2017-04-06 21:29:29 -04:00
|
|
|
[[security-files]]
|
|
|
|
=== Security Files
|
|
|
|
|
|
|
|
The {security} uses the following files:
|
|
|
|
|
|
|
|
* `CONFIG_DIR/x-pack/roles.yml` defines the roles in use on the cluster
|
|
|
|
(read more <<roles-management-file, here>>).
|
|
|
|
|
2018-04-11 11:36:12 -04:00
|
|
|
* `CONFIG_DIR/elasticsearch-users` defines the users and their hashed passwords for
|
2017-04-06 21:29:29 -04:00
|
|
|
the <<file-realm,`file` realm>>.
|
|
|
|
|
2018-04-11 11:36:12 -04:00
|
|
|
* `CONFIG_DIR/elasticsearch-users_roles` defines the user roles assignment for the
|
2017-04-06 21:29:29 -04:00
|
|
|
the <<file-realm, `file` realm>>.
|
|
|
|
|
|
|
|
* `CONFIG_DIR/x-pack/role_mapping.yml` defines the role assignments for a
|
|
|
|
Distinguished Name (DN) to a role. This allows for LDAP and Active Directory
|
|
|
|
groups and users and PKI users to be mapped to roles (read more
|
|
|
|
<<mapping-roles, here>>).
|
|
|
|
|
|
|
|
* `CONFIG_DIR/x-pack/log4j2.properties` contains audit information (read more
|
|
|
|
<<logging-file, here>>).
|
|
|
|
|
|
|
|
[[security-files-location]]
|
|
|
|
|
|
|
|
IMPORTANT: Any files that {security} uses must be stored in the Elasticsearch
|
|
|
|
configuration directory. Elasticsearch runs with restricted permissions
|
|
|
|
and is only permitted to read from the locations configured in the
|
|
|
|
directory layout for enhanced security.
|
|
|
|
|
|
|
|
Several of these files are in the YAML format. When you edit these files, be
|
|
|
|
aware that YAML is indentation-level sensitive and indentation errors can lead
|
|
|
|
to configuration errors. Avoid the tab character to set indentation levels, or
|
|
|
|
use an editor that automatically expands tabs to spaces.
|
|
|
|
|
|
|
|
Be careful to properly escape YAML constructs such as `:` or leading exclamation
|
|
|
|
points within quoted strings. Using the `|` or `>` characters to define block
|
|
|
|
literals instead of escaping the problematic characters can help avoid problems.
|