radu-gheorghe · September 15, 2023 04:54
diff --git a/securityconfig-secret.yaml b/securityconfig-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: securityconfig-secret
 type: Opaque
 stringData:
  internal_users.yml: |-
    _meta:
      type: "internalusers"
      config_version: 2
    admin:
      hash: "$2y$12$B1MZUbsRd6AbhUXiSw2GOejrlPrnqgoDwgPm/LqH0VTlF8xM2.leO"
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
  action_groups.yml: |-
     _meta:
       type: "actiongroups"
       config_version: 2
  nodes_dn.yml: |-
        _meta:
          type: "nodesdn"
          config_version: 2
  whitelist.yml: |-
    _meta:
      type: "whitelist"
      config_version: 2
  tenants.yml: |-
    _meta:
      type: "tenants"
      config_version: 2
  roles_mapping.yml: |-
    _meta:
      type: "rolesmapping"
      config_version: 2
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      description: "Maps admin to all_access"

    own_index:
      reserved: false
      users:
      - "*"
      description: "Allow full access to an index named like the username"

    logstash:
      reserved: false
      backend_roles:
      - "logstash"

    kibana_user:
      reserved: false
      backend_roles:
      - "kibanauser"
      description: "Maps kibanauser to kibana_user"

    readall:
      reserved: false
      backend_roles:
      - "readall"

    manage_snapshots:
      reserved: false
      backend_roles:
      - "snapshotrestore"

    kibana_server:
      reserved: true
      users:
      - "kibanaserver"
  roles.yml: |-
    _meta:
      type: "roles"
      config_version: 2
    # Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
    kibana_read_only:
      reserved: true

    # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
    security_rest_api_access:
      reserved: true

    security_rest_api_full_access:
      reserved: true
      cluster_permissions:
        - 'restapi:admin/actiongroups'
        - 'restapi:admin/allowlist'
        - 'restapi:admin/internalusers'
        - 'restapi:admin/nodesdn'
        - 'restapi:admin/roles'
        - 'restapi:admin/rolesmapping'
        - 'restapi:admin/ssl/certs/info'
        - 'restapi:admin/ssl/certs/reload'
        - 'restapi:admin/tenants'

    # Allows users to view monitors, destinations and alerts
    alerting_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/alerting/alerts/get'
        - 'cluster:admin/opendistro/alerting/destination/get'
        - 'cluster:admin/opendistro/alerting/monitor/get'
        - 'cluster:admin/opendistro/alerting/monitor/search'
        - 'cluster:admin/opensearch/alerting/findings/get'
        - 'cluster:admin/opensearch/alerting/workflow/get'
        - 'cluster:admin/opensearch/alerting/workflow_alerts/get'

    # Allows users to view and acknowledge alerts
    alerting_ack_alerts:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/alerting/alerts/*'
        - 'cluster:admin/opendistro/alerting/chained_alerts/*'
        - 'cluster:admin/opendistro/alerting/workflow_alerts/*'

    # Allows users to use all alerting functionality
    alerting_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster_monitor'
        - 'cluster:admin/opendistro/alerting/*'
        - 'cluster:admin/opensearch/alerting/*'
        - 'cluster:admin/opensearch/notifications/feature/publish'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices_monitor'
            - 'indices:admin/aliases/get'
            - 'indices:admin/mappings/get'

    # Allow users to read Anomaly Detection detectors and results
    anomaly_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/ad/detector/info'
        - 'cluster:admin/opendistro/ad/detector/search'
        - 'cluster:admin/opendistro/ad/detectors/get'
        - 'cluster:admin/opendistro/ad/result/search'
        - 'cluster:admin/opendistro/ad/tasks/search'
        - 'cluster:admin/opendistro/ad/detector/validate'
        - 'cluster:admin/opendistro/ad/result/topAnomalies'

    # Allows users to use all Anomaly Detection functionality
    anomaly_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster_monitor'
        - 'cluster:admin/opendistro/ad/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices_monitor'
            - 'indices:admin/aliases/get'
            - 'indices:admin/mappings/get'

