OpenSearch/x-pack/docs/en/security/index.asciidoc

[role="xpack"]
[[elasticsearch-security]]
= Securing the {stack}

[partintro]
--
The {stack-security-features} enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security
measures such as encrypting communications, role-based access control,
IP filtering, and auditing. This guide describes how to configure the security
features you need, and interact with your secured cluster.

Security protects Elasticsearch clusters by:

* <<preventing-unauthorized-access, Preventing unauthorized access>>
  with password protection, role-based access control, and IP filtering.
* <<preserving-data-integrity, Preserving the integrity of your data>>
  with message authentication and SSL/TLS encryption.
* <<maintaining-audit-trail, Maintaining an audit trail>>
  so you know who's doing what to your cluster and the data it stores.

[float]
[[preventing-unauthorized-access]]
=== Preventing unauthorized access

To prevent unauthorized access to your Elasticsearch cluster, you must have a
way to _authenticate_ users. This simply means that you need a way to validate
that a user is who they claim to be. For example, you have to make sure only
the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The
{es-security-features} provide a standalone authentication mechanism that enables
you to quickly password-protect your cluster. If you're already using
<<ldap-realm, LDAP>>, <<active-directory-realm, Active Directory>>, or
<<pki-realm, PKI>> to manage users in your organization, the {security-features}
are able to integrate with those systems to perform user authentication.

In many cases, simply authenticating users isn't enough. You also need a way to
control what data users have access to and what tasks they can perform. The
{es-security-features} enable you to _authorize_ users by assigning access
_privileges_ to _roles_ and assigning those roles to users. For example, this
<<authorization,role-based access control>> mechanism (a.k.a RBAC) enables
you to specify that the user `kandorra` can only perform read operations on the
`events` index and can't do anything at all with other indices.

The {security-features} also support <<ip-filtering, IP-based authorization>>.
You can whitelist and blacklist specific IP addresses or subnets to control
network-level access to a server.

[float]
[[preserving-data-integrity]]
=== Preserving data integrity

A critical part of security is keeping confidential data confidential.
Elasticsearch has built-in protections against accidental data loss and
corruption. However, there's nothing to stop deliberate tampering or data
interception. The {stack-security-features} preserve the integrity of your
data by <<ssl-tls, encrypting communications>> to and from nodes. For even
greater protection, you can increase the <<ciphers, encryption strength>> and
<<separating-node-client-traffic, separate client traffic from node-to-node communications>>.


[float]
[[maintaining-audit-trail]]
=== Maintaining an audit trail

Keeping a system secure takes vigilance. By using {stack-security-features} to
maintain an audit trail, you can easily see who is accessing your cluster and
what they're doing. By analyzing access patterns and failed attempts to access
your cluster, you can gain insights into attempted attacks and data breaches.
Keeping an auditable log of the activity in your cluster can also help diagnose
operational issues.

[float]
=== Where to Go Next

* <<security-getting-started, Getting Started>>
  steps through how to install and start using Security for basic authentication.

* <<how-security-works, How Security Works>>
  provides more information about how Security supports user authentication,
  authorization, and encryption.

* <<ccs-clients-integrations>>
  shows you how to interact with an Elasticsearch cluster protected by the
  {stack-security-features}.

[float]
=== Have Comments, Questions, or Feedback?

Head over to our {security-forum}[Security Discussion Forum]
to share your experience, questions, and suggestions.
--

include::how-security-works.asciidoc[]

include::authentication/index.asciidoc[]

include::authorization/index.asciidoc[]

include::{xes-repo-dir}/security/auditing/index.asciidoc[]

include::{xes-repo-dir}/security/securing-communications.asciidoc[]

include::{xes-repo-dir}/security/using-ip-filtering.asciidoc[]

include::{xes-repo-dir}/security/ccs-clients-integrations.asciidoc[]

include::get-started-security.asciidoc[]

include::securing-communications/tutorial-tls-intro.asciidoc[]

include::troubleshooting.asciidoc[]

include::limitations.asciidoc[]
[7.x][DOCS] Copies security source files from stack-docs (#47534) 2019-10-04 11:19:10 -04:00			`[role="xpack"]`
			`[[elasticsearch-security]]`
			`= Securing the {stack}`

