opensearch-project · willyborankin · Jan 29, 2025 · cwperks · Jan 31, 2025 · willyborankin
@@ -18,7 +18,7 @@ plugins.security.nodes_dn:
 
 # The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to
 # manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
-# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs
+# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_security/api/nodesdn APIs
 # which provide means to update/retrieve nodesdn dynamically.
 #
 # NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored

@@ -53,7 +53,7 @@ public class TlsTests {
 
     public static final String SUPPORTED_CIPHER_SUIT = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
     public static final String NOT_SUPPORTED_CIPHER_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA";
-    public static final String AUTH_INFO_ENDPOINT = "/_opendistro/_security/authinfo?pretty";
+    public static final String AUTH_INFO_ENDPOINT = "/_plugins/_security/authinfo?pretty";
 
     @ClassRule
     public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)

@@ -55,7 +55,6 @@
 import static org.hamcrest.Matchers.equalToIgnoringCase;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.opensearch.security.CrossClusterSearchTests.PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED;
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
@@ -270,7 +269,7 @@ protected void withUser(
     }
 
     protected String apiPathPrefix() {
-        return randomFrom(List.of(LEGACY_OPENDISTRO_PREFIX, PLUGINS_PREFIX));
+        return PLUGINS_PREFIX;
     }
 
     protected String securityPath(String... path) {

@@ -11,16 +11,13 @@
 
 package org.opensearch.security.api;
 
-import java.util.List;
-
 import org.junit.Test;
 
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_MESSAGE;
 import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_REGEX;
@@ -36,7 +33,7 @@ public class DashboardsInfoTest extends AbstractApiIntegrationTest {
     }
 
     private String apiPath() {
-        return randomFrom(List.of(PLUGINS_PREFIX + "/dashboardsinfo", LEGACY_OPENDISTRO_PREFIX + "/kibanainfo"));
+        return PLUGINS_PREFIX + "/dashboardsinfo";
     }
 
     @Test

@@ -11,7 +11,6 @@
 
 package org.opensearch.security.api;
 
-import java.util.List;
 import java.util.Map;
 
 import org.junit.Test;
@@ -22,7 +21,6 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
 public class DashboardsInfoWithSettingsTest extends AbstractApiIntegrationTest {
@@ -49,7 +47,7 @@ protected Map<String, Object> getClusterSettings() {
     }
 
     private String apiPath() {
-        return randomFrom(List.of(PLUGINS_PREFIX + "/dashboardsinfo", LEGACY_OPENDISTRO_PREFIX + "/kibanainfo"));
+        return PLUGINS_PREFIX + "/dashboardsinfo";
     }
 
     @Test

@@ -30,7 +30,7 @@
 */
 abstract class CommonProxyAuthenticationTests {
 
-    protected static final String RESOURCE_AUTH_INFO = "_opendistro/_security/authinfo";
+    protected static final String RESOURCE_AUTH_INFO = "_plugins/_security/authinfo";
     protected static final TestSecurityConfig.User USER_ADMIN = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
 
     protected static final String ATTRIBUTE_DEPARTMENT = "department";

@@ -112,7 +112,7 @@ public void shouldAuthenticateWithJwtTokenInUrl_positive() {
             Map<String, String> expectedParams = Map.of("token", "REDACTED", "verbose", "true");
 
             auditLogsRule.assertExactlyOne(
-                userAuthenticated(ADMIN_USER).withRestRequest(GET, "/_opendistro/_security/authinfo").withRestParams(expectedParams)
+                userAuthenticated(ADMIN_USER).withRestRequest(GET, "/_plugins/_security/authinfo").withRestParams(expectedParams)
             );
         }
     }

@@ -117,7 +117,7 @@ public HttpResponse getWithoutLeadingSlash(String path, Header... headers) {
     }
 
     public HttpResponse getAuthInfo(Header... headers) {
-        return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo?pretty"), headers);
+        return executeRequest(new HttpGet(getHttpServerUri() + "/_plugins/_security/authinfo?pretty"), headers);
     }
 
     public HttpResponse securityHealth(Header... headers) {
@@ -127,7 +127,7 @@ public HttpResponse securityHealth(Header... headers) {
     public HttpResponse getAuthInfo(Map<String, String> urlParams, Header... headers) {
         String urlParamsString = "?"
             + urlParams.entrySet().stream().map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
-        return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo" + urlParamsString), headers);
+        return executeRequest(new HttpGet(getHttpServerUri() + "/_plugins/_security/authinfo" + urlParamsString), headers);
     }
 
     public void confirmCorrectCredentials(String expectedUserName) {

@@ -139,7 +139,7 @@ private AuthTokenProcessorAction.Response handleImpl(
         String acsEndpoint,
         Saml2Settings saml2Settings,
         String requestPath // the parameter will be removed in the future as soon as we will read of legacy paths aka
-                           // /_opendistro/_security/...
+                           // /_security/...
     ) {
         if (token_log.isDebugEnabled()) {
             try {

