Add documentation for security config upgrade feature #6634
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]>
Thanks, @peternied! Can you please address the Vale errors prior to the doc review? Thanks.
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
d1ad07e to 7f07e97
Thank you @peternied. Left a few comments.
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
@peternied I left 2 comments, but otherwise this looks good to me and can go for editorial review.
Left a couple of comments. Looks good to me otherwise.
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]>
@peternied @Naarcha-AWS Please see my comments and changes, particularly my comment on line 1305, and let me know if you have any questions. Thanks!
_security/access-control/api.md
Outdated
Introduced 2.13 | ||
{: .label .label-purple } | ||
|
||
Checks the cuurent configuration bundled with the host's Security plugin and compares it to the latest Security plugin bundled with OpenSearch. Then, the API returns whether or not can be performed and what resources can be updated. |
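Review bot: The second sentence of this description, "the API returns whether or not can be performed", has no subject for "can be performed", and "cuurent" in the first sentence is misspelled. Suggest "returns whether or not an upgrade can be performed and which resources would be updated", and state the comparison as the configuration bundled with the Security plugin against the existing security configuration, so the two sides are unambiguous.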
There appear to be some words missing in the second sentence.
Original text: Checks the configuration bundled with the Security plugin against the existing security configuration, returns if an upgrade can be performed and what resources would be updated.
Here is a diagram of what the actual flow / comparisons are. (Thanks ChatGPT!)
```mermaid
sequenceDiagram
    participant U as User
    participant D as Configuration on Disk
    participant S as SecurityPlugin
    participant M as Configuration in SecurityPlugin Memory
    U->>+S: API Call to Check Configuration
    S->>+D: Retrieve Current Configuration from Disk
    D-->>-S: Current Disk Configuration
    S->>+M: Check Configuration in Memory
    M-->>-S: Current in Memory Configuration
    S->>S: Compare Configurations
    alt Configurations Match
        S-->>U: No Update Needed
    else Configurations Do Not Match
        S->>S: Determine Resources for Update
        S-->>U: Update Can be Performed, List resources to Update
    end
```
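The comparison in the diagram above, as an added example that is not part of the original comment or the Security plugin's code: a simplified Python model in which both configurations are nested dictionaries. The resource names, the `add`/`modify` report shape and the function names are assumptions made for illustration.

```python
# Added illustration: a simplified model of the check/upgrade comparison.
# Data shapes and all names below are assumptions, not the Security plugin's code.
import copy

# Constructed sample: defaults shipped with the installed plugin artifact.
BUNDLED = {
    "roles": {
        "example_default_role": {"permissions": ["example:read", "example:search"]},
        "example_new_role": {"permissions": ["example:monitor"]},
    },
}

# Constructed sample: the configuration the cluster currently runs with.
EXISTING = {
    "roles": {
        "example_default_role": {"permissions": ["example:read"]},  # stale default
        "operator_custom_role": {"permissions": ["example:write"]},  # operator-defined
    },
}


def check_upgrade(bundled, existing):
    """Report which bundled entries are missing ("add") or differ ("modify")."""
    changes = {}
    for rtype, defaults in bundled.items():
        current = existing.get(rtype, {})
        add = sorted(name for name in defaults if name not in current)
        modify = sorted(
            name for name in defaults
            if name in current and current[name] != defaults[name]
        )
        if add or modify:
            changes[rtype] = {"add": add, "modify": modify}
    return {"upgrade_available": bool(changes), "changes": changes}


def perform_upgrade(bundled, existing):
    """Return a new config with only the reported entries added or replaced."""
    upgraded = copy.deepcopy(existing)
    for rtype, change in check_upgrade(bundled, existing)["changes"].items():
        target = upgraded.setdefault(rtype, {})
        for name in change["add"] + change["modify"]:
            target[name] = copy.deepcopy(bundled[rtype][name])
    return upgraded


if __name__ == "__main__":
    print(check_upgrade(BUNDLED, EXISTING))
    print(check_upgrade(BUNDLED, perform_upgrade(BUNDLED, EXISTING)))
```

In this model an entry that exists only in the running configuration is left untouched, while an entry sharing a name with a bundled default is replaced, which is why the check report is worth reading before the upgrade is applied.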
@natebower I feel like that original text might be a better starting point, but let me know if you'd like me to workshop it more
@peternied: I think I'm confused as to what you mean by "bundled"? When I hear bundled, I assume the API is checking for upgrades either against the upstream instance (the newest artifact) or the version of the artifact the user downloaded. But, if the user has to download a new artifact for the latest Security Plugin information to persist in memory, isn't there a step we're missing in the documentation then?
I mean the version of the artifact the user downloaded.
This API is for after an upgrade was performed, such as a Rolling Upgrade.
Note: I think this highlights another part of the documentation that I should include: 'now that you've upgraded you can [optionally] upgrade the security configuration via this API', which links to this documentation.
_security/access-control/api.md
Outdated
|
||
Adds and updates resources on a host's existing security configuration from the configuration bundled with the latest version of the Security plugin. | ||
|
||
These bundled configuration files can be found in the `<OPENSEARCH_HOME>/security/config` directory. Default configuration files are updated on OpenSearch upgrade, whereas the cluster configuration is only updated by the cluster operators. This endpoint helps cluster operators upgrade missing defaults and stale defaults definitions. |
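Review bot: In the first sentence of this hunk, "the configuration bundled with the latest version of the Security plugin" can be read as the newest upstream release, while the next paragraph places the bundled files in `<OPENSEARCH_HOME>/security/config` of the local install. Suggest "the configuration bundled with the installed version of the Security plugin", and add a sentence saying the endpoint is intended for use after an OpenSearch upgrade, since the default files only change at that point. "Stale defaults definitions" in the last sentence would also read better as "stale default definitions".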
"cluster operator" (singular)?
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Naarcha-AWS <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
…arch-project#6634)" This reverts commit 6f862fa. Signed-off-by: Peter Nied <[email protected]>
#6956) This reverts commit 6f862fa. Signed-off-by: Peter Nied <[email protected]>
Description
Adds documentation for the new security feature to upgrade configurations based on the default config files bundled with the security plugin