Die Implementierung von Sicherheit und Zugriffskontrolle ist ein kritischer Aspekt beim Betrieb von OpenSearch Dashboards. Dieses Kapitel behandelt die verschiedenen Sicherheitsaspekte und deren praktische Umsetzung.
Die Basiskonfiguration in opensearch_dashboards.yml:
# Security plugin settings for OpenSearch Dashboards (opensearch_dashboards.yml).
opensearch_security.enabled: true
# Marks the session cookie as Secure, so browsers send it only over HTTPS.
# This needs TLS on the Dashboards endpoint or on a TLS-terminating proxy in front of it.
opensearch_security.cookie.secure: true
# Session lifetime in milliseconds (1800000 ms = 30 minutes).
opensearch_security.session.ttl: 1800000
# Enables tenants, i.e. separate spaces for saved objects such as dashboards.
opensearch_security.multitenancy.enabled: true
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
# Certificate and private key that the Dashboards server uses for its own HTTPS listener.
# The paths are placeholders; the key file should be readable only by the
# account that runs Dashboards.
server.ssl.certificate: /path/to/cert.pem
server.ssl.key: /path/to/key.pem
# CA bundle used to validate the certificate presented by the OpenSearch cluster.
opensearch.ssl.certificateAuthorities: ["/path/to/ca.pem"]
opensearch.ssl.verificationMode: full
PUT _plugins/_security/api/internalusers/analyst
{
"password": "secure-password123",
"backend_roles": ["analyst_role"],
"attributes": {
"department": "Analytics"
}
}
PUT _plugins/_security/api/roles/analyst_role
{
"cluster_permissions": [
"cluster:monitor/*"
],
"index_permissions": [
{
"index_patterns": ["logs-*"],
"allowed_actions": [
"read",
"search"
],
"field_level_security": {
"grant": ["timestamp", "message", "level"],
"except": ["sensitive_data"]
}
}
],
"tenant_permissions": [
{
"tenant_patterns": ["analytics"],
"allowed_actions": [
"kibana_all_write"
]
}
]
}
PUT _plugins/_security/api/rolesmapping/analyst_role
{
"backend_roles": ["analyst"],
"hosts": [],
"users": ["analyst1", "analyst2"],
"and_backend_roles": []
}
PUT _plugins/_security/api/tenants/analytics
{
"description": "Analytics Department Tenant",
"reserved": false
}
PUT _plugins/_security/api/roles/analytics_admin
{
"tenant_permissions": [
{
"tenant_patterns": ["analytics"],
"allowed_actions": [
"kibana_all_write"
]
}
]
}
PUT _plugins/_security/api/roles/log_viewer
{
"index_permissions": [
{
"index_patterns": ["logs-*"],
"dls": "level:INFO",
"fls": ["timestamp", "message", "level", "host"],
"masked_fields": ["ip"],
"allowed_actions": [
"read"
]
}
]
}
PUT _plugins/_security/api/roles/restricted_viewer
{
"index_permissions": [
{
"index_patterns": ["customer-*"],
"field_level_security": {
"grant": [
"name",
"public_info",
"timestamp"
]
},
"allowed_actions": [
"read"
]
}
]
}
# NOTE(review): confirm these key names against the Security plugin documentation
# for the installed version. The audit settings I know of are set in opensearch.yml
# under the plugins.security.audit.* prefix (e.g. plugins.security.audit.type).
opensearch.audit.enable: true
# internal_opensearch stores audit events in an index of the same cluster.
opensearch.audit.type: internal_opensearch
opensearch.audit.config:
# NOTE(review): the following lines look like children of "config:", but the
# nesting indentation is missing here; restore it before using this as YAML.
enabled: true
# Users listed here produce no audit events; keep this list as short as possible.
audit.ignore_users: ["kibana"]
# Excluding SearchRequest means search (read) access to indices is not recorded.
audit.ignore_requests: ["SearchRequest"]
audit.resolve_bulk_requests: true
PUT _template/audit_logs
{
"index_patterns": ["audit-*"],
"settings": {
"number_of_shards": 1,
"number_of_replicas": 1
},
"mappings": {
"properties": {
"timestamp": { "type": "date" },
"user": { "type": "keyword" },
"action": { "type": "keyword" },
"indices": { "type": "keyword" },
"request_type": { "type": "keyword" }
}
}
}
POST _plugins/_security/api/apikeys
{
"name": "dashboard_access",
"expiration": "30d",
"roles": ["dashboard_viewer"],
"access_control": {
"index_patterns": ["logs-*"],
"allowed_actions": ["read"]
}
}
GET _plugins/_security/api/apikeys/validation
{
"api_key": "your-api-key"
}
# Session lifetime in milliseconds (3600000 ms = 60 minutes).
opensearch_security.session.ttl: 3600000
# With keepalive enabled, user activity extends the session, so the TTL
# presumably acts as an idle timeout rather than a hard upper limit (verify
# against the plugin documentation).
opensearch_security.session.keepalive: true
opensearch_security.session.validation_interval: 60000
GET _plugins/_security/api/sessions
PUT _plugins/_security/api/securityconfig
{
"password_policy": {
"minimum_length": 12,
"require_numbers": true,
"require_lowercase": true,
"require_uppercase": true,
"require_symbols": true,
"password_history": 5
}
}
# OpenSearch node network settings (opensearch.yml, not opensearch_dashboards.yml).
# Binding to localhost means the node accepts connections only from the same
# machine; remote clients and other cluster nodes cannot reach it.
network.host: localhost
network.bind_host: localhost
network.publish_host: localhost
PUT _plugins/_alerting/monitors/security_monitor
{
"type": "monitor",
"name": "Security Events Monitor",
"enabled": true,
"schedule": {
"period": {
"interval": 5,
"unit": "MINUTES"
}
},
"inputs": [
{
"search": {
"indices": ["audit-*"],
"query": {
"bool": {
"must": [
{
"term": {
"action": "FAILED_LOGIN"
}
}
]
}
}
}
}
],
"triggers": [
{
"name": "Security Alert",
"severity": "High",
"condition": {
"script": {
"source": "ctx.results[0].hits.total.value > 5"
}
}
}
]
}