@@ -73,7 +73,6 @@
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
 public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
@@ -85,7 +84,7 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
 
     public static final String API_AUTHTOKEN_SUFFIX = "api/authtoken";
     private static final String AUTHINFO_SUFFIX = "authinfo";
-    private static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)";
+    private static final String REGEX_PATH_PREFIX = "/(" + PLUGINS_PREFIX + ")/" + "(.*)";
     private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
 
     private static boolean openSamlInitialized = false;

@@ -221,9 +221,9 @@
     private String buildAssertionConsumerEndpoint(String dashboardsRoot) {
 
         if (dashboardsRoot.endsWith("/")) {
-            return dashboardsRoot + "_opendistro/_security/saml/acs";
+            return dashboardsRoot + "_plugins/_security/saml/acs";
         } else {
-            return dashboardsRoot + "/_opendistro/_security/saml/acs";
+            return dashboardsRoot + "_plugins/_security/saml/acs";
         }
     }
 

@@ -246,7 +246,6 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private static final Logger actionTrace = LogManager.getLogger("opendistro_security_action_trace");
     private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(OpenSearchSecurityPlugin.class);
 
-    public static final String LEGACY_OPENDISTRO_PREFIX = "_opendistro/_security";
     public static final String PLUGINS_PREFIX = "_plugins/_security";
 
     private boolean sslCertReloadEnabled;

@@ -56,7 +56,6 @@
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
 public final class AuditMessage {
@@ -68,9 +67,7 @@ public final class AuditMessage {
     private static final String SENSITIVE_KEY = "password";
     private static final String SENSITIVE_REPLACEMENT_VALUE = "__SENSITIVE__";
 
-    private static final Pattern SENSITIVE_PATHS = Pattern.compile(
-        "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/api/(account.*|internalusers.*|user.*)"
-    );
+    private static final Pattern SENSITIVE_PATHS = Pattern.compile("/(" + PLUGINS_PREFIX + ")/api/(account.*|internalusers.*|user.*)");
 
     @VisibleForTesting
     public static final String BCRYPT_REGEX = "\\$2[ayb]\\$.{56}";

@@ -47,7 +47,7 @@
 
 /**
  * Rest API action to fetch or update account details of the signed-in user.
- * Currently this action serves GET and PUT request for /_opendistro/_security/api/account endpoint
+ * Currently this action serves GET and PUT request for /_security/api/account endpoint
  */
 public class AccountApiAction extends AbstractApiAction {
 

@@ -46,7 +46,7 @@
 /**
  * Rest handler for fetching and updating audit configuration.
  * Supported REST endpoints
- * GET _opendistro/_security/api/audit/
+ * GET _security/api/audit/
  * {
  *   "config" : {
  *     "audit" : {
@@ -83,7 +83,7 @@
  *   }
  * }
  *
- * PUT _opendistro/_security/api/audit/config
+ * PUT _security/api/audit/config
  * {
  *   "audit":{
  *     "enable_rest":true,
@@ -116,7 +116,7 @@
  *   }
  * }
  *
- * PATCH _opendistro/_security/api/audit
+ * PATCH _security/api/audit
  * [{"op": "replace", "path": "/config/audit/enable_rest", "value": "true"}]
  * [{"op": "replace", "path": "/config/compliance/internal_config", "value": "true"}]
  */

@@ -36,23 +36,23 @@
  * SuperAdmin certificate for the default superuser is stored as a kirk.pem file in config folder of OpenSearch
  * <p>
  * Example calling the PUT API as SuperAdmin using curl (if http basic auth is on):
- * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’
+ * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_security/api/whitelist -H "Content-Type: application/json" -d’
  * {
  *      "enabled" : false,
- *      "requests" : {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]}
+ *      "requests" : {"/_cat/nodes": ["GET"], "/_security/api/whitelist": ["GET"]}
  * }
  *
  * Example using the PATCH API to change the requests as SuperAdmin:
- * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’
+ * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_security/api/whitelist -H "Content-Type: application/json" -d’
  * {
  *      "op":"replace",
  *      "path":"/config/requests",
- *      "value": {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]}
+ *      "value": {"/_cat/nodes": ["GET"], "/_security/api/whitelist": ["GET"]}
  * }
  *
  * To update enabled, use the "add" operation instead of the "replace" operation, since boolean variables are not recognized as valid paths when they are false.
  * eg:
- * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’
+ * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_security/api/whitelist -H "Content-Type: application/json" -d’
  * {
  *      "op":"add",
  *      "path":"/config/enabled",

@@ -51,19 +51,14 @@
 import org.opensearch.security.user.User;
 
 import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION;
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
 public class Utils {
 
     public final static String PLUGIN_ROUTE_PREFIX = "/" + PLUGINS_PREFIX;
 