    # Allow users to execute read only k-NN actions
    knn_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/knn_search_model_action'
        - 'cluster:admin/knn_get_model_action'
        - 'cluster:admin/knn_stats_action'

    # Allow users to use all k-NN functionality
    knn_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/knn_training_model_action'
        - 'cluster:admin/knn_training_job_router_action'
        - 'cluster:admin/knn_training_job_route_decision_info_action'
        - 'cluster:admin/knn_warmup_action'
        - 'cluster:admin/knn_delete_model_action'
        - 'cluster:admin/knn_remove_model_from_cache_action'
        - 'cluster:admin/knn_update_model_graveyard_action'
        - 'cluster:admin/knn_search_model_action'
        - 'cluster:admin/knn_get_model_action'
        - 'cluster:admin/knn_stats_action'

    # Allows users to read Notebooks
    notebooks_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/notebooks/list'
        - 'cluster:admin/opendistro/notebooks/get'

    # Allows users to all Notebooks functionality
    notebooks_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/notebooks/create'
        - 'cluster:admin/opendistro/notebooks/update'
        - 'cluster:admin/opendistro/notebooks/delete'
        - 'cluster:admin/opendistro/notebooks/get'
        - 'cluster:admin/opendistro/notebooks/list'

    # Allows users to read observability objects
    observability_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/observability/get'

    # Allows users to all Observability functionality
    observability_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/observability/create'
        - 'cluster:admin/opensearch/observability/update'
        - 'cluster:admin/opensearch/observability/delete'
        - 'cluster:admin/opensearch/observability/get'

    # Allows users to all PPL functionality
    ppl_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/ppl'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:admin/mappings/get'
            - 'indices:data/read/search*'
            - 'indices:monitor/settings/get'

    # Allows users to read and download Reports
    reports_instances_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/reports/instance/list'
        - 'cluster:admin/opendistro/reports/instance/get'
        - 'cluster:admin/opendistro/reports/menu/download'

    # Allows users to read and download Reports and Report-definitions
    reports_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/reports/definition/get'
        - 'cluster:admin/opendistro/reports/definition/list'
        - 'cluster:admin/opendistro/reports/instance/list'
        - 'cluster:admin/opendistro/reports/instance/get'
        - 'cluster:admin/opendistro/reports/menu/download'

    # Allows users to all Reports functionality
    reports_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/reports/definition/create'
        - 'cluster:admin/opendistro/reports/definition/update'
        - 'cluster:admin/opendistro/reports/definition/on_demand'
        - 'cluster:admin/opendistro/reports/definition/delete'
        - 'cluster:admin/opendistro/reports/definition/get'
        - 'cluster:admin/opendistro/reports/definition/list'
        - 'cluster:admin/opendistro/reports/instance/list'
        - 'cluster:admin/opendistro/reports/instance/get'
        - 'cluster:admin/opendistro/reports/menu/download'

    # Allows users to use all asynchronous-search functionality
    asynchronous_search_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/asynchronous_search/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:data/read/search*'

    # Allows users to read stored asynchronous-search results
    asynchronous_search_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/asynchronous_search/get'

    # Allows user to use all index_management actions - ism policies, rollups, transforms
    index_management_full_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/ism/*"
        - "cluster:admin/opendistro/rollup/*"
        - "cluster:admin/opendistro/transform/*"
        - "cluster:admin/opensearch/controlcenter/lron/*"
        - "cluster:admin/opensearch/notifications/channels/get"
        - "cluster:admin/opensearch/notifications/feature/publish"
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:admin/opensearch/ism/*'

    # Allows users to use all cross cluster replication functionality at leader cluster
    cross_cluster_replication_leader_full_access:
      reserved: true
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - "indices:admin/plugins/replication/index/setup/validate"
            - "indices:data/read/plugins/replication/changes"
            - "indices:data/read/plugins/replication/file_chunk"

