/usr/share/elasticsearch/plugins/opendistro security/securityconfig/elasticsearch.yml.example

############## Open Distro Security configuration ###############

###########################################################
# Add the following settings to your standard elasticsearch.yml 
# alongside with the Open Distro Security TLS settings.
# Settings must always be the same on all nodes in the cluster.

############## Common configuration settings ##############

# Enable or disable the Open Distro Security advanced modules
# By default advanced modules are enabled, you can switch
# all advanced features off by setting the following key to false
opendistro_security.advanced_modules_enabled: true

# Specify a list of DNs which denote the other nodes in the cluster.
# This settings support wildcards and regular expressions
# This setting only has effect if 'opendistro_security.cert.intercluster_request_evaluator_class' is not set.
opendistro_security.nodes_dn:
  - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE"
  - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"

# Defines the DNs (distinguished names) of certificates
# to which admin privileges should be assigned (mandatory)
opendistro_security.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"

# Define how backend roles should be mapped to Open Distro Security roles
# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default)
# BACKENDROLES_ONLY - backend roles are mapped to Open Distro Security rules directly. Settings in roles_mapping.yml have no effect.
# BOTH - backend roles are mapped to Open Distro Security roles mapped directly and via roles_mapping.yml in addition
opendistro_security.roles_mapping_resolution: MAPPING_ONLY

############## REST Management API configuration settings ##############
# Enable or disable role based access to the REST management API
# Default is that no role is allowed to access the REST management API.
#opendistro_security.restapi.roles_enabled: ["all_access","xyz_role"]

# Disable particular endpoints and their HTTP methods for roles. 
# By default all endpoints/methods are allowed.
#opendistro_security.restapi.endpoints_disabled.<role>.<endpoint>: <array of http methods>
# Example:
#opendistro_security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"]
#opendistro_security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"]

# The following endpoints exist:
# ACTIONGROUPS
# CACHE
# CONFIG
# ROLES
# ROLESMAPPING
# INTERNALUSERS
# SYSTEMINFO
# PERMISSIONSINFO

############## Auditlog configuration settings ##############
# General settings

# Enable/disable rest request logging (default: true)
#opendistro_security.audit.enable_rest: true
# Enable/disable transport request logging (default: false)
#opendistro_security.audit.enable_transport: false
# Enable/disable bulk request logging (default: false)
# If enabled all subrequests in bulk requests will be logged too
#opendistro_security.audit.resolve_bulk_requests: false
# Disable some categories
#opendistro_security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"]
# Disable some requests (wildcard or regex of actions or rest request paths)
#opendistro_security.audit.ignore_requests: ["indices:data/read/*","*_bulk"]
# Tune threadpool size, default is 10 and 0 means disabled
#opendistro_security.audit.threadpool.size: 0
# Tune threadpool max size queue length, default is 100000
#opendistro_security.audit.threadpool.max_queue_len: 100000

# If enable_request_details is true then the audit log event will also contain
# details like the search query. Default is false. 
#opendistro_security.audit.enable_request_details: true
# Ignore users, e.g. do not log audit requests from that users (default: no ignored users)
#opendistro_security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']"

# Destination of the auditlog events
opendistro_security.audit.type: internal_elasticsearch
#opendistro_security.audit.type: external_elasticsearch
#opendistro_security.audit.type: debug
#opendistro_security.audit.type: webhook

# external_elasticsearch settings
#opendistro_security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']"
# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6')
#opendistro_security.audit.config.index: auditlog6 # make sure you secure this index properly
#opendistro_security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly
#opendistro_security.audit.config.type: auditlog
#opendistro_security.audit.config.username: auditloguser
#opendistro_security.audit.config.password: auditlogpassword
#opendistro_security.audit.config.enable_ssl: false
#opendistro_security.audit.config.verify_hostnames: false
#opendistro_security.audit.config.enable_ssl_client_auth: false
#opendistro_security.audit.config.cert_alias: mycert
#opendistro_security.audit.config.pemkey_filepath: key.pem
#opendistro_security.audit.config.pemkey_content: <...pem base 64 content>
#opendistro_security.audit.config.pemkey_password: secret
#opendistro_security.audit.config.pemcert_filepath: cert.pem
#opendistro_security.audit.config.pemcert_content: <...pem base 64 content>
#opendistro_security.audit.config.pemtrustedcas_filepath: ca.pem
#opendistro_security.audit.config.pemtrustedcas_content: <...pem base 64 content>

