Is it possible to call the Admin API using the HTTP protocol? #4693

Open
10000-ki opened this issue Aug 29, 2024 · 2 comments

Comments


10000-ki commented Aug 29, 2024

Super admin users

https://opensearch.org/docs/latest/security/access-control/users-roles/#super-admin-users

Super admin users API

  • System index search
  • Security config update
  • ...

Current possible scenarios

Call by sending admin certificate information to the server

curl -k --cert ./ca.crt --key ./ca.key -X PUT "https://{IP:PORT}/_plugins/_security/configupdate"

Proposal

It would be beneficial if some Admin APIs could also be called using basic auth or JWT token-based authentication, rather than just being restricted to certificate-based authentication.

The current requirement to use HTTPS in order to send certificates adds additional constraints.

In certain situations, information like roles and role mappings might change frequently at runtime, so it would be helpful to have an easier way to call these APIs. The existing method seems to be somewhat less user-friendly.

What do you think about this?

10000-ki (author) commented

https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/security-admin/#configure-the-admin-certificate

I understand that this specification has existed since the opendistro days, so making immediate changes might be difficult. However, I'm curious if there is any possibility of easing the restrictions in the future to improve usability.

@10000-ki 10000-ki changed the title Proposal regarding the specification for calling the Super admin users API Is it possible to call the Admin API using the HTTP protocol? Aug 29, 2024

cwperks commented Sep 9, 2024

[Triage] @10000-ki, the admin certificate should work when https is disabled. Are you experiencing an issue using the admin certificate when https is disabled?

I'm hesitant to open up /configupdate to users other than superadmin connecting with an admin cert because this endpoint allows a user to re-configure what authentication mechanisms are configured (including removing all of them). The admin user exists outside of what's configured in the authc and can always be authenticated.

One thing that is possible is exposing dedicated APIs to update portions of the securityconfig, e.g. see this PR which creates APIs to update auth_failure_listeners.
