OpenSearch/docs/reference/sql/security.asciidoc

[role="xpack"]
[testenv="basic"]
[[sql-security]]
== Security

{es-sql} integrates with security, if this is enabled on your cluster. 
In such a scenario, {es-sql} supports both security at the transport layer (by encrypting the communication between the consumer and the server) and authentication (for the access layer).

[float]
[[ssl-tls-config]]
==== SSL/TLS configuration

In case of an encrypted transport, the SSL/TLS support needs to be enabled in {es-sql} to properly establish communication with {es}. This is done by setting the `ssl` property to `true` or by using the `https` prefix in the URL. +
Depending on your SSL configuration (whether the certificates are signed by a CA or not, whether they are global at JVM level or just local to one application), might require setting up the `keystore` and/or `truststore`, that is where the _credentials_ are stored (`keystore` - which typically stores private keys and certificates) and how to _verify_ them (`truststore` - which typically stores certificates from third party also known as CA - certificate authorities). +
Typically (and again, do note that your environment might differ significantly), if the SSL setup for {es-sql} is not already done at the JVM level, one needs to setup the keystore if the {es-sql} security requires client authentication (PKI - Public Key Infrastructure), and setup `truststore` if SSL is enabled.

[float]
==== Authentication

The authentication support in {es-sql} is of two types:

Username/Password:: Set these through `user` and `password` properties.
PKI/X.509:: Use X.509 certificates to authenticate {es-sql} to {es}. For this, one would need to setup the `keystore` containing the private key and certificate to the appropriate user (configured in {es}) and the `truststore` with the CA certificate used to sign the SSL/TLS certificates in the {es} cluster. That is, one should setup the key to authenticate {es-sql} and also to verify that is the right one. To do so, one should set the `ssl.keystore.location` and `ssl.truststore.location` properties to indicate the `keystore` and `truststore` to use. It is recommended to have these secured through a password in which case `ssl.keystore.pass` and `ssl.truststore.pass` properties are required.

[float]
[[sql-security-permissions]]
==== Permissions (server-side)
Lastly, one the server one need to add a few permissions to
users so they can run SQL. To run SQL a user needs `read` and
`indices:admin/get` permissions at minimum while some parts of 
the API require `cluster:monitor/main`. 

The following example configures a role that can run SQL in JDBC querying the `test` and `bort`
indices:

[source, yaml]
--------------------------------------------------
include-tagged::{sql-tests}/security/roles.yml[cli_drivers]
--------------------------------------------------
[DOCS] Move sql to docs (#31474) 2018-06-22 18:40:25 -04:00			`[role="xpack"]`
			`[testenv="basic"]`
[DOCS] Significantly improve SQL docs Introduce SQL commands Move reserved keywords into an appendix Add section on security Introduce concepts section 2018-06-20 14:40:13 -04:00			`[[sql-security]]`
			`== Security`

			`{es-sql} integrates with security, if this is enabled on your cluster.`
			`In such a scenario, {es-sql} supports both security at the transport layer (by encrypting the communication between the consumer and the server) and authentication (for the access layer).`

			`[float]`
[DOCS] Add anchors for Asciidoctor migration (#41648) 2019-04-30 10:19:09 -04:00			`[[ssl-tls-config]]`
[DOCS] Significantly improve SQL docs Introduce SQL commands Move reserved keywords into an appendix Add section on security Introduce concepts section 2018-06-20 14:40:13 -04:00			`==== SSL/TLS configuration`

			In case of an encrypted transport, the SSL/TLS support needs to be enabled in {es-sql} to properly establish communication with {es}. This is done by setting the `ssl` property to `true` or by using the `https` prefix in the URL. +
			Depending on your SSL configuration (whether the certificates are signed by a CA or not, whether they are global at JVM level or just local to one application), might require setting up the `keystore` and/or `truststore`, that is where the _credentials_ are stored (`keystore` - which typically stores private keys and certificates) and how to _verify_ them (`truststore` - which typically stores certificates from third party also known as CA - certificate authorities). +
			Typically (and again, do note that your environment might differ significantly), if the SSL setup for {es-sql} is not already done at the JVM level, one needs to setup the keystore if the {es-sql} security requires client authentication (PKI - Public Key Infrastructure), and setup `truststore` if SSL is enabled.

			`[float]`
			`==== Authentication`

			`The authentication support in {es-sql} is of two types:`

			Username/Password:: Set these through `user` and `password` properties.
			PKI/X.509:: Use X.509 certificates to authenticate {es-sql} to {es}. For this, one would need to setup the `keystore` containing the private key and certificate to the appropriate user (configured in {es}) and the `truststore` with the CA certificate used to sign the SSL/TLS certificates in the {es} cluster. That is, one should setup the key to authenticate {es-sql} and also to verify that is the right one. To do so, one should set the `ssl.keystore.location` and `ssl.truststore.location` properties to indicate the `keystore` and `truststore` to use. It is recommended to have these secured through a password in which case `ssl.keystore.pass` and `ssl.truststore.pass` properties are required.

			`[float]`
			`[[sql-security-permissions]]`
			`==== Permissions (server-side)`
			`Lastly, one the server one need to add a few permissions to`
			users so they can run SQL. To run SQL a user needs `read` and
			`indices:admin/get` permissions at minimum while some parts of
			the API require `cluster:monitor/main`.

			The following example configures a role that can run SQL in JDBC querying the `test` and `bort`
			`indices:`

[DOCS] Remove unneeded options from `[source,sql]` code blocks (#42759) In AsciiDoc, `subs="attributes,callouts,macros"` options were required to render `include-tagged::` in a code block. With elastic/docs#827, Elasticsearch Reference documentation migrated from AsciiDoc to Asciidoctor. In Asciidoctor, the `subs="attributes,callouts,macros"` options are no longer needed to render `include-tagged::` in a code block. This commit removes those unneeded options. Resolves #41589 2019-05-31 13:03:41 -04:00			`[source, yaml]`
[DOCS] Significantly improve SQL docs Introduce SQL commands Move reserved keywords into an appendix Add section on security Introduce concepts section 2018-06-20 14:40:13 -04:00			`--------------------------------------------------`
SQL: Support pattern against compatible indices (#34718) Extend querying support on multiple indices from being strictly identical to being just compatible. Use FieldCapabilities API (extended through #33803) for mapping merging. Close #31837 #31611 2018-10-23 10:07:51 -04:00			`include-tagged::{sql-tests}/security/roles.yml[cli_drivers]`
[DOCS] Significantly improve SQL docs Introduce SQL commands Move reserved keywords into an appendix Add section on security Introduce concepts section 2018-06-20 14:40:13 -04:00			`--------------------------------------------------`