-    public final static String LEGACY_PLUGIN_ROUTE_PREFIX = "/" + LEGACY_OPENDISTRO_PREFIX;
-
     public final static String PLUGIN_API_ROUTE_PREFIX = PLUGIN_ROUTE_PREFIX + "/api";
 
-    public final static String LEGACY_PLUGIN_API_ROUTE_PREFIX = LEGACY_PLUGIN_ROUTE_PREFIX + "/api";
-
     private static final ObjectMapper internalMapper = new ObjectMapper();
 
     public static Map<String, Object> convertJsonToxToStructuredMap(ToXContent jsonContent) {
@@ -204,7 +199,7 @@ public static Set<String> generateFieldResourcePaths(final Set<String> fields, f
      *Total number of routes is expanded as twice as the number of routes passed in
      */
     public static List<Route> addRoutesPrefix(List<Route> routes) {
-        return addRoutesPrefix(routes, LEGACY_PLUGIN_API_ROUTE_PREFIX, PLUGIN_API_ROUTE_PREFIX);
+        return addRoutesPrefix(routes, PLUGIN_API_ROUTE_PREFIX);
     }
 
     /**
@@ -235,7 +230,7 @@ public static List<Route> addRoutesPrefix(List<Route> routes, final String... pr
      *Total number of routes is expanded as twice as the number of routes passed in
      */
     public static List<DeprecatedRoute> addDeprecatedRoutesPrefix(List<DeprecatedRoute> deprecatedRoutes) {
-        return addDeprecatedRoutesPrefix(deprecatedRoutes, LEGACY_PLUGIN_API_ROUTE_PREFIX, PLUGIN_API_ROUTE_PREFIX);
+        return addDeprecatedRoutesPrefix(deprecatedRoutes, PLUGIN_API_ROUTE_PREFIX);
     }
 
     /**

@@ -70,7 +70,6 @@
 
 import org.greenrobot.eventbus.Subscribe;
 
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
 public class SecurityRestFilter {
@@ -91,7 +90,7 @@ public class SecurityRestFilter {
     public static final String HEALTH_SUFFIX = "health";
     public static final String WHO_AM_I_SUFFIX = "whoami";
 
-    public static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)";
+    public static final String REGEX_PATH_PREFIX = "/(" + PLUGINS_PREFIX + ")/" + "(.*)";
     public static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
 
     public SecurityRestFilter(
@@ -202,7 +201,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
      * If allowlisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are allowlisted in {@link #requests}
      * For example: if allowlisting is enabled and requests = ["/_cat/nodes"], then SuperAdmin can access all APIs, but non SuperAdmin
      * can only access "/_cat/nodes"
-     * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_opendistro/_security/api/whitelist is only accessible by SuperAdmin.
+     * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_security/api/whitelist is only accessible by SuperAdmin.
      * See {@link AllowlistApiAction} for the implementation of this API.
      * SuperAdmin is identified by credentials, which can be passed in the curl request.
      */

@@ -46,14 +46,13 @@
 import io.jsonwebtoken.JwtParserBuilder;
 import io.jsonwebtoken.security.WeakKeyException;
 
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.util.AuthTokenUtils.isAccessToRestrictedEndpoints;
 
 public class OnBehalfOfAuthenticator implements HTTPAuthenticator {
 
     private static final int MINIMUM_SIGNING_KEY_BIT_LENGTH = 512;
-    private static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)";
+    private static final String REGEX_PATH_PREFIX = "/(" + PLUGINS_PREFIX + ")/" + "(.*)";
     private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
 
     protected final Logger log = LogManager.getLogger(this.getClass());

@@ -50,7 +50,6 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
-import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
@@ -60,9 +59,6 @@ public class DashboardsInfoAction extends BaseRestHandler {
         .addAll(
             addRoutesPrefix(ImmutableList.of(new Route(GET, "/dashboardsinfo"), new Route(POST, "/dashboardsinfo")), PLUGIN_ROUTE_PREFIX)
         )
-        .addAll(
-            addRoutesPrefix(ImmutableList.of(new Route(GET, "/kibanainfo"), new Route(POST, "/kibanainfo")), LEGACY_PLUGIN_ROUTE_PREFIX)
-        )
         .build();
 
     private final Logger log = LogManager.getLogger(this.getClass());

@@ -44,14 +44,12 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
-import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class SecurityHealthAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/health"), new Route(POST, "/health")),
-        LEGACY_PLUGIN_ROUTE_PREFIX,
         PLUGIN_ROUTE_PREFIX
     );
 

@@ -57,14 +57,12 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
-import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class SecurityInfoAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/authinfo"), new Route(POST, "/authinfo")),
-        LEGACY_PLUGIN_ROUTE_PREFIX,
         PLUGIN_ROUTE_PREFIX
     );
 

@@ -61,14 +61,12 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
-import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class TenantInfoAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/tenantinfo"), new Route(POST, "/tenantinfo")),
-        LEGACY_PLUGIN_ROUTE_PREFIX,
         PLUGIN_ROUTE_PREFIX
     );