    # Allows users to use all cross cluster replication functionality at follower cluster
    cross_cluster_replication_follower_full_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/plugins/replication/autofollow/update"
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - "indices:admin/plugins/replication/index/setup/validate"
            - "indices:data/write/plugins/replication/changes"
            - "indices:admin/plugins/replication/index/start"
            - "indices:admin/plugins/replication/index/pause"
            - "indices:admin/plugins/replication/index/resume"
            - "indices:admin/plugins/replication/index/stop"
            - "indices:admin/plugins/replication/index/update"
            - "indices:admin/plugins/replication/index/status_check"

    # Allows users to use all cross cluster search functionality at remote cluster
    cross_cluster_search_remote_full_access:
      reserved: true
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:admin/shards/search_shards'
            - 'indices:data/read/search'

    # Allow users to read ML stats/models/tasks
    ml_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/ml/stats/nodes'
        - 'cluster:admin/opensearch/ml/model_groups/search'
        - 'cluster:admin/opensearch/ml/models/get'
        - 'cluster:admin/opensearch/ml/models/search'
        - 'cluster:admin/opensearch/ml/tasks/get'
        - 'cluster:admin/opensearch/ml/tasks/search'

    # Allows users to use all ML functionality
    ml_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster_monitor'
        - 'cluster:admin/opensearch/ml/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices_monitor'

    # Allows users to use all Notifications functionality
    notifications_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/notifications/*'

    # Allows users to read Notifications config/channels
    notifications_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/notifications/configs/get'
        - 'cluster:admin/opensearch/notifications/features'
        - 'cluster:admin/opensearch/notifications/channels/get'

    # Allows users to use all snapshot management functionality
    snapshot_management_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/snapshot_management/*'
        - 'cluster:admin/opensearch/notifications/feature/publish'
        - 'cluster:admin/repository/*'
        - 'cluster:admin/snapshot/*'

    # Allows users to see snapshots, repositories, and snapshot management policies
    snapshot_management_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/snapshot_management/policy/get'
        - 'cluster:admin/opensearch/snapshot_management/policy/search'
        - 'cluster:admin/opensearch/snapshot_management/policy/explain'
        - 'cluster:admin/repository/get'
        - 'cluster:admin/snapshot/get'

    # Allows user to use point in time functionality
    point_in_time_full_access:
      reserved: true
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'manage_point_in_time'

    # Allows users to see security analytics detectors and others
    security_analytics_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/securityanalytics/alerts/get'
        - 'cluster:admin/opensearch/securityanalytics/correlations/findings'
        - 'cluster:admin/opensearch/securityanalytics/correlations/list'
        - 'cluster:admin/opensearch/securityanalytics/detector/get'
        - 'cluster:admin/opensearch/securityanalytics/detector/search'
        - 'cluster:admin/opensearch/securityanalytics/findings/get'
        - 'cluster:admin/opensearch/securityanalytics/mapping/get'
        - 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
        - 'cluster:admin/opensearch/securityanalytics/rule/get'
        - 'cluster:admin/opensearch/securityanalytics/rule/search'

    # Allows users to use all security analytics functionality
    security_analytics_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/securityanalytics/alerts/*'
        - 'cluster:admin/opensearch/securityanalytics/correlations/*'
        - 'cluster:admin/opensearch/securityanalytics/detector/*'
        - 'cluster:admin/opensearch/securityanalytics/findings/*'
        - 'cluster:admin/opensearch/securityanalytics/mapping/*'
        - 'cluster:admin/opensearch/securityanalytics/rule/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:admin/mapping/put'
            - 'indices:admin/mappings/get'

