Update security info in X-Pack installation (elastic/x-pack-elasticsearch#2389)
* [DOCS] Update security info in X-Pack installation
* [DOCS] Remove bootstrap from security info

Original commit: elastic/x-pack-elasticsearch@fc272747b1
This commit is contained in:
parent
5cd92ffbbf
commit
a56312a8e9
|
@ -138,22 +138,7 @@ the correct value for your environment, you may consider setting the value to
|
|||
`*` which will allow automatic creation of all indices.
|
||||
=============================================================================
|
||||
|
||||
. Change the passwords for the built-in users. For more information,
|
||||
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
|
||||
.. If you have not already done so, bootstrap the password for the `elastic`
|
||||
user by placing a password in the keystore of at least one node.
|
||||
+
|
||||
--
|
||||
[source,shell]
|
||||
--------------------------------------------------
|
||||
bin/elasticsearch-keystore create
|
||||
bin/elasticsearch-keystore add "bootstrap.password"
|
||||
--------------------------------------------------
|
||||
After you run the "add" command, you will be prompted to enter a password. This
|
||||
bootstrap password is only intended to be a transient password that is used to
|
||||
help you set all the built-in user passwords.
|
||||
--
|
||||
|
||||
. Configure passwords and SSL/TLS.
|
||||
.. If you have more than one node or a single node that listens on an external
|
||||
interface, you must configure SSL/TLS for inter-node communication. Single-node
|
||||
instances that use a loopback interface do not have this requirement. For more
|
||||
|
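Review bot: The surviving step title ". Configure passwords and SSL/TLS." names passwords first, but its first sub-step is the inter-node SSL/TLS requirement and the password tool only appears after ".. Start {es}.". Consider retitling the step to match that order (TLS, start the node, then set passwords), or adding a sentence saying that the built-in passwords are set once the node is running. With the keystore sub-step gone, a reader skimming the list could otherwise look for a password action before startup.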
@ -189,14 +174,12 @@ directory. For example,
|
|||
xpack.ssl.key: certs/${node.name}/${node.name}.key <1>
|
||||
xpack.ssl.certificate: certs/${node.name}/${node.name}.crt <2>
|
||||
xpack.ssl.certificate_authorities: certs/ca/ca.crt <3>
|
||||
xpack.security.authc.token.enabled: false <4>
|
||||
-----------------------------------------------------------
|
||||
<1> If this path does not exist on every node or the file name does not match
|
||||
the `node.name` configuration setting, you must specify the full path to the
|
||||
node key file.
|
||||
<2> Alternatively, specify the full path to the node certificate.
|
||||
<3> Alternatively specify the full path to the CA certificate.
|
||||
<4> Disables the built-in token service.
|
||||
--
|
||||
|
||||
.. Start {es}.
|
||||
|
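Review bot: The header shrinks this block from 14 to 12 lines, which matches `xpack.security.authc.token.enabled: false <4>` and its callout "<4> Disables the built-in token service." being the two lines dropped. If so, the example no longer says whether the token service default is acceptable for a node that has only the `xpack.ssl.*` settings shown here. Please state the expected behaviour in the surrounding text or keep the callout. Minor style point in the same block: "<3> Alternatively specify" is missing the comma that "<2> Alternatively, specify" has.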
@ -219,7 +202,8 @@ bin/x-pack/setup-passwords interactive
|
|||
--------------------------------------------------
|
||||
If you prefer to have randomly generated passwords, specify `auto` instead of
|
||||
`interactive`. If the node is not listening on "http://localhost:9200", use the
|
||||
`-u` parameter to specify the appropriate URL.
|
||||
`-u` parameter to specify the appropriate URL. For more information,
|
||||
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
|
||||
--
|
||||
|
||||
. {kibana-ref}/installing-xpack-kb.html[Install {xpack} on {kib}].
|
||||
|
|
|
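Review bot: The sentence about the `-u` parameter still quotes the default as "http://localhost:9200" even though the preceding step has the reader configure SSL/TLS. It should say that the value passed to `-u` must use `https://` when TLS is enabled on the HTTP interface, since this command sends the new built-in user passwords to that URL. The URL would also read better as a literal in backticks, matching `auto`, `interactive` and `-u` in the same paragraph.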
@ -16,12 +16,8 @@ see <<managing-native-users, Managing Native Users>>.
|
|||
|
||||
{security} provides built-in user credentials to help you get up and running.
|
||||
These users have a fixed set of privileges and cannot be authenticated until their
|
||||
passwords have been set. In order to set these passwords, the `elastic` user must
|
||||
have its password bootstrapped. To bootstrap the password, please read
|
||||
<<bootstrap-elastic-passwords,Bootstrap Elastic Password>> below.
|
||||
|
||||
Once the `elastic` user has its password bootstrapped,
|
||||
this user can be used to <<set-built-in-user-passwords,set all of the built-in user passwords>>.
|
||||
passwords have been set. The `elastic` user can be used to
|
||||
<<set-built-in-user-passwords,set all of the built-in user passwords>>.
|
||||
|
||||
.{security} Built-in Users
|
||||
|========
|
||||
|
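Review bot: The shortened paragraph now reads as circular. It says the built-in users "cannot be authenticated until their passwords have been set" and then, in the next sentence, that "The `elastic` user can be used to" set those passwords, with nothing in between explaining how `elastic` itself authenticates the first time. Now that the reference to `<<bootstrap-elastic-passwords,...>>` is gone, add a clause saying what credential `elastic` has before setup, or reword the first sentence so it does not apply to `elastic`.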
@ -47,35 +43,6 @@ realm will not have any effect on the built-in users. The built-in users can
|
|||
be disabled individually, using the
|
||||
{ref}/security-api-users.html[user management API].
|
||||
|
||||
[float]
|
||||
[[bootstrap-elastic-passwords]]
|
||||
==== Bootstrap Elastic Password
|
||||
The `elastic` user can have its password bootstrapped by placing a password
|
||||
in the keystore of at least one node. At startup, that node will pull the
|
||||
password out of the keystore and set the `elastic` password to that value. The
|
||||
password will only be set if the `elastic` user password has not already been set.
|
||||
|
||||
As the `elastic` user is stored in the native realm, the password will be
|
||||
synced to all the nodes in a cluster. It is safe to bootstrap the password with
|
||||
multiple nodes as long as the password is the same. If different passwords are
|
||||
set with different nodes, it is unpredictable which password will be bootstrapped.
|
||||
|
||||
Specifically, the setting for the bootstrap password is "bootstrap.password". If
|
||||
the keystore has not been created before, it must be created first.
|
||||
|
||||
[source,shell]
|
||||
--------------------------------------------------
|
||||
bin/elasticsearch-keystore create
|
||||
bin/elasticsearch-keystore add "bootstrap.password"
|
||||
--------------------------------------------------
|
||||
|
||||
After running the "add" command, you will be prompted to enter your password.
|
||||
|
||||
The bootstrap password is only intended to be a transient password used to help you
|
||||
set all the built-in user passwords. As the password will remain accessible in the
|
||||
keystore on the machine, the `elastic` user's password should be changed to a different
|
||||
password when you <set-built-in-user-passwords,set all the built-in passwords>.
|
||||
|
||||
[float]
|
||||
[[set-built-in-user-passwords]]
|
||||
==== Set Built-in User Passwords
|
||||
|
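Review bot: Deleting the whole "Bootstrap Elastic Password" section also drops its only security caveat, "As the password will remain accessible in the keystore on the machine, the `elastic` user's password should be changed". If `bootstrap.password` is still honoured by the node, that warning should survive somewhere, for example under "Set Built-in User Passwords". The section's anchor `[[bootstrap-elastic-passwords]]` goes with it: this commit removes two cross-references to it, but the rest of the docs tree should be searched for the anchor name before merging so that no dangling `<<bootstrap-elastic-passwords,...>>` link is left behind.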
@ -86,8 +53,8 @@ You can update passwords from the *Management > Users* UI in Kibana, using the
|
|||
setup-passwords tool, or with the security user api.
|
||||
|
||||
The setup-passwords tool is a command line tool that is provided to assist with
|
||||
setup. When it is run, it will use the `elastic` user bootstrap password to execute
|
||||
api requests that will change the passwords of the `elastic`, `kibana`, and
|
||||
setup. When it is run, it will use the `elastic` user to execute API requests
|
||||
that will change the passwords of the `elastic`, `kibana`, and
|
||||
`logstash_system` users. In "auto" mode the passwords will be generated randomly and
|
||||
printed to the console.
|
||||
|
||||
|
|
|
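Review bot: The rewritten sentence capitalises "API requests", but the context line just above it still says "security user api", so the paragraph is now inconsistent; please fix the casing there in the same change. Since this paragraph is being touched, the "auto" mode sentence ("generated randomly and printed to the console") would also benefit from a note that the output is the only copy of those passwords and will remain in terminal scrollback or any captured session log.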
@ -12,11 +12,6 @@ to start setting things up. This `elastic` user has full access
|
|||
to the cluster, including all indices and data, so the `elastic` user
|
||||
does not have a password set by default.
|
||||
|
||||
In order for the `elastic` user to be usable, its <<bootstrap-elastic-passwords,password must be bootstrapped>>
|
||||
by at least one of the nodes in your cluster. The bootstrap password is intended
|
||||
to be a temporary password to help you setup your cluster. The `elastic` user password
|
||||
will be changed during the setup process.
|
||||
|
||||
To get started with {security}:
|
||||
|
||||
. <<installing-xpack, Install X-Pack>>.
|
||||
|
|
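Review bot: After this removal the introduction goes straight from "does not have a password set by default" to "To get started with {security}:", so it no longer tells the reader that the `elastic` user is unusable until a password is set or where that happens. A one-line pointer to `<<set-built-in-user-passwords>>` before the numbered list would close the gap. The remaining sentence also reads oddly on its own ("has full access ... so the `elastic` user does not have a password set by default") and could be reworded while this paragraph is open.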