opensearch-project · natebower · Jul 8, 2025 · Jun 30, 2025 · Jul 2, 2025 · Jul 8, 2025
@@ -22,9 +22,7 @@ The Security plugin supports the following common settings:
 
 - `plugins.security.authcz.admin_dn` (Static): Defines the DNs of certificates to which admin privileges should be assigned. Required.
 
-- `plugins.security.roles_mapping_resolution` (Static): Defines how backend roles are mapped to Security roles.
-
-    Valid values are:
+- `plugins.security.roles_mapping_resolution` (Static): Defines how backend roles are mapped to Security roles. The following values are supported:
     - `MAPPING_ONLY`(Default): Mappings must be configured explicitly in `roles_mapping.yml`.
     - `BACKENDROLES_ONLY`: Backend roles are mapped to security roles directly. Settings in `roles_mapping.yml` have no effect.
     - `BOTH`: Backend roles are mapped to security roles both directly and through `roles_mapping.yml`.
@@ -125,27 +123,19 @@ The Security plugin supports the following expert-level settings:
 If you change any of the following password hashing properties, you must rehash all internal passwords to ensure compatibility and security.
 {: .warning}
 
-- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use.
-
-  Valid values are:
-
+- `plugins.security.password.hashing.algorithm`: (Static): Specifies the password hashing algorithm to use. The following values are supported:  
   - `BCrypt` (Default)
   - `PBKDF2` 
+  - `Argon2`
 
 - `plugins.security.password.hashing.bcrypt.rounds` (Static): Specifies the number of rounds to use for password hashing with `BCrypt`. Valid values are between `4` and `31`, inclusive. Default is `12`.
 
-- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing.
-
-  Valid values are:
-
+- `plugins.security.password.hashing.bcrypt.minor` (Static): Specifies the minor version of the `BCrypt` algorithm to use for password hashing. The following values are supported:
   - `A`
   - `B`
   - `Y` (Default)
 
-- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password.
-
-  Valid values are:
-
+- `plugins.security.password.hashing.pbkdf2.function` (Static): Specifies the pseudo-random function applied to the password. The following values are supported:
   - `SHA1`
   - `SHA224`
   - `SHA256` (Default)
@@ -156,6 +146,24 @@ If you change any of the following password hashing properties, you must rehash
 
 - `plugins.security.password.hashing.pbkdf2.length` (Static): Specifies the desired length of the final derived key. Default is `256`.
 
+- `plugins.security.password.hashing.argon2.iterations`: Specifies the number of passes over memory that the algorithm performs. Increasing this value raises CPU computation time and improves resistance to brute-force attacks. Default: `3`.
+
+- `plugins.security.password.hashing.argon2.memory`: Specifies the amount of memory (in kibibytes) used during hashing. Default: `65536` (64 MiB).
+
+- `plugins.security.password.hashing.argon2.parallelism`: Specifies the number of parallel threads used for computation. Default: `1`.
+
+- `plugins.security.password.hashing.argon2.length`: Specifies the length (in bytes) of the resulting hash output. Default: `32`.
+
+- `plugins.security.password.hashing.argon2.type`: Specifies which variant of Argon2 to use. The following values are supported:
+  - `Argon2i`
+  - `Argon2d`
+  - `Argon2id` (default)
+
+- `plugins.security.password.hashing.argon2.version`: Specifies which version of Argon2 to use. The following values are supported:
+  - `16`
+  - `19` (default)
+
+
 
 ## Audit log settings