Skip to content

Added documentation for Experimental Security Configuration Versioning Management and APIs #10143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Added documentation for Experimental Security Configuration Versioning Management and APIs #10143

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5845849
Added documentation for Security Configuration Versioning and Rollbac…
Jun 23, 2025
98fbb83
Merge branch 'main' into versioning
divyanshi-0402 Jun 25, 2025
f71f6d2
Merge branch 'main' into versioning
Naarcha-AWS Jul 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions _security/configuration/versioning-for-security-configurations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
# Security Configuration Versioning and Rollback API

## Overview

OpenSearch now supports **versioning of security configurations** to improve traceability, auditability, and operational safety. Each update to critical security configurations is tracked as a new version, and users can view or roll back to any previous version via the dedicated APIs.

This documentation covers:
- How versioning works
- How to use the View API to inspect past versions
- How to use the Rollback API to restore configurations

---

## 1. Versioning Overview

### What is versioned?

Any supported security configuration update is captured as a new version. A version includes:
- Snapshot of the full security configuration at that time
- A unique version ID (e.g., `v1`, `v2`, ...)
- Timestamp of creation
- User who performed the update

### When is a new version created?

A new version is created **only when a change is detected** compared to the latest saved version. This prevents redundant versions and ensures meaningful version history.

---

## 2. View Version API

Purpose: View the complete history of security configuration changes, or any specific version of the security configurations.

### Endpoint:
- To view all the versions : GET /_plugins/_security/api/versions
- To view a specific version : GET /_plugins/_security/api/version/{versionId}

Access Control: Admin/Security Manager permissions required

## 3. Rollback Version API

Purpose : Allows rollback to immediate or any desired version of security

### Endpoint:
- To rollback to immediate previous version : POST /_plugins/_security/api/version/rollback
- To rollback to a specific version : POST /_plugins/_security/api/version/rollback/{versionID}

Access Control: Admin/Security Manager permissions required

## 4. Enabling the Feature

* To enable this feature, add the following setting to your `opensearch.yml` file:
```bash
plugins.security.configurations_versions.enabled: true
```
* Optional: Control how many versions are retained using:
```bash
plugins.security.config_version.retention_count: 10
```