2018-05-02 13:56:31 -04:00
|
|
|
[role="xpack"]
|
|
|
|
[[configuring-native-realm]]
|
2018-05-02 15:08:02 -04:00
|
|
|
=== Configuring a native realm
|
2018-05-02 13:56:31 -04:00
|
|
|
|
|
|
|
The easiest way to manage and authenticate users is with the internal `native`
|
|
|
|
realm.
|
|
|
|
|
|
|
|
The native realm is available by default when no other realms are
|
|
|
|
configured. If other realm settings have been configured in `elasticsearch.yml`,
|
|
|
|
you must add the native realm to the realm chain.
|
|
|
|
|
2018-11-05 22:56:50 -05:00
|
|
|
You can configure a `native` realm in the `xpack.security.authc.realms.native`
|
|
|
|
namespace in `elasticsearch.yml`.
|
|
|
|
Explicitly configuring a native realm enables you to set the order in which it
|
|
|
|
appears in the realm chain, temporarily disable the realm, and control its
|
|
|
|
cache options.
|
|
|
|
|
|
|
|
. Add a realm configuration to `elasticsearch.yml` under the
|
|
|
|
`xpack.security.authc.realms.native` namespace. It is recommended that you
|
|
|
|
explicitly set the `order` attribute for the realm.
|
2018-05-02 13:56:31 -04:00
|
|
|
+
|
|
|
|
--
|
|
|
|
See <<ref-native-settings>> for all of the options you can set for the `native` realm.
|
|
|
|
For example, the following snippet shows a `native` realm configuration that
|
|
|
|
sets the `order` to zero so the realm is checked first:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
native:
|
|
|
|
native1:
|
|
|
|
order: 0
|
2018-05-02 13:56:31 -04:00
|
|
|
------------------------------------------------------------
|
2018-08-21 05:05:42 -04:00
|
|
|
|
|
|
|
NOTE: To limit exposure to credential theft and mitigate credential compromise,
|
|
|
|
the native realm stores passwords and caches user credentials according to
|
|
|
|
security best practices. By default, a hashed version of user credentials
|
|
|
|
is stored in memory, using a salted `sha-256` hash algorithm and a hashed
|
|
|
|
version of passwords is stored on disk salted and hashed with the `bcrypt`
|
|
|
|
hash algorithm. To use different hash algorithms, see <<hashing-settings>>.
|
2018-05-02 13:56:31 -04:00
|
|
|
--
|
|
|
|
|
|
|
|
. Restart {es}.
|
|
|
|
|
|
|
|
. Manage your users in {kib} on the *Management / Security / Users* page.
|
|
|
|
Alternatively, use the <<security-api-users,User Management APIs>>.
|
|
|
|
|