    # Allows users to view and acknowledge alerts
    security_analytics_ack_alerts:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/securityanalytics/alerts/*'
  config.yml: |-
    _meta:
      type: "config"
      config_version: "2"
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: "4"
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
	apiVersion: v1
	kind: Secret
	metadata:
	name: securityconfig-secret
	type: Opaque
	stringData:
	internal_users.yml: \|-
	_meta:
	type: "internalusers"
	config_version: 2
	admin:
	hash: "$2y$12$B1MZUbsRd6AbhUXiSw2GOejrlPrnqgoDwgPm/LqH0VTlF8xM2.leO"
	reserved: true
	backend_roles:
	- "admin"
	description: "Demo admin user"
	action_groups.yml: \|-
	_meta:
	type: "actiongroups"
	config_version: 2
	nodes_dn.yml: \|-
	_meta:
	type: "nodesdn"
	config_version: 2
	whitelist.yml: \|-
	_meta:
	type: "whitelist"
	config_version: 2
	tenants.yml: \|-
	_meta:
	type: "tenants"
	config_version: 2
	roles_mapping.yml: \|-
	_meta:
	type: "rolesmapping"
	config_version: 2
	all_access:
	reserved: false
	backend_roles:
	- "admin"
	description: "Maps admin to all_access"

	own_index:
	reserved: false
	users:
	- "*"
	description: "Allow full access to an index named like the username"

	logstash:
	reserved: false
	backend_roles:
	- "logstash"

	kibana_user:
	reserved: false
	backend_roles:
	- "kibanauser"
	description: "Maps kibanauser to kibana_user"

	readall:
	reserved: false
	backend_roles:
	- "readall"

	manage_snapshots:
	reserved: false
	backend_roles:
	- "snapshotrestore"

	kibana_server:
	reserved: true
	users:
	- "kibanaserver"
	roles.yml: \|-
	_meta:
	type: "roles"
	config_version: 2
	# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
	kibana_read_only:
	reserved: true

	# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
	security_rest_api_access:
	reserved: true

	security_rest_api_full_access:
	reserved: true
	cluster_permissions:
	- 'restapi:admin/actiongroups'
	- 'restapi:admin/allowlist'
	- 'restapi:admin/internalusers'
	- 'restapi:admin/nodesdn'
	- 'restapi:admin/roles'
	- 'restapi:admin/rolesmapping'
	- 'restapi:admin/ssl/certs/info'
	- 'restapi:admin/ssl/certs/reload'
	- 'restapi:admin/tenants'

	# Allows users to view monitors, destinations and alerts
	alerting_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/alerting/alerts/get'
	- 'cluster:admin/opendistro/alerting/destination/get'
	- 'cluster:admin/opendistro/alerting/monitor/get'
	- 'cluster:admin/opendistro/alerting/monitor/search'
	- 'cluster:admin/opensearch/alerting/findings/get'
	- 'cluster:admin/opensearch/alerting/workflow/get'
	- 'cluster:admin/opensearch/alerting/workflow_alerts/get'

	# Allows users to view and acknowledge alerts
	alerting_ack_alerts:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/alerting/alerts/*'
	- 'cluster:admin/opendistro/alerting/chained_alerts/*'
	- 'cluster:admin/opendistro/alerting/workflow_alerts/*'

	# Allows users to use all alerting functionality
	alerting_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster_monitor'
	- 'cluster:admin/opendistro/alerting/*'
	- 'cluster:admin/opensearch/alerting/*'
	- 'cluster:admin/opensearch/notifications/feature/publish'
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices_monitor'
	- 'indices:admin/aliases/get'
	- 'indices:admin/mappings/get'

	# Allow users to read Anomaly Detection detectors and results
	anomaly_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/ad/detector/info'
	- 'cluster:admin/opendistro/ad/detector/search'
	- 'cluster:admin/opendistro/ad/detectors/get'
	- 'cluster:admin/opendistro/ad/result/search'
	- 'cluster:admin/opendistro/ad/tasks/search'
	- 'cluster:admin/opendistro/ad/detector/validate'
	- 'cluster:admin/opendistro/ad/result/topAnomalies'

	# Allows users to use all Anomaly Detection functionality
	anomaly_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster_monitor'
	- 'cluster:admin/opendistro/ad/*'
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices_monitor'
	- 'indices:admin/aliases/get'
	- 'indices:admin/mappings/get'

	# Allow users to execute read only k-NN actions
	knn_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/knn_search_model_action'
	- 'cluster:admin/knn_get_model_action'
	- 'cluster:admin/knn_stats_action'

