opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

Is it possible to call the Admin API using the `HTTP` protocol? #4693

Open 10000-ki opened 1 month ago

10000-ki commented 1 month ago

Super admin users

https://opensearch.org/docs/latest/security/access-control/users-roles/#super-admin-users

Super admin users API

Current possible scenarios

Call by sending admin certificate information to the server

curl -k --cert ./ca.crt --key ./ca.key -X PUT "https://{IP:PORT}/_plugins/_security/configupdate"

Proposal

It would be beneficial if some Admin APIs could also be called using basic auth or JWT token-based authentication, rather than just being restricted to certificate-based authentication.

The current requirement to use HTTPS in order to send certificates adds additional constraints.

In certain situations, information like roles and role mappings might change frequently at runtime, so it would be helpful to have an easier way to call these APIs. The existing method seems to be somewhat less user-friendly.

What do you think about this?

10000-ki commented 1 month ago

https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/security-admin/#configure-the-admin-certificate

I understand that this specification has existed since the opendistro days, so making immediate changes might be difficult. However, I'm curious if there is any possibility of easing the restrictions in the future to improve usability.

cwperks commented 4 weeks ago

[Triage] @10000-ki, the admin certificate should work when https is disabled. Are you experiencing an issue using the admin certificate when https is disabled?

I'm hesitant to open up /configupdate to users other than superadmin connecting with the admin cert because this endpoint allows a user to re-configure what authentication mechanisms are configured (including removing all of them). The admin user exists outside of what's configured in the authc and can always be authenticated.

One thing that is possible is exposing dedicated APIs to update portions of the securityconfig, e.g. see this PR which creates APIs to update auth_failure_listeners.