Update security info in X-Pack installation (elastic/x-pack-elasticsearch#2389)

* [DOCS] Update security info in X-Pack installation

* [DOCS] Remove bootstrap from security info

Original commit: elastic/x-pack-elasticsearch@fc272747b1
Lisa Cawley 2017-08-29 13:10:23 -07:00 committed by lcawley
parent 5cd92ffbbf
commit a56312a8e9
3 changed files with 7 additions and 61 deletions

@ -138,22 +138,7 @@ the correct value for your environment, you may consider setting the value to
`*` which will allow automatic creation of all indices. `*` which will allow automatic creation of all indices.
============================================================================= =============================================================================
. Change the passwords for the built-in users. For more information, . Configure passwords and SSL/TLS.
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
.. If you have not already done so, bootstrap the password for the `elastic`
user by placing a password in the keystore of at least one node.
+
--
[source,shell]
--------------------------------------------------
bin/elasticsearch-keystore create
bin/elasticsearch-keystore add "bootstrap.password"
--------------------------------------------------
After you run the "add" command, you will be prompted to enter a password. This
bootstrap password is only intended to be a transient password that is used to
help you set all the built-in user passwords.
--
.. If you have more than one node or a single node that listens on an external .. If you have more than one node or a single node that listens on an external
interface, you must configure SSL/TLS for inter-node communication. Single-node interface, you must configure SSL/TLS for inter-node communication. Single-node
instances that use a loopback interface do not have this requirement. For more instances that use a loopback interface do not have this requirement. For more
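Review bot: The new step title "Configure passwords and SSL/TLS." does not match the order of its sub-steps. The first sub-step shown is the SSL/TLS requirement for inter-node communication, and passwords are only set after ".. Start {es}." with `bin/x-pack/setup-passwords`. Consider "Configure SSL/TLS and passwords", or split the step in two, so a reader who has just lost the `bootstrap.password` sub-step does not look for a password action at this point.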
@ -189,14 +174,12 @@ directory. For example,
xpack.ssl.key: certs/${node.name}/${node.name}.key <1> xpack.ssl.key: certs/${node.name}/${node.name}.key <1>
xpack.ssl.certificate: certs/${node.name}/${node.name}.crt <2> xpack.ssl.certificate: certs/${node.name}/${node.name}.crt <2>
xpack.ssl.certificate_authorities: certs/ca/ca.crt <3> xpack.ssl.certificate_authorities: certs/ca/ca.crt <3>
xpack.security.authc.token.enabled: false <4>
----------------------------------------------------------- -----------------------------------------------------------
<1> If this path does not exist on every node or the file name does not match <1> If this path does not exist on every node or the file name does not match
the `node.name` configuration setting, you must specify the full path to the the `node.name` configuration setting, you must specify the full path to the
node key file. node key file.
<2> Alternatively, specify the full path to the node certificate. <2> Alternatively, specify the full path to the node certificate.
<3> Alternatively specify the full path to the CA certificate. <3> Alternatively specify the full path to the CA certificate.
<4> Disables the built-in token service.
-- --
.. Start {es}. .. Start {es}.
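Review bot: The removal of `xpack.security.authc.token.enabled: false` and its callout <4> from the example is not covered by the commit message, which mentions only updating the security info and removing bootstrap. If the example no longer needs the token service disabled, say so in the commit message or in the surrounding text; readers who copied the earlier example will otherwise not know whether to keep that line in their own configuration.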
@ -219,7 +202,8 @@ bin/x-pack/setup-passwords interactive
-------------------------------------------------- --------------------------------------------------
If you prefer to have randomly generated passwords, specify `auto` instead of If you prefer to have randomly generated passwords, specify `auto` instead of
`interactive`. If the node is not listening on "http://localhost:9200", use the `interactive`. If the node is not listening on "http://localhost:9200", use the
`-u` parameter to specify the appropriate URL. `-u` parameter to specify the appropriate URL. For more information,
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
-- --
. {kibana-ref}/installing-xpack-kb.html[Install {xpack} on {kib}]. . {kibana-ref}/installing-xpack-kb.html[Install {xpack} on {kib}].
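Review bot: The added "For more information, see ... [Setting Up User Authentication]" sentence is appended directly after the `-u` sentence, so it reads as further documentation for the `-u` parameter rather than for setting the built-in passwords. Move it to its own paragraph within the sub-step so the link is not tied to the URL option.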

@ -16,12 +16,8 @@ see <<managing-native-users, Managing Native Users>>.
{security} provides built-in user credentials to help you get up and running. {security} provides built-in user credentials to help you get up and running.
These users have a fixed set of privileges and cannot be authenticated until their These users have a fixed set of privileges and cannot be authenticated until their
passwords have been set. In order to set these passwords, the `elastic` user must passwords have been set. The `elastic` user can be used to
have its password bootstrapped. To bootstrap the password, please read <<set-built-in-user-passwords,set all of the built-in user passwords>>.
<<bootstrap-elastic-passwords,Bootstrap Elastic Password>> below.
Once the `elastic` user has its password bootstrapped,
this user can be used to <<set-built-in-user-passwords,set all of the built-in user passwords>>.
.{security} Built-in Users .{security} Built-in Users
|======== |========
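Review bot: The rewritten paragraph contradicts itself. It says the built-in users "cannot be authenticated until their passwords have been set" and then that "The `elastic` user can be used to set all of the built-in user passwords", without saying how `elastic` authenticates the first time. With the bootstrap explanation gone, add a sentence stating what `elastic` authenticates with before its password is set, or reword the first sentence so that it no longer applies to `elastic`.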
@ -47,35 +43,6 @@ realm will not have any effect on the built-in users. The built-in users can
be disabled individually, using the be disabled individually, using the
{ref}/security-api-users.html[user management API]. {ref}/security-api-users.html[user management API].
[float]
[[bootstrap-elastic-passwords]]
==== Bootstrap Elastic Password
The `elastic` user can have its password bootstrapped by placing a password
in the keystore of at least one node. At startup, that node will pull the
password out of the keystore and set the `elastic` password to that value. The
password will only be set if the `elastic` user password has not already been set.
As the `elastic` user is stored in the native realm, the password will be
synced to all the nodes in a cluster. It is safe to bootstrap the password with
multiple nodes as long as the password is the same. If different passwords are
set with different nodes, it is unpredictable which password will be bootstrapped.
Specifically, the setting for the bootstrap password is "bootstrap.password". If
the keystore has not been created before, it must be created first.
[source,shell]
--------------------------------------------------
bin/elasticsearch-keystore create
bin/elasticsearch-keystore add "bootstrap.password"
--------------------------------------------------
After running the "add" command, you will be prompted to enter your password.
The bootstrap password is only intended to be a transient password used to help you
set all the built-in user passwords. As the password will remain accessible in the
keystore on the machine, the `elastic` user's password should be changed to a different
password when you <set-built-in-user-passwords,set all the built-in passwords>.
[float] [float]
[[set-built-in-user-passwords]] [[set-built-in-user-passwords]]
==== Set Built-in User Passwords ==== Set Built-in User Passwords
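Review bot: Deleting the whole "Bootstrap Elastic Password" section also drops its one piece of security guidance, that the password "will remain accessible in the keystore on the machine" and that the `elastic` password should therefore be changed. If the `bootstrap.password` keystore setting is still honoured at startup, keep a short note with that caveat; if it is not, say so, so that existing keystore entries get cleaned up. Also check that no other page still links to the removed `[[bootstrap-elastic-passwords]]` anchor; this commit removes two such references.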
@ -86,8 +53,8 @@ You can update passwords from the *Management > Users* UI in Kibana, using the
setup-passwords tool, or with the security user api. setup-passwords tool, or with the security user api.
The setup-passwords tool is a command line tool that is provided to assist with The setup-passwords tool is a command line tool that is provided to assist with
setup. When it is run, it will use the `elastic` user bootstrap password to execute setup. When it is run, it will use the `elastic` user to execute API requests
api requests that will change the passwords of the `elastic`, `kibana`, and that will change the passwords of the `elastic`, `kibana`, and
`logstash_system` users. In "auto" mode the passwords will be generated randomly and `logstash_system` users. In "auto" mode the passwords will be generated randomly and
printed to the console. printed to the console.
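Review bot: The new wording "it will use the `elastic` user to execute API requests" no longer says which password the tool authenticates with, which is what someone running it on a fresh cluster needs to know. Name the credential here or link to where it is explained. Minor style point in the same paragraph: the changed line capitalizes "API" while the unchanged line above still reads "security user api".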

@ -12,11 +12,6 @@ to start setting things up. This `elastic` user has full access
to the cluster, including all indices and data, so the `elastic` user to the cluster, including all indices and data, so the `elastic` user
does not have a password set by default. does not have a password set by default.
In order for the `elastic` user to be usable, its <<bootstrap-elastic-passwords,password must be bootstrapped>>
by at least one of the nodes in your cluster. The bootstrap password is intended
to be a temporary password to help you setup your cluster. The `elastic` user password
will be changed during the setup process.
To get started with {security}: To get started with {security}:
. <<installing-xpack, Install X-Pack>>. . <<installing-xpack, Install X-Pack>>.
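Review bot: After this removal the overview states that the `elastic` user "does not have a password set by default" and then goes straight to "To get started with {security}:", so the reader is no longer told that the password is set during setup. Keep one sentence from the removed paragraph, without the bootstrap wording, for example a pointer to <<set-built-in-user-passwords>>.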