From fd45c55808fba7c1d70236913b826d5d8c8bc95b Mon Sep 17 00:00:00 2001
From: Aiden Lindsay
Date: Mon, 30 Jun 2025 18:21:22 +0100
Subject: [PATCH 1/2] feat: added documentation for Argon2 hashing algorithm
Signed-off-by: Aiden Lindsay
---
.../security-settings.md | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md
index 5a2d80c588a..9ddac5711ed 100644
--- a/_install-and-configure/configuring-opensearch/security-settings.md
+++ b/_install-and-configure/configuring-opensearch/security-settings.md
@@ -131,6 +131,7 @@ If you change any of the following password hashing properties, you must rehash
- `BCrypt` (Default)
- `PBKDF2`
+ - `Argon2`
- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are between `4` and `31`, inclusive. Default is `12`.
@@ -156,6 +157,29 @@ If you change any of the following password hashing properties, you must rehash
- `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`.
+- `plugins.security.password.hashing.argon2.iterations` (Static): Specifies the number of passes over memory that the algorithm performs. Increasing this value raises CPU computation time, enhancing resistance to brute-force attacks. Default is `3`.
+
+- `plugins.security.password.hashing.argon2.memory` (Static): Specifies the amount of memory (in kibibytes) used during hashing. Default is `65536` (equivalent to 64 MiB).
+
+- `plugins.security.password.hashing.argon2.parallelism` (Static): Specifies the number of parallel threads used for computation. Default is `1`.
+
+- `plugins.security.password.hashing.argon2.length` (Static): Specifies the length (in bytes) of the resulting hash output. Default is `32`.
+
+- `plugins.security.password.hashing.argon2.type` (Static): Specifies which variant of Argon2 to use.
+
+ Valid values are:
+
+ - `Argon2i`
+ - `Argon2d`
+ - `Argon2id` (Default)
+
+- `plugins.security.password.hashing.argon2.version` (Static): Specifies which version of Argon2 to use.
+
+ Valid values are:
+
+ - `16`
+ - `19` (Default)
+
## Audit log settings
From 21154d4f30f629fdb1fc76a75dbb2a268b916244 Mon Sep 17 00:00:00 2001
From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Date: Tue, 8 Jul 2025 06:15:13 -0500
Subject: [PATCH 2/2] Add writer edits
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
---
.../security-settings.md | 42 ++++++-------------
1 file changed, 13 insertions(+), 29 deletions(-)
diff --git a/_install-and-configure/configuring-opensearch/security-settings.md b/_install-and-configure/configuring-opensearch/security-settings.md
index 9ddac5711ed..083a8d1776e 100644
--- a/_install-and-configure/configuring-opensearch/security-settings.md
+++ b/_install-and-configure/configuring-opensearch/security-settings.md
@@ -22,9 +22,7 @@ The Security plugin supports the following common settings:
- `plugins.security.authcz.admin_dn` (Static): Defines the DNs of certificates to which admin privileges should be assigned. Required.
-- `plugins.security.roles_mapping_resolution` (Static): Defines how backend roles are mapped to Security roles.
-
- Valid values are:
+- `plugins.security.roles_mapping_resolution` (Static): Defines how backend roles are mapped to Security roles. The following values are supported:
- `MAPPING_ONLY`(Default): Mappings must be configured explicitly in `roles_mapping.yml`.
- `BACKENDROLES_ONLY`: Backend roles are mapped to security roles directly. Settings in `roles_mapping.yml` have no effect.
- `BOTH`: Backend roles are mapped to security roles both directly and through `roles_mapping.yml`.
@@ -125,28 +123,19 @@ The Security plugin supports the following expert-level settings:
If you change any of the following password hashing properties, you must rehash all internal passwords to ensure compatibility and security.
{: .warning}
-- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use.
-
- Valid values are:
-
+- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use. The following values are supported:
- `BCrypt` (Default)
- `PBKDF2`
- `Argon2`
- `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are between `4` and `31`, inclusive. Default is `12`.
-- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing.
-
- Valid values are:
-
+- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing. The following values are supported:
- `A`
- `B`
- `Y` (Default)
-- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password.
-
- Valid values are:
-
+- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password. The following values are supported:
- `SHA1`
- `SHA224`
- `SHA256` (Default)
@@ -157,28 +146,23 @@ If you change any of the following password hashing properties, you must rehash
- `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`.
-- `plugins.security.password.hashing.argon2.iterations` (Static): Specifies the number of passes over memory that the algorithm performs. Increasing this value raises CPU computation time, enhancing resistance to brute-force attacks. Default is `3`.
+- `plugins.security.password.hashing.argon2.iterations`: Specifies the number of passes over memory that the algorithm performs. Increasing this value raises CPU computation time and improves resistance to brute-force attacks. Default: `3`.
-- `plugins.security.password.hashing.argon2.memory` (Static): Specifies the amount of memory (in kibibytes) used during hashing. Default is `65536` (equivalent to 64 MiB).
+- `plugins.security.password.hashing.argon2.memory`: Specifies the amount of memory (in kibibytes) used during hashing. Default: `65536` (64 MiB).
-- `plugins.security.password.hashing.argon2.parallelism` (Static): Specifies the number of parallel threads used for computation. Default is `1`.
+- `plugins.security.password.hashing.argon2.parallelism`: Specifies the number of parallel threads used for computation. Default: `1`.
-- `plugins.security.password.hashing.argon2.length` (Static): Specifies the length (in bytes) of the resulting hash output. Default is `32`.
-
-- `plugins.security.password.hashing.argon2.type` (Static): Specifies which variant of Argon2 to use.
-
- Valid values are:
+- `plugins.security.password.hashing.argon2.length`: Specifies the length (in bytes) of the resulting hash output. Default: `32`.
+- `plugins.security.password.hashing.argon2.type`: Specifies which variant of Argon2 to use. The following values are supported:
- `Argon2i`
- `Argon2d`
- - `Argon2id` (Default)
-
-- `plugins.security.password.hashing.argon2.version` (Static): Specifies which version of Argon2 to use.
-
- Valid values are:
+ - `Argon2id` (default)
+- `plugins.security.password.hashing.argon2.version`: Specifies which version of Argon2 to use. The following values are supported:
- `16`
- - `19` (Default)
+ - `19` (default)
+
## Audit log settings