			`[partintro]`
			`--`
			`The {stack-security-features} enable you to easily secure a cluster. You can`
			`password-protect your data as well as implement more advanced security`
			`measures such as encrypting communications, role-based access control,`
			`IP filtering, and auditing. This guide describes how to configure the security`
			`features you need, and interact with your secured cluster.`

			`Security protects Elasticsearch clusters by:`

			`* <<preventing-unauthorized-access, Preventing unauthorized access>>`
			`with password protection, role-based access control, and IP filtering.`
			`* <<preserving-data-integrity, Preserving the integrity of your data>>`
			`with message authentication and SSL/TLS encryption.`
			`* <<maintaining-audit-trail, Maintaining an audit trail>>`
			`so you know who's doing what to your cluster and the data it stores.`

			`[float]`
			`[[preventing-unauthorized-access]]`
			`=== Preventing unauthorized access`

			`To prevent unauthorized access to your Elasticsearch cluster, you must have a`
			`way to _authenticate_ users. This simply means that you need a way to validate`
			`that a user is who they claim to be. For example, you have to make sure only`
			the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The
			`{es-security-features} provide a standalone authentication mechanism that enables`
			`you to quickly password-protect your cluster. If you're already using`
			`<<ldap-realm, LDAP>>, <<active-directory-realm, Active Directory>>, or`
			`<<pki-realm, PKI>> to manage users in your organization, the {security-features}`
			`are able to integrate with those systems to perform user authentication.`

			`In many cases, simply authenticating users isn't enough. You also need a way to`
			`control what data users have access to and what tasks they can perform. The`
			`{es-security-features} enable you to _authorize_ users by assigning access`
			`_privileges_ to _roles_ and assigning those roles to users. For example, this`
			`<<authorization,role-based access control>> mechanism (a.k.a RBAC) enables`
			you to specify that the user `kandorra` can only perform read operations on the
			`events` index and can't do anything at all with other indices.

			`The {security-features} also support <<ip-filtering, IP-based authorization>>.`
			`You can whitelist and blacklist specific IP addresses or subnets to control`
			`network-level access to a server.`

			`[float]`
			`[[preserving-data-integrity]]`
			`=== Preserving data integrity`

			`A critical part of security is keeping confidential data confidential.`
			`Elasticsearch has built-in protections against accidental data loss and`
			`corruption. However, there's nothing to stop deliberate tampering or data`
			`interception. The {stack-security-features} preserve the integrity of your`
			`data by <<ssl-tls, encrypting communications>> to and from nodes. For even`
			`greater protection, you can increase the <<ciphers, encryption strength>> and`
			`<<separating-node-client-traffic, separate client traffic from node-to-node communications>>.`


			`[float]`
			`[[maintaining-audit-trail]]`
			`=== Maintaining an audit trail`

			`Keeping a system secure takes vigilance. By using {stack-security-features} to`
			`maintain an audit trail, you can easily see who is accessing your cluster and`
			`what they're doing. By analyzing access patterns and failed attempts to access`
			`your cluster, you can gain insights into attempted attacks and data breaches.`
			`Keeping an auditable log of the activity in your cluster can also help diagnose`
			`operational issues.`

			`[float]`
			`=== Where to Go Next`

			`* <<security-getting-started, Getting Started>>`
			`steps through how to install and start using Security for basic authentication.`

			`* <<how-security-works, How Security Works>>`
			`provides more information about how Security supports user authentication,`
			`authorization, and encryption.`

			`* <<ccs-clients-integrations>>`
			`shows you how to interact with an Elasticsearch cluster protected by the`
			`{stack-security-features}.`

			`[float]`
			`=== Have Comments, Questions, or Feedback?`

			`Head over to our {security-forum}[Security Discussion Forum]`
			`to share your experience, questions, and suggestions.`
			`--`

			`include::how-security-works.asciidoc[]`

			`include::authentication/index.asciidoc[]`

			`include::authorization/index.asciidoc[]`

			`include::{xes-repo-dir}/security/auditing/index.asciidoc[]`

			`include::{xes-repo-dir}/security/securing-communications.asciidoc[]`

			`include::{xes-repo-dir}/security/using-ip-filtering.asciidoc[]`

			`include::{xes-repo-dir}/security/ccs-clients-integrations.asciidoc[]`

			`include::get-started-security.asciidoc[]`

			`include::securing-communications/tutorial-tls-intro.asciidoc[]`

			`include::troubleshooting.asciidoc[]`

			`include::limitations.asciidoc[]`