	# Allow users to use all k-NN functionality
	knn_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/knn_training_model_action'
	- 'cluster:admin/knn_training_job_router_action'
	- 'cluster:admin/knn_training_job_route_decision_info_action'
	- 'cluster:admin/knn_warmup_action'
	- 'cluster:admin/knn_delete_model_action'
	- 'cluster:admin/knn_remove_model_from_cache_action'
	- 'cluster:admin/knn_update_model_graveyard_action'
	- 'cluster:admin/knn_search_model_action'
	- 'cluster:admin/knn_get_model_action'
	- 'cluster:admin/knn_stats_action'

	# Allows users to read Notebooks
	notebooks_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/notebooks/list'
	- 'cluster:admin/opendistro/notebooks/get'

	# Allows users to all Notebooks functionality
	notebooks_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/notebooks/create'
	- 'cluster:admin/opendistro/notebooks/update'
	- 'cluster:admin/opendistro/notebooks/delete'
	- 'cluster:admin/opendistro/notebooks/get'
	- 'cluster:admin/opendistro/notebooks/list'

	# Allows users to read observability objects
	observability_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/observability/get'

	# Allows users to all Observability functionality
	observability_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/observability/create'
	- 'cluster:admin/opensearch/observability/update'
	- 'cluster:admin/opensearch/observability/delete'
	- 'cluster:admin/opensearch/observability/get'

	# Allows users to all PPL functionality
	ppl_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/ppl'
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices:admin/mappings/get'
	- 'indices:data/read/search*'
	- 'indices:monitor/settings/get'

	# Allows users to read and download Reports
	reports_instances_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/reports/instance/list'
	- 'cluster:admin/opendistro/reports/instance/get'
	- 'cluster:admin/opendistro/reports/menu/download'

	# Allows users to read and download Reports and Report-definitions
	reports_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/reports/definition/get'
	- 'cluster:admin/opendistro/reports/definition/list'
	- 'cluster:admin/opendistro/reports/instance/list'
	- 'cluster:admin/opendistro/reports/instance/get'
	- 'cluster:admin/opendistro/reports/menu/download'

	# Allows users to all Reports functionality
	reports_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/reports/definition/create'
	- 'cluster:admin/opendistro/reports/definition/update'
	- 'cluster:admin/opendistro/reports/definition/on_demand'
	- 'cluster:admin/opendistro/reports/definition/delete'
	- 'cluster:admin/opendistro/reports/definition/get'
	- 'cluster:admin/opendistro/reports/definition/list'
	- 'cluster:admin/opendistro/reports/instance/list'
	- 'cluster:admin/opendistro/reports/instance/get'
	- 'cluster:admin/opendistro/reports/menu/download'

	# Allows users to use all asynchronous-search functionality
	asynchronous_search_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/asynchronous_search/*'
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices:data/read/search*'

	# Allows users to read stored asynchronous-search results
	asynchronous_search_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opendistro/asynchronous_search/get'

	# Allows user to use all index_management actions - ism policies, rollups, transforms
	index_management_full_access:
	reserved: true
	cluster_permissions:
	- "cluster:admin/opendistro/ism/*"
	- "cluster:admin/opendistro/rollup/*"
	- "cluster:admin/opendistro/transform/*"
	- "cluster:admin/opensearch/controlcenter/lron/*"
	- "cluster:admin/opensearch/notifications/channels/get"
	- "cluster:admin/opensearch/notifications/feature/publish"
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices:admin/opensearch/ism/*'

	# Allows users to use all cross cluster replication functionality at leader cluster
	cross_cluster_replication_leader_full_access:
	reserved: true
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- "indices:admin/plugins/replication/index/setup/validate"
	- "indices:data/read/plugins/replication/changes"
	- "indices:data/read/plugins/replication/file_chunk"

