opensearch-project
diff --git a/‎_api-reference/security-apis.md
Lines changed: 0 additions & 20 deletions b/‎_api-reference/security-apis.md
Lines changed: 0 additions & 20 deletions
diff --git a/‎_api-reference/security/authentication/auth-info.md
Lines changed: 134 additions & 0 deletions b/‎_api-reference/security/authentication/auth-info.md
Lines changed: 134 additions & 0 deletions
diff --git a/‎_api-reference/security/authentication/change-password.md
Lines changed: 92 additions & 0 deletions b/‎_api-reference/security/authentication/change-password.md
Lines changed: 92 additions & 0 deletions
diff --git a/‎_api-reference/security/authentication/index.md
Lines changed: 38 additions & 0 deletions b/‎_api-reference/security/authentication/index.md
Lines changed: 38 additions & 0 deletions
diff --git a/‎_api-reference/security/configuration/index.md
Lines changed: 56 additions & 0 deletions b/‎_api-reference/security/configuration/index.md
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,134 @@
+---
+layout: default
+title: Authentication Information API
+grand_parent: Security APIs
+parent: Authentication APIs
+nav_order: 10
+---
+
+# Authentication Information API
+**Introduced 1.0**
+{: .label .label-purple }
+
+The Authentication Information API returns information about the currently authenticated user. This includes the user's name, roles, backend roles, custom attributes, and tenant memberships. This API is useful for debugging authentication issues, verifying user permissions, and building applications that need to understand the current user's access levels.
+
+<!-- spec_insert_start
+api: security.authinfo
+component: endpoints
+-->
+## Endpoints
+```json
+GET  /_plugins/_security/authinfo
+POST /_plugins/_security/authinfo
+```
+<!-- spec_insert_end -->
+
+<!-- spec_insert_start
+api: security.authinfo
+component: query_parameters
+-->
+## Query parameters
+
+The following table lists the available query parameters. All query parameters are optional.
+
+| Parameter | Data type | Description |
+| :--- | :--- | :--- |
+| `auth_type` | String | The type of the current authentication request. |
+| `verbose` | Boolean | Whether to return a verbose response. |
+
+<!-- spec_insert_end -->
+
+## Example request
+
+The following example request retrieves authentication information for the currently authenticated user:
+
+```bash
+GET /_plugins/_security/authinfo
+```
+{% include copy-curl.html %}
+
+To get verbose information:
+
+```bash
+GET /_plugins/_security/authinfo?verbose=true
+```
+{% include copy-curl.html %}
+
+## Example response
+
+```json
+{
+  "user": "User [name=admin, backend_roles=[admin], requestedTenant=null]",
+  "user_name": "admin",
+  "backend_roles": [
+    "admin"
+  ],
+  "roles": [
+    "all_access",
+    "security_rest_api_access"
+  ],
+  "tenants": {
+    "admin": true,
+    "global_tenant": true
+  },
+  "principal": null,
+  "peer_certificates": "0",
+  "sso_logout_url": null,
+  "remote_address": "127.0.0.1:54013"
+}
+```
+
+For a verbose response, additional fields are included:
+
+```json
+{
+  "user": "User [name=admin, backend_roles=[admin], requestedTenant=null]",
+  "user_name": "admin",
+  "backend_roles": [
+    "admin"
+  ],
+  "custom_attribute_names": [],
+  "roles": [
+    "all_access",
+    "security_rest_api_access"
+  ],
+  "tenants": {
+    "admin": true,
+    "global_tenant": true
+  },
+  "principal": null,
+  "peer_certificates": "0",
+  "sso_logout_url": null,
+  "remote_address": "127.0.0.1:54013",
+  "size_of_user": "115",
+  "size_of_backendroles": "28",
+  "size_of_custom_attributes": "2",
+  "user_requested_tenant": null
+}
+```
+
+## Response body fields
+
+The response body is a JSON object with the following fields.
+
+| Property | Data type | Description |
+| :--- | :--- | :--- |
+| `user` | String | A string representation of the user object, including the username and backend roles. |
+| `user_name` | String | The username of the authenticated user. |
+| `backend_roles` | Array of strings | The backend roles associated with the user, typically obtained from an external authentication system. |
+| `roles` | Array of strings | The OpenSearch Security roles assigned to the user, determining their permissions. |
+| `tenants` | Object | The tenants the user has access to, with `true` indicating read-write access and `false` indicating read-only access. |
+| `principal` |  String | The user's authentication principal, if available. |
+| `peer_certificates` | String | The number of peer certificates related to the user's authentication. |
+| `sso_logout_url` | String | The logout URL for single sign-on (SSO) authentication, if applicable. |
+| `remote_address` | String | The IP address and port of the client making the request. |
+
+When requesting a verbose response, the following additional fields are included.
+
+| Property | Data type | Description |
+| :--- | :--- | :--- |
+| `custom_attribute_names` | Array of strings | The names of any custom attributes associated with the user. |
+| `size_of_user` | String | The size of the user object in memory, in bytes. |
+| `size_of_backendroles` | String | The size of the user's backend roles, in bytes. |
+| `size_of_custom_attributes` | String | The size of the user's custom attributes, in bytes. |
+| `user_requested_tenant` |  String | The name of the tenant the user has requested to switch to, if any. |
@@ -0,0 +1,92 @@
+---
+layout: default
+title: Change Password API
+grand_parent: Security APIs
+parent: Authentication APIs
+nav_order: 30
+---
+
+# Change Password API
+**Introduced 1.0**
+{: .label .label-purple }
+
+The Change Password API allows users to update their own passwords. Users must provide their current password for verification before the password change is allowed.
