[[security-getting-started]]
== Getting Started with Security

To secure a cluster, you must enable {security} on every node in the
cluster. Basic authentication is enabled by default--to communicate
with the cluster, you must specify a username and password.
Unless you {xpack-ref}/anonymous-access.html[enable anonymous access], all
requests that don't include a user name and password are rejected.

{security} provides a built-in `elastic` superuser you can use
to start setting things up. This `elastic` user has full access
to the cluster, including all indices and data, so the `elastic` user
does not have a password set by default.

To get started with {security}:

. Verify that the `xpack.security.enabled` setting is `true`. For more
information, see {ref}/security-settings.html[Security Settings in {es}].

. Start {es} and {kib}.

. Set the passwords of the built-in `elastic`, `kibana`, `logstash_system`, and
`beats_system` users.
In most cases, you can simply run the `bin/x-pack/setup-passwords` tool on one of the nodes in your cluster.
Run that command with the same user that is running your {es} process.
In "auto" mode this tool will randomly generate passwords and print them to the console.
+
--
[source,shell]
--------------------------------------------------
bin/x-pack/setup-passwords auto
--------------------------------------------------

For more information, see <<set-built-in-user-passwords>>.
--

. Set up roles and users to control access to {es} and {kib}.
For example, to grant _John Doe_ full access to all indices that match
the pattern `events*` and enable him to create visualizations and dashboards
for those indices in Kibana, you could create an `events_admin` role
and assign the role to a new `johndoe` user.
+
--
[source,shell]
----------------------------------------------------------
curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'
----------------------------------------------------------
// NOTCONSOLE
--

[[enable-auditing]]
. Enable Auditing to keep track of attempted and successful interactions with
your {es} cluster:
+
--
.. Add the following setting to `elasticsearch.yml` on all nodes in your cluster:
+
[source,yaml]
----------------------------
xpack.security.audit.enabled: true
----------------------------
.. Restart {es}.

By default, events are logged to a dedicated `elasticsearch-access.log` file in
`ES_HOME/logs`. You can also store the events in an {es} index for
easier analysis and control what events are logged. For more information, see
{xpack-ref}/auditing.html[Configuring Auditing].
--
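
Because steps 1 and 5 must hold on every node, the following added example (not part of the Elastic documentation) checks a node's `elasticsearch.yml` for both settings. It assumes the flat `key: value` form shown above; the function names `yml_bool` and `check_node_config` and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Elastic docs). Parses only flat "key: value" lines.

# Print a flat key's boolean value in lower case, or nothing if the key is absent.
yml_bool() {  # usage: yml_bool KEY FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            sub(/[ \t]+#.*$/, "")                # drop trailing comments
            sub(/^[ \t]+/, "")
            if (index($0, key ":") == 1) {
                val = tolower(substr($0, length(key) + 2))
                gsub(/[^a-z]/, "", val)          # strip spaces, quotes, CR
                found = val
            }
        }
        END { if (found != "") print found }
    ' "$2"
}

# Check one node's elasticsearch.yml; returns 0 only when both settings are true.
# An unset key is reported too, since the file alone does not prove the value.
check_node_config() {  # usage: check_node_config FILE
    rc=0
    for key in xpack.security.enabled xpack.security.audit.enabled; do
        val=$(yml_bool "$key" "$1")
        case "$val" in
            true) echo "OK    $1: $key is true" ;;
            "")   echo "CHECK $1: $key is not set in this file"; rc=1 ;;
            *)    echo "FAIL  $1: $key is '$val'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample configs for two hypothetical nodes.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/node1.yml" <<'EOF'
cluster.name: demo
xpack.security.enabled: true
xpack.security.audit.enabled: "true"   # quoted value still counts
EOF
cat > "$demo_dir/node2.yml" <<'EOF'
xpack.security.enabled: true
# xpack.security.audit.enabled: true
EOF
for f in "$demo_dir"/node*.yml; do check_node_config "$f" || true; done
```

The second sample file is flagged because its audit setting is commented out, which is easy to miss when only some nodes were edited.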

[[moving-on]]
IMPORTANT: Once you get these basic security measures in place, we strongly
recommend that you secure communications to and from nodes by
configuring your cluster to use {xpack-ref}/ssl-tls.html[SSL/TLS encryption].
Nodes that do not have encryption enabled send passwords in plain
text and will not be able to install a non-trial license that enables the use
of {security}.

Depending on your security requirements, you might also want to:

* Integrate with {xpack-ref}/ldap-realm.html[LDAP] or {xpack-ref}/active-directory-realm.html[Active Directory],
or {xpack-ref}/pki-realm.html[require certificates] for authentication.
* Use {xpack-ref}/ip-filtering.html[IP Filtering] to allow or deny requests from particular
IP addresses or address ranges.