42 lines
1.8 KiB
Plaintext
42 lines
1.8 KiB
Plaintext
|
[[security-files]]
|
||
|
=== Security Files
|
||
|
|
||
|
The {security} uses the following files:
|
||
|
|
||
|
* `CONFIG_DIR/x-pack/roles.yml` defines the roles in use on the cluster
|
||
|
(read more <<roles-management-file, here>>).
|
||
|
|
||
|
* `CONFIG_DIR/x-pack/users` defines the users and their hashed passwords for
|
||
|
the <<file-realm,`file` realm>>.
|
||
|
|
||
|
* `CONFIG_DIR/x-pack/users_roles` defines the user roles assignment for the
|
||
|
the <<file-realm, `file` realm>>.
|
||
|
|
||
|
* `CONFIG_DIR/x-pack/role_mapping.yml` defines the role assignments for a
|
||
|
Distinguished Name (DN) to a role. This allows for LDAP and Active Directory
|
||
|
groups and users and PKI users to be mapped to roles (read more
|
||
|
<<mapping-roles, here>>).
|
||
|
|
||
|
* `CONFIG_DIR/x-pack/log4j2.properties` contains audit information (read more
|
||
|
<<logging-file, here>>).
|
||
|
|
||
|
* `CONFIG_DIR/x-pack/system_key` holds a cluster secret key that's used to
|
||
|
authenticate messages during node to node communication. For more information,
|
||
|
see <<enable-message-authentication, Enabling Message Authentication>>.
|
||
|
|
||
|
[[security-files-location]]
|
||
|
|
||
|
IMPORTANT: Any files that {security} uses must be stored in the Elasticsearch
|
||
|
configuration directory. Elasticsearch runs with restricted permissions
|
||
|
and is only permitted to read from the locations configured in the
|
||
|
directory layout for enhanced security.
|
||
|
|
||
|
Several of these files are in the YAML format. When you edit these files, be
|
||
|
aware that YAML is indentation-level sensitive and indentation errors can lead
|
||
|
to configuration errors. Avoid the tab character to set indentation levels, or
|
||
|
use an editor that automatically expands tabs to spaces.
|
||
|
|
||
|
Be careful to properly escape YAML constructs such as `:` or leading exclamation
|
||
|
points within quoted strings. Using the `|` or `>` characters to define block
|
||
|
literals instead of escaping the problematic characters can help avoid problems.
|