	# Allows users to use all cross cluster replication functionality at follower cluster
	cross_cluster_replication_follower_full_access:
	reserved: true
	cluster_permissions:
	- "cluster:admin/plugins/replication/autofollow/update"
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- "indices:admin/plugins/replication/index/setup/validate"
	- "indices:data/write/plugins/replication/changes"
	- "indices:admin/plugins/replication/index/start"
	- "indices:admin/plugins/replication/index/pause"
	- "indices:admin/plugins/replication/index/resume"
	- "indices:admin/plugins/replication/index/stop"
	- "indices:admin/plugins/replication/index/update"
	- "indices:admin/plugins/replication/index/status_check"

	# Allows users to use all cross cluster search functionality at remote cluster
	cross_cluster_search_remote_full_access:
	reserved: true
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices:admin/shards/search_shards'
	- 'indices:data/read/search'

	# Allow users to read ML stats/models/tasks
	ml_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/ml/stats/nodes'
	- 'cluster:admin/opensearch/ml/model_groups/search'
	- 'cluster:admin/opensearch/ml/models/get'
	- 'cluster:admin/opensearch/ml/models/search'
	- 'cluster:admin/opensearch/ml/tasks/get'
	- 'cluster:admin/opensearch/ml/tasks/search'

	# Allows users to use all ML functionality
	ml_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster_monitor'
	- 'cluster:admin/opensearch/ml/*'
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices_monitor'

	# Allows users to use all Notifications functionality
	notifications_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/notifications/*'

	# Allows users to read Notifications config/channels
	notifications_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/notifications/configs/get'
	- 'cluster:admin/opensearch/notifications/features'
	- 'cluster:admin/opensearch/notifications/channels/get'

	# Allows users to use all snapshot management functionality
	snapshot_management_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/snapshot_management/*'
	- 'cluster:admin/opensearch/notifications/feature/publish'
	- 'cluster:admin/repository/*'
	- 'cluster:admin/snapshot/*'

	# Allows users to see snapshots, repositories, and snapshot management policies
	snapshot_management_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/snapshot_management/policy/get'
	- 'cluster:admin/opensearch/snapshot_management/policy/search'
	- 'cluster:admin/opensearch/snapshot_management/policy/explain'
	- 'cluster:admin/repository/get'
	- 'cluster:admin/snapshot/get'

	# Allows user to use point in time functionality
	point_in_time_full_access:
	reserved: true
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'manage_point_in_time'

	# Allows users to see security analytics detectors and others
	security_analytics_read_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/securityanalytics/alerts/get'
	- 'cluster:admin/opensearch/securityanalytics/correlations/findings'
	- 'cluster:admin/opensearch/securityanalytics/correlations/list'
	- 'cluster:admin/opensearch/securityanalytics/detector/get'
	- 'cluster:admin/opensearch/securityanalytics/detector/search'
	- 'cluster:admin/opensearch/securityanalytics/findings/get'
	- 'cluster:admin/opensearch/securityanalytics/mapping/get'
	- 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
	- 'cluster:admin/opensearch/securityanalytics/rule/get'
	- 'cluster:admin/opensearch/securityanalytics/rule/search'

	# Allows users to use all security analytics functionality
	security_analytics_full_access:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/securityanalytics/alerts/*'
	- 'cluster:admin/opensearch/securityanalytics/correlations/*'
	- 'cluster:admin/opensearch/securityanalytics/detector/*'
	- 'cluster:admin/opensearch/securityanalytics/findings/*'
	- 'cluster:admin/opensearch/securityanalytics/mapping/*'
	- 'cluster:admin/opensearch/securityanalytics/rule/*'
	index_permissions:
	- index_patterns:
	- '*'
	allowed_actions:
	- 'indices:admin/mapping/put'
	- 'indices:admin/mappings/get'

	# Allows users to view and acknowledge alerts
	security_analytics_ack_alerts:
	reserved: true
	cluster_permissions:
	- 'cluster:admin/opensearch/securityanalytics/alerts/*'
	config.yml: \|-
	_meta:
	type: "config"
	config_version: "2"
	config:
	dynamic:
	http:
	anonymous_auth_enabled: false
	authc:
	basic_internal_auth_domain:
	http_enabled: true
	transport_enabled: true
	order: "4"
	http_authenticator:
	type: basic
	challenge: true
	authentication_backend:
	type: intern