[DOC-META] Create repository with different cluster security config examples

[cwperks]

What do you want to do?

There are currently 2 zip files on the documentation website with examples for an LDAP authentication and authorization backend and one with a SAML authentication backend as well. See https://github.com/opensearch-project/documentation-website/tree/main/assets/examples

The example zips can be located on:

• https://opensearch.org/docs/latest/security-plugin/configuration/ldap/
• https://opensearch.org/docs/latest/security-plugin/configuration/saml/

Its been reported that the LDAP example is outdated and needs updating: https://github.com/opensearch-project/documentation-website/issues/905

There currently is no example for OpenID Connect and setup-related questions are commonly asked on the forum.

As a new maintainer for the security plugin, I have created different cluster configs for the different types of authentication backends to go through the same setup as new users of OpenSearch to understand the steps required to setup the backends and for debugging purposes.

See:

• https://github.com/cwperks/osd-ldap-example (using OpenLDAP + PhpLDAPAdmin for UI on OpenLDAP)
• https://github.com/cwperks/osd-saml-example (using SimpleSAMLPhp)
  • https://github.com/cwperks/osd-oidc-example (using keycloak)

Advantages:

• Use git workflow to make updates to examples without having to unzip, re-zip and add the zip to a PR for the documentation-website
• Use of git allows better version history of changes to the examples then the current zip files
• Use github issues to track issues with the examples
• Addition of an example for OpenID connect and possibly other cluster configs like multi-auth being introduced in 2.4.0

Disadvantages:

• Another Repo to maintain in opensearch-project

[cwperks]

@cwillum @davidlago @dblock Any ideas on the suggestion above?

[hdhalter]

Sorry this has been neglected for so long. @davidlago , @scrawfor99 - do you think this is worth doing?

[davidlago]

There is a sweet spot between how useful is to have examples and the cost of maintaining them. @cwperks do you have some data points around how F are these FAQs that would be answered by those examples?

I'm in support of creating an examples repo for security use cases, but being judicious with how many we put in there as we (someone) will have to keep them up to date.

[cwperks]

I have started adding examples into the demos repo. Here's the ldap-example for a cluster running with OpenLDAP as an Identity provider. I think this is worth doing and as soon as more examples are added to the demos repo I think we can remove the zips on the documentation-website and instead maintain the demos repo.

I was thinking of having some OSCI contributors help with creating the demos of different cluster configurations. i.e. SAML, OIDC, an example using multiauth, JWT backend and possibly others.

[DarshitChanpura]

Another example in queue to be added to demos repository: SAML demo (PR: https://github.com/opensearch-project/demos/pull/126)

In this example, an OpenSearch node, an OpenSearch Dashboards node, and a test SAML IdP server are spun up via docker with 1 default user shipped as part of the SAML auth realm. It is configurable, and ready to be tested.

[hdhalter]

Hi @cwperks, with the updated SAML example, do you want to test the existing sample, or should we remove it?

[hdhalter]

@AntonEliatra - Can you please respond to this comment so I can assign you to the issue? Thanks!

[AntonEliatra]

@hdhalter Please assign to me

[hdhalter]

@AntonEliatra , has everything in this issue been addressed? Thanks!

[AntonEliatra]

@hdhalter ldap, saml and oidc are available, I believe this was the requirement in this issue. In which case, yes, I believe this can be closed