Update security info in X-Pack installation (elastic/x-pack-elasticsearch#2389)
* [DOCS] Update security info in X-Pack installation
* [DOCS] Remove bootstrap from security info

Original commit: elastic/x-pack-elasticsearch@fc272747b1
parent 5cd92ffbbf
commit a56312a8e9
|
@ -138,22 +138,7 @@ the correct value for your environment, you may consider setting the value to
|
||||||
`*` which will allow automatic creation of all indices.
|
`*` which will allow automatic creation of all indices.
|
||||||
=============================================================================
|
=============================================================================
|
||||||
|
|
||||||
. Change the passwords for the built-in users. For more information,
|
. Configure passwords and SSL/TLS.
|
||||||
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
|
|
||||||
.. If you have not already done so, bootstrap the password for the `elastic`
|
|
||||||
user by placing a password in the keystore of at least one node.
|
|
||||||
+
|
|
||||||
--
|
|
||||||
[source,shell]
|
|
||||||
--------------------------------------------------
|
|
||||||
bin/elasticsearch-keystore create
|
|
||||||
bin/elasticsearch-keystore add "bootstrap.password"
|
|
||||||
--------------------------------------------------
|
|
||||||
After you run the "add" command, you will be prompted to enter a password. This
|
|
||||||
bootstrap password is only intended to be a transient password that is used to
|
|
||||||
help you set all the built-in user passwords.
|
|
||||||
--
|
|
||||||
|
|
||||||
.. If you have more than one node or a single node that listens on an external
|
.. If you have more than one node or a single node that listens on an external
|
||||||
interface, you must configure SSL/TLS for inter-node communication. Single-node
|
interface, you must configure SSL/TLS for inter-node communication. Single-node
|
||||||
instances that use a loopback interface do not have this requirement. For more
|
instances that use a loopback interface do not have this requirement. For more
|
||||||
|
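Review bot: The new step title "Configure passwords and SSL/TLS." does not match the order of what follows: with the bootstrap substep removed, the first remaining substep is the SSL/TLS one, and no password is set until `bin/x-pack/setup-passwords` runs after "Start {es}". Consider a title that follows the substeps, for example "Configure SSL/TLS and set the built-in user passwords.", or split this into two steps so a reader does not look for a password action before the TLS configuration.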
@ -189,14 +174,12 @@ directory. For example,
|
||||||
xpack.ssl.key: certs/${node.name}/${node.name}.key <1>
|
xpack.ssl.key: certs/${node.name}/${node.name}.key <1>
|
||||||
xpack.ssl.certificate: certs/${node.name}/${node.name}.crt <2>
|
xpack.ssl.certificate: certs/${node.name}/${node.name}.crt <2>
|
||||||
xpack.ssl.certificate_authorities: certs/ca/ca.crt <3>
|
xpack.ssl.certificate_authorities: certs/ca/ca.crt <3>
|
||||||
xpack.security.authc.token.enabled: false <4>
|
|
||||||
-----------------------------------------------------------
|
-----------------------------------------------------------
|
||||||
<1> If this path does not exist on every node or the file name does not match
|
<1> If this path does not exist on every node or the file name does not match
|
||||||
the `node.name` configuration setting, you must specify the full path to the
|
the `node.name` configuration setting, you must specify the full path to the
|
||||||
node key file.
|
node key file.
|
||||||
<2> Alternatively, specify the full path to the node certificate.
|
<2> Alternatively, specify the full path to the node certificate.
|
||||||
<3> Alternatively specify the full path to the CA certificate.
|
<3> Alternatively specify the full path to the CA certificate.
|
||||||
<4> Disables the built-in token service.
|
|
||||||
--
|
--
|
||||||
|
|
||||||
.. Start {es}.
|
.. Start {es}.
|
||||||
|
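Review bot: The removal of `xpack.security.authc.token.enabled: false` and its callout `<4>` from the example is not covered by the commit message, which only mentions updating the security info and removing the bootstrap steps. The callout described the line as "Disables the built-in token service", so dropping it changes what the example configuration does to an authentication feature. Please state in the commit message why the line is no longer needed, and confirm that nothing else in this file still refers to callout `<4>`.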
@ -219,7 +202,8 @@ bin/x-pack/setup-passwords interactive
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
If you prefer to have randomly generated passwords, specify `auto` instead of
|
If you prefer to have randomly generated passwords, specify `auto` instead of
|
||||||
`interactive`. If the node is not listening on "http://localhost:9200", use the
|
`interactive`. If the node is not listening on "http://localhost:9200", use the
|
||||||
`-u` parameter to specify the appropriate URL.
|
`-u` parameter to specify the appropriate URL. For more information,
|
||||||
|
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
|
||||||
--
|
--
|
||||||
|
|
||||||
. {kibana-ref}/installing-xpack-kb.html[Install {xpack} on {kib}].
|
. {kibana-ref}/installing-xpack-kb.html[Install {xpack} on {kib}].
|
||||||
|
|
|
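Review bot: The cross-reference appended to the `-u` sentence reads as if "Setting Up User Authentication" documents the `-u` parameter. It was moved here from the step heading, where it was about changing the built-in users' passwords. Start a new sentence on its own line and say what the link covers, for example "For more information about the built-in users and their passwords, see ...".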
@ -16,12 +16,8 @@ see <<managing-native-users, Managing Native Users>>.
|
||||||
|
|
||||||
{security} provides built-in user credentials to help you get up and running.
|
{security} provides built-in user credentials to help you get up and running.
|
||||||
These users have a fixed set of privileges and cannot be authenticated until their
|
These users have a fixed set of privileges and cannot be authenticated until their
|
||||||
passwords have been set. In order to set these passwords, the `elastic` user must
|
passwords have been set. The `elastic` user can be used to
|
||||||
have its password bootstrapped. To bootstrap the password, please read
|
<<set-built-in-user-passwords,set all of the built-in user passwords>>.
|
||||||
<<bootstrap-elastic-passwords,Bootstrap Elastic Password>> below.
|
|
||||||
|
|
||||||
Once the `elastic` user has its password bootstrapped,
|
|
||||||
this user can be used to <<set-built-in-user-passwords,set all of the built-in user passwords>>.
|
|
||||||
|
|
||||||
.{security} Built-in Users
|
.{security} Built-in Users
|
||||||
|========
|
|========
|
||||||
|
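Review bot: The rewritten paragraph now contradicts itself in adjacent sentences: the built-in users "cannot be authenticated until their passwords have been set", and then "The `elastic` user can be used to" set those passwords. The removed text resolved this through the bootstrap password; the new text gives no way for `elastic` to authenticate before its own password exists. Add one sentence saying how `elastic` authenticates for that first call, or qualify the "cannot be authenticated" statement so it does not cover `elastic`.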
@ -47,35 +43,6 @@ realm will not have any effect on the built-in users. The built-in users can
|
||||||
be disabled individually, using the
|
be disabled individually, using the
|
||||||
{ref}/security-api-users.html[user management API].
|
{ref}/security-api-users.html[user management API].
|
||||||
|
|
||||||
[float]
|
|
||||||
[[bootstrap-elastic-passwords]]
|
|
||||||
==== Bootstrap Elastic Password
|
|
||||||
The `elastic` user can have its password bootstrapped by placing a password
|
|
||||||
in the keystore of at least one node. At startup, that node will pull the
|
|
||||||
password out of the keystore and set the `elastic` password to that value. The
|
|
||||||
password will only be set if the `elastic` user password has not already been set.
|
|
||||||
|
|
||||||
As the `elastic` user is stored in the native realm, the password will be
|
|
||||||
synced to all the nodes in a cluster. It is safe to bootstrap the password with
|
|
||||||
multiple nodes as long as the password is the same. If different passwords are
|
|
||||||
set with different nodes, it is unpredictable which password will be bootstrapped.
|
|
||||||
|
|
||||||
Specifically, the setting for the bootstrap password is "bootstrap.password". If
|
|
||||||
the keystore has not been created before, it must be created first.
|
|
||||||
|
|
||||||
[source,shell]
|
|
||||||
--------------------------------------------------
|
|
||||||
bin/elasticsearch-keystore create
|
|
||||||
bin/elasticsearch-keystore add "bootstrap.password"
|
|
||||||
--------------------------------------------------
|
|
||||||
|
|
||||||
After running the "add" command, you will be prompted to enter your password.
|
|
||||||
|
|
||||||
The bootstrap password is only intended to be a transient password used to help you
|
|
||||||
set all the built-in user passwords. As the password will remain accessible in the
|
|
||||||
keystore on the machine, the `elastic` user's password should be changed to a different
|
|
||||||
password when you <set-built-in-user-passwords,set all the built-in passwords>.
|
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[set-built-in-user-passwords]]
|
[[set-built-in-user-passwords]]
|
||||||
==== Set Built-in User Passwords
|
==== Set Built-in User Passwords
|
||||||
|
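Review bot: The removed section was the only place on this page that warned that the bootstrap password "will remain accessible in the keystore on the machine" and that the `elastic` password should be changed afterwards. Nodes set up from the previous instructions still have `bootstrap.password` in their keystore, so consider keeping a short note for those readers rather than deleting the warning outright. Since the `[[bootstrap-elastic-passwords]]` anchor goes away too, check that no other file still links to it; this commit only removes the two references visible here.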
@ -86,8 +53,8 @@ You can update passwords from the *Management > Users* UI in Kibana, using the
|
||||||
setup-passwords tool, or with the security user api.
|
setup-passwords tool, or with the security user api.
|
||||||
|
|
||||||
The setup-passwords tool is a command line tool that is provided to assist with
|
The setup-passwords tool is a command line tool that is provided to assist with
|
||||||
setup. When it is run, it will use the `elastic` user bootstrap password to execute
|
setup. When it is run, it will use the `elastic` user to execute API requests
|
||||||
api requests that will change the passwords of the `elastic`, `kibana`, and
|
that will change the passwords of the `elastic`, `kibana`, and
|
||||||
`logstash_system` users. In "auto" mode the passwords will be generated randomly and
|
`logstash_system` users. In "auto" mode the passwords will be generated randomly and
|
||||||
printed to the console.
|
printed to the console.
|
||||||
|
|
||||||
|
|
|
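Review bot: In the changed sentence, "it will use the `elastic` user to execute API requests" no longer says which credential the tool presents as `elastic`; the previous wording named the bootstrap password. State what the tool authenticates with, and what happens when the `elastic` password has already been changed, so the reader knows whether the tool can be re-run. Minor: the changed line now capitalises "API" while the context line just above still reads "security user api"; fix both in the same commit.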
@ -12,11 +12,6 @@ to start setting things up. This `elastic` user has full access
|
||||||
to the cluster, including all indices and data, so the `elastic` user
|
to the cluster, including all indices and data, so the `elastic` user
|
||||||
does not have a password set by default.
|
does not have a password set by default.
|
||||||
|
|
||||||
In order for the `elastic` user to be usable, its <<bootstrap-elastic-passwords,password must be bootstrapped>>
|
|
||||||
by at least one of the nodes in your cluster. The bootstrap password is intended
|
|
||||||
to be a temporary password to help you setup your cluster. The `elastic` user password
|
|
||||||
will be changed during the setup process.
|
|
||||||
|
|
||||||
To get started with {security}:
|
To get started with {security}:
|
||||||
|
|
||||||
. <<installing-xpack, Install X-Pack>>.
|
. <<installing-xpack, Install X-Pack>>.
|
||||||
|
|
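Review bot: After this removal the introduction goes from "does not have a password set by default" straight to "To get started with {security}:", with nothing telling the reader how the `elastic` user becomes usable. Replace the deleted paragraph with a single sentence that links to `<<set-built-in-user-passwords>>` instead of removing it without a successor.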