+
+<!-- spec_insert_start
+api: security.change_password
+component: endpoints
+-->
+## Endpoints
+```json
+PUT /_plugins/_security/api/account
+```
+<!-- spec_insert_end -->
+
+<!-- spec_insert_start
+api: security.change_password
+component: query_parameters
+-->
+
+<!-- spec_insert_start
+api: security.change_password
+component: request_body_parameters
+-->
+## Request body fields
+
+The request body is __required__. It is a JSON object with the following fields.
+
+| Property | Required | Data type | Description |
+| :--- | :--- | :--- | :--- |
+| `current_password` | **Required** | String | The current password. |
+| `password` | **Required** | String | The new password to set. |
+
+## Example request
+
+```json
+PUT /_plugins/_security/api/account
+{
+  "current_password": "old-secure-password",
+  "password": "new-secure-password"
+}
+```
+{% include copy-curl.html %}
+
+## Example response
+
+A successful response indicates that the password has been changed:
+
+```json
+{
+  "status": "OK",
+  "message": "Password changed"
+}
+```
+
+If the current password is incorrect, the API returns an error:
+
+```json
+{
+  "status": "UNAUTHORIZED",
+  "message": "Invalid credentials"
+}
+```
+
+## Response body fields
+
+The response body is a JSON object with the following fields.
+
+| Property | Data type | Description |
+| :--- | :--- | :--- |
+| `status` | String | The status of the request. A successful request returns "OK". |
+| `message` | String | A message describing the result of the operation. |
+
+## Password best practices
+
+Proper password management is essential for securing your OpenSearch cluster. When using this API to change a password, keep the following guidelines in mind:
+
+- You can only use this API to change the password of the currently authenticated user.
+- Make sure the new password meets any configured password policies.
+- Existing authentication tokens remain valid until they expire, even after the password changes.
+- Use strong passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.
+
+To enhance security, use a password manager to generate and store complex passwords. Incorporate regular password rotation into your organization's security policy to help protect against unauthorized access.
@@ -0,0 +1,38 @@
+---
+layout: default
+title: Authentication APIs
+parent: Security APIs
+has_children: true
+nav_order: 10
+---
+
+# Authentication APIs
+
+Authentication is a fundamental aspect of security in OpenSearch, verifying the identity of users and services before granting access to protected resources. The Security plugin provides several APIs you can use to manage authentication, obtain user information, and handle credentials.
+
+## Available APIs
+
+The Authentication APIs include the following operations:
+
+- [Authentication Information API]({{site.url}}{{site.baseurl}}/api-reference/security/authentication/auth-info/): Returns information about the currently authenticated user, including roles, backend roles, and tenant memberships. Useful for debugging authentication issues, verifying permissions, and retrieving user context for applications.
+
+- [Change Password API]({{site.url}}{{site.baseurl}}/api-reference/security/authentication/change-password/): Lets users update their own passwords securely. Requires verification of the current password and does not require administrator involvement.
+
+## Authentication workflows
+
+These APIs support the following common authentication workflows:
+
+- **User verification**: Confirm a user's identity and permissions before executing sensitive operations.
+- **Self-service password management**: Allow users to change their passwords independently.
+- **Multi-tenant access**: Determine a user's accessible tenants and associated permissions.
+
+## Authentication methods
+
+The Security plugin supports [multiple authentication methods]({{site.url}}{{site.baseurl}}/security/authentication-backends/authc-index/), including:
+
+- Basic authentication (username and password).
+- Token-based authentication.
+- Certificate-based authentication.
+- Single sign-on (SSO) methods, such as SAML and OpenID Connect.
+
+The APIs in this section are compatible with all supported authentication methods and offer a consistent interface for managing authentication in OpenSearch.
@@ -0,0 +1,56 @@
+---
+layout: default
+title: Configuration APIs
+parent: Security APIs
+has_children: true
+nav_order: 20
+---
+
+# Configuration APIs
+**Introduced 1.0**
+{: .label .label-purple }
+
+The Configuration APIs provide programmatic access for managing, validating, and upgrading Security plugin configuration components. These APIs help ensure that your security settings remain compatible and effective as your OpenSearch cluster evolves.
+
+Security configurations may require updates in the following scenarios:
+
+- Upgrading to a new version of OpenSearch or the Security plugin
+- Enabling new features that require updated settings
+- Migrating configurations between environments
+- Troubleshooting security issues
+
+## When to use
+
+Use the Configuration APIs to perform the following actions:
+
+- Identify outdated or incompatible configuration components.
+- Perform automatic upgrades to maintain compatibility.
+- Validate the structure and integrity of your security configuration.
+- Manage versioning of security settings.
+
+## Available APIs
+
+- [Upgrade Check API]({{site.url}}{{site.baseurl}}/api-reference/security/configuration/upgrade-check/): Checks your current configuration for compatibility with your OpenSearch version and identifies components that need to be upgraded.
+
+- [Upgrade Perform API]({{site.url}}{{site.baseurl}}/api-reference/security/configuration/upgrade-perform/): Applies updates to the security configuration, based on the results of the Upgrade Check API.
+
+## Configuration components
+
+These APIs manage the following configuration components:
+
+- **Roles**: Permissions for actions users can perform
+- **Role mappings**: Mappings for users or backend roles with specific roles
+- **Action groups**: Collections of permissions used to simplify role definitions
+- **Internal users**: User credentials stored directly in OpenSearch
+- **Tenants**: Isolated workspaces that support multi-tenancy
+- **Security configuration**: Global security settings
+
+## Best practices
+
+When using the Configuration APIs, remember the following best practices:
+
+- Always back up your security configuration before making changes.
+- Run the Upgrade Check API before using the Upgrade Perform API.
+- Test changes in a non-production environment before deploying to production.
+- Integrate these APIs into your regular upgrade and maintenance workflows.
+- Validate functionality after applying configuration changes.