diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md index 5a2d80c588..083a8d1776 100644 --- a/_install-and-configure/configuring-opensearch/security-settings.md +++ b/_install-and-configure/configuring-opensearch/security-settings.md @@ -22,9 +22,7 @@ The Security plugin supports the following common settings: - `plugins.security.authcz.admin_dn` (Static): Defines the DNs of certificates to which admin privileges should be assigned. Required. -- `plugins.security.roles_mapping_resolution` (Static): Defines how backend roles are mapped to Security roles. - - Valid values are: +- `plugins.security.roles_mapping_resolution` (Static): Defines how backend roles are mapped to Security roles. The following values are supported: - `MAPPING_ONLY`(Default): Mappings must be configured explicitly in `roles_mapping.yml`. - `BACKENDROLES_ONLY`: Backend roles are mapped to security roles directly. Settings in `roles_mapping.yml` have no effect. - `BOTH`: Backend roles are mapped to security roles both directly and through `roles_mapping.yml`. 
@@ -125,27 +123,19 @@ The Security plugin supports the following expert-level settings: If you change any of the following password hashing properties, you must rehash all internal passwords to ensure compatibility and security. {: .warning} -- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use. - - Valid values are: - +- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use. The following values are supported: - `BCrypt` (Default) - `PBKDF2` + - `Argon2` - `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are between `4` and `31`, inclusive. Default is `12`. -- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing. - - Valid values are: - +- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing. The following values are supported: - `A` - `B` - `Y` (Default) -- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password. - - Valid values are: - +- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password. The following values are supported: - `SHA1` - `SHA224` - `SHA256` (Default) 
@@ -156,6 +146,24 @@ If you change any of the following password hashing properties, you must rehash - `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`. +- `plugins.security.password.hashing.argon2.iterations`: Specifies the number of passes over memory that the algorithm performs. Increasing this value raises CPU computation time and improves resistance to brute-force attacks. Default: `3`. + +- `plugins.security.password.hashing.argon2.memory`: Specifies the amount of memory (in kibibytes) used during hashing. Default: `65536` (64 MiB). + +- `plugins.security.password.hashing.argon2.parallelism`: Specifies the number of parallel threads used for computation. Default: `1`. + +- `plugins.security.password.hashing.argon2.length`: Specifies the length (in bytes) of the resulting hash output. Default: `32`. + +- `plugins.security.password.hashing.argon2.type`: Specifies which variant of Argon2 to use. The following values are supported: + - `Argon2i` + - `Argon2d` + - `Argon2id` (default) + +- `plugins.security.password.hashing.argon2.version`: Specifies which version of Argon2 to use. The following values are supported: + - `16` + - `19` (default) + + ## Audit log settings
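Review bot: In the first hunk (`plugins.security.roles_mapping_resolution`), the rewritten line says "mapped to Security roles" while the unchanged sub-items under it say "mapped to security roles", and the first sub-item reads `MAPPING_ONLY`(Default) with no space before the parenthesis. Since this entry is being edited anyway, settle on one capitalization for the term and add the missing space so the list matches the `BCrypt` (Default) form used in the hashing section.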
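Review bot: In the second hunk, the rewritten `plugins.security.password.hashing.algorithm` line keeps the stray colon between the setting name and `(Static)`, which neighbouring entries such as `plugins.security.password.hashing.bcrypt.rounds` do not have; drop it while the line is being touched. The new `Argon2` value is added directly under the warning that changing any hashing property requires rehashing all internal passwords, so a short sentence after the value list pointing readers to the `argon2.*` settings that apply once this value is selected would make the entry easier to act on.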
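Review bot: In the third hunk, none of the six new `plugins.security.password.hashing.argon2.*` entries carries the `(Static)` label that every other setting in this section has, so a reader cannot tell whether they fall under the "must rehash all internal passwords" warning in the same way; add the label to each. The entries also diverge from the surrounding style: a colon follows the setting name, defaults are written "Default: `3`." where `bcrypt.rounds` uses "Default is `12`.", and the value lists use "(default)" in lowercase where the rest of the page uses "(Default)". For `argon2.iterations`, `argon2.memory`, `argon2.parallelism` and `argon2.length`, no valid range is given, unlike `bcrypt.rounds` ("between `4` and `31`, inclusive"); state the accepted bounds. `argon2.length` is documented in bytes with default `32`, while `pbkdf2.length` just above gives `256` with no unit, so spell out the unit on both to avoid a misconfigured output size. Finally, the hunk adds two blank lines before "## Audit log settings" where one is enough.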