[role="xpack"]
[[configuring-security]]
== Configuring security in {es}
++++
<titleabbrev>Configuring security</titleabbrev>
++++

The {es} {security-features} enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security measures
such as encrypting communications, role-based access control, IP filtering, and
auditing. For more information, see <<elasticsearch-security>>.

. Verify that you are using a license that includes the specific
{security-features} you want.
+
--
For more information, see https://www.elastic.co/subscriptions and
{stack-ov}/license-management.html[License management].
--

. Verify that the `xpack.security.enabled` setting is `true` on each node in
your cluster. If you are using basic or trial licenses, the default value is `false`.
For more information, see <<security-settings>>.

. If you plan to run {es} in a Federal Information Processing Standard (FIPS)
140-2 enabled JVM, see <<fips-140-compliance>>.

. <<configuring-tls,Configure Transport Layer Security (TLS/SSL) for internode communication>>.
+
--
NOTE: This requirement applies to clusters with more than one node and to
clusters with a single node that listens on an external interface. Single-node
clusters that use a loopback interface do not have this requirement. For more
information, see <<encrypting-communications>>.
--

. If it is not already running, start {es}.

. Set the passwords for all built-in users.
+
--
The {es} {security-features} provide <<built-in-users,built-in users>> to
help you get up and running. The +elasticsearch-setup-passwords+ command is the
simplest method to set the built-in users' passwords for the first time.

For example, you can run the command in "interactive" mode, which prompts you
to enter new passwords for the built-in users:

[source,shell]
--------------------------------------------------
bin/elasticsearch-setup-passwords interactive
--------------------------------------------------

For more information about the command options, see <<setup-passwords>>.

IMPORTANT: The `elasticsearch-setup-passwords` command uses a transient bootstrap
password that is no longer valid after the command runs successfully. You cannot
run the `elasticsearch-setup-passwords` command a second time. Instead, you can
update passwords from the **Management > Users** UI in {kib} or use the security
user API.
--

. Choose which types of realms you want to use to authenticate users.
+
--
TIP: The types of authentication realms that you can enable vary according to
your subscription. For more information, see https://www.elastic.co/subscriptions.
--
** <<configuring-ad-realm,Active Directory realms>>
** <<file-realm,File realms>>
** <<kerberos-realm,Kerberos realms>>
** <<ldap-realm,LDAP realms>>
** <<native-realm,Native realms>>
** <<pki-realm,PKI realms>>
** <<saml-realm,SAML realms>>

. Set up roles and users to control access to {es}.
+
--
For example, to grant _John Doe_ full access to all indices that match
the pattern `events*` and enable them to create visualizations and dashboards
for those indices in {kib}, you could create an `events_admin` role
and assign the role to a new `johndoe` user.

[source,shell]
----------------------------------------------------------
curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'
----------------------------------------------------------
// NOTCONSOLE
--

. [[enable-auditing]](Optional) Enable auditing to keep track of attempted and
successful interactions with your {es} cluster:
+
--
TIP: Audit logging is available with specific subscriptions. For more
information, see https://www.elastic.co/subscriptions.

.. Add the following setting to `elasticsearch.yml` on all nodes in your cluster:
+
[source,yaml]
----------------------------
xpack.security.audit.enabled: true
----------------------------
+
For more information, see <<auditing>> and <<auditing-settings>>.

.. Restart {es}.

Events are logged to a dedicated `<clustername>_audit.json` file in
`ES_HOME/logs` on each cluster node.
--

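As an added check for steps 2, 4 and 8 above (example code written for this page, not code from the {es} documentation or product), the following Python script reads the flat `key: value` form of `elasticsearch.yml` and reports which of the settings those steps tell you to verify a node is missing. It assumes `xpack.security.transport.ssl.enabled` as the signal that transport TLS is configured and `network.host` as the signal that a node listens beyond the loopback interface; both are real settings, but neither is named on this page.

```python
# Added example for this page, not code from the Elasticsearch docs or product:
# flags the elasticsearch.yml settings that steps 2 (security enabled),
# 4 (transport TLS) and 8 (auditing) above tell you to verify.
# Assumptions: the file is in flat "dotted.key: value" form with no '#' inside
# values; xpack.security.transport.ssl.enabled means "TLS configured";
# network.host decides whether a node listens beyond loopback; an absent
# xpack.security.enabled is treated as false, the basic/trial default.
from typing import Dict, List

# Values of network.host that keep a node on a loopback interface only.
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Return {key: value} for every 'key: value' line, ignoring comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_true(settings: Dict[str, str], key: str) -> bool:
    """Treat an absent key as false, matching the defaults the page states."""
    return settings.get(key, "false").lower() == "true"

def check_security_settings(yaml_text: str, node_count: int) -> List[str]:
    """Return one finding per unmet setting; an empty list means all checks pass."""
    s = parse_flat_yaml(yaml_text)
    findings: List[str] = []
    if not is_true(s, "xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: cluster is unprotected")
    # Step 4's NOTE: TLS is required for multi-node clusters and for a single
    # node that listens on a non-loopback interface.
    host = s.get("network.host", "_local_")
    if (node_count > 1 or host not in LOOPBACK_HOSTS) and not is_true(
            s, "xpack.security.transport.ssl.enabled"):
        findings.append(f"transport TLS not enabled (network.host={host}, {node_count} node(s))")
    if not is_true(s, "xpack.security.audit.enabled"):
        findings.append("xpack.security.audit.enabled is not true: no audit trail")
    return findings

# Constructed sample configs, not taken from any real deployment.
WEAK_CONFIG = "cluster.name: sample\nnetwork.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED_CONFIG = WEAK_CONFIG.replace("false", "true") + (
    "xpack.security.transport.ssl.enabled: true\nxpack.security.audit.enabled: true\n")
```

Running `check_security_settings(WEAK_CONFIG, node_count=3)` yields three findings, while the hardened config yields none; a single node left on the loopback default is not flagged for missing TLS, matching the NOTE in step 4.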
To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see <<security-getting-started>>.

include::securing-communications/separating-node-client-traffic.asciidoc[]
include::authentication/configuring-active-directory-realm.asciidoc[]

include::reference/files.asciidoc[]
include::fips-140-compliance.asciidoc[]