# webhook settings
#opendistro_security.audit.config.webhook.url: "http://mywebhook/endpoint"
# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK
#opendistro_security.audit.config.webhook.format: JSON
#opendistro_security.audit.config.webhook.ssl.verify: false
#opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem
#opendistro_security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content>

# log4j settings
#opendistro_security.audit.config.log4j.logger_name: auditlogger
#opendistro_security.audit.config.log4j.level: INFO

############## Kerberos configuration settings ##############
# If Kerberos authentication should be used you have to configure:

# The Path to the krb5.conf file
# Can be absolute or relative to the Elasticsearch config directory
#opendistro_security.kerberos.krb5_filepath: '/etc/krb5.conf'
            
# The Path to the keytab where the acceptor_principal credentials are stored.           
# Must be relative to the Elasticsearch config directory
#opendistro_security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'

# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
#opendistro_security.kerberos.acceptor_principal: 'HTTP/localhost'

############## Advanced configuration settings ##############
# Enable transport layer impersonation
# Allow DNs (distinguished names) to impersonate as other users
#opendistro_security.authcz.impersonation_dn:
#  "CN=spock,OU=client,O=client,L=Test,C=DE":
#    - worf
#  "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
#    - user2
#    - user1

# Enable rest layer impersonation
# Allow users to impersonate as other users
#opendistro_security.authcz.rest_impersonation_user:
#  "picard":
#    - worf
#  "john":
#    - steve
#    - martin

# If this is set to true Open Distro Security will automatically initialize the configuration index
# with the files in the config directory if the index does not exist.
# WARNING: This will use well-known default passwords.
#          Use only in a private network/environment.
#opendistro_security.allow_default_init_securityindex: false

# If this is set to true then allow to startup with demo certificates.
# These are certificates issued by floragunn GmbH for demo purposes.
# WARNING: This certificates are well known and therefore unsafe
#          Use only in a private network/environment.
#opendistro_security.allow_unsafe_democertificates: false

############## Expert settings ##############
# WARNING: Expert settings, do only use if you know what you are doing
# If you set wrong values here this this could be a security risk
# or make Open Distro Security stop working

# Name of the index where .opendistro_security stores its configuration.

#opendistro_security.config_index_name: .opendistro_security

# This defines the OID of server node certificates
#opendistro_security.cert.oid: '1.2.3.4.5.5'

# This specifies the implementation of com.amazon.opendistroforelasticsearch.security.transport.InterClusterRequestEvaluator
# that is used to determine inter-cluster request.
# Instances of com.amazon.opendistroforelasticsearch.security.transport.InterClusterRequestEvaluator must implement a single argument
# constructor that takes an org.elasticsearch.common.settings.Settings
#opendistro_security.cert.intercluster_request_evaluator_class: com.amazon.opendistroforelasticsearch.security.transport.DefaultInterClusterRequestEvaluator

# Allow snapshot restore for normal users
# By default only requests signed by an admin TLS certificate can do this
# To enable snapshot restore for normal users set 'opendistro_security.enable_snapshot_restore_privilege: true'
# The user who wants to restore a snapshot must have the 'cluster:admin/snapshot/restore' privilege and must also have
# "indices:admin/create" and "indices:data/write/index" for the indices to be restores.
# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index
# If 'opendistro_security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted.

# This makes it less secure.
#opendistro_security.enable_snapshot_restore_privilege: true
#opendistro_security.check_snapshot_restore_write_privileges: false

# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60)
#opendistro_security.cache.ttl_minutes: 60

# Disable Open Distro Security
# WARNING: This can expose your configuration (including passwords) to the public.
#opendistro_security.disabled: false


# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role
# to be visible, listed in the opendistro_security.protected_indices.roles setting.
# Enable protected indices
# opendistro_security.protected_indices.enabled: true
# Specify a list of roles a user must be member of to touch any protected index.
# opendistro_security.protected_indices.roles: ['all_access']
# Specify a list of indices to mark as protected. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role.
# opendistro_security.protected_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*']