keys)
321+
322+
The following table lists the available gRPC PEM key settings.
323+
324+
Name | Description
325+
:--- | :---
326+
`plugins.security.ssl.aux.secure-transport-grpc.enabled` | Whether to enable TLS for gRPC. If enabled, only HTTPS is allowed. Optional. Default is `false`.
327+
`plugins.security.ssl.aux.secure-transport-grpc.pemkey_filepath` | The path to the certificate's key file (PKCS #8), specified as a relative path from the `config` directory. The file must reside within the `config` directory. Required.
328+
`plugins.security.ssl.aux.secure-transport-grpc.pemkey_password` | The key password. Omit this setting if the key has no password. Optional.
329+
`plugins.security.ssl.aux.secure-transport-grpc.pemcert_filepath` | The path to the X.509 node certificate chain (in PEM format), specified as a relative path from the `config` directory. The file must reside within the `config` directory. Required.
330+
`plugins.security.ssl.aux.secure-transport-grpc.pemtrustedcas_filepath` | The path to the root CAs (in PEM format), specified as a relative path from the `config` directory. The file must reside within the `config` directory. Required.
331+
332+
### Keystore and truststore
333+
334+
The following table lists the available gRPC keystore and truststore settings.
335+
336+
Name | Description
337+
:--- | :---
338+
`plugins.security.ssl.aux.secure-transport-grpc.enabled` | Whether to enable TLS for gRPC. If enabled, only HTTPS is allowed. Optional. Default is `false`.
339+
`plugins.security.ssl.aux.secure-transport-grpc.keystore_type` | The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS.
340+
`plugins.security.ssl.aux.secure-transport-grpc.keystore_filepath` | The path to the keystore file, specified as a relative path from the `config` directory. The file must reside within the `config` directory. Required.
341+
`plugins.security.ssl.aux.secure-transport-grpc.keystore_alias` | The alias of the key pair to use from the provided keystore. Optional. Defaults to the first key pair added to the keystore.
342+
`plugins.security.ssl.aux.secure-transport-grpc.keystore_password` | The password for the keystore. Default is `changeit`.
343+
`plugins.security.ssl.aux.secure-transport-grpc.truststore_type` | The type of the truststore file, JKS or PKCS12/PFX. Default is JKS.
344+
`plugins.security.ssl.aux.secure-transport-grpc.truststore_filepath` | The path to the truststore file, specified as a relative path from the `config` directory. The file must reside within the `config` directory. Required.
345+
`plugins.security.ssl.aux.secure-transport-grpc.truststore_alias` | The alias of the certificate to use from the provided truststore. Optional. Default is all certificates.
346+
`plugins.security.ssl.aux.secure-transport-grpc.truststore_password` | The password for the truststore. Default is `changeit`.
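Review bot: the `secure-transport-grpc.enabled` row, which appears in both tables, says "If enabled, only HTTPS is allowed", which reads as carried over from the HTTP settings; for the gRPC transport it should say that only TLS connections are accepted on the gRPC port, and since the row is identical in both tables it could be stated once above them rather than duplicated. Related wording point in the warning: it says trust stores and PEM root CAs are used for "TLS client authorization", but a trust store is what the node uses to authenticate a client certificate, and the next sentence already says gRPC does no authorization; neither table lists a setting that says whether a client certificate is required or merely accepted, so a reader cannot tell whether mutual TLS is enforced on this transport, and that behavior should be stated explicitly. Minor consistency: `keystore_password`, `truststore_type` and `truststore_password` lack the Optional/Required label the other rows carry, and because both password rows default to `changeit` it is worth noting that this is the stock JDK keystore default and that operators should set their own password rather than rely on it.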
