[DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288)

Original commit: elastic/x-pack-elasticsearch@110df8a58e
Lisa Cawley 2018-04-05 12:06:43 -07:00 committed by GitHub
parent f682ecc576
commit bbcb33b519
6 changed files with 26 additions and 29 deletions


@ -45,23 +45,16 @@ be disabled individually, using the
[[bootstrap-elastic-passwords]]
==== The Elastic Bootstrap Password
When you install {xpack}, if the `elastic` user does not already have a password,
When you install {es}, if the `elastic` user does not already have a password,
it uses a default bootstrap password. The bootstrap password is a transient
password that enables you to run the tools that set all the built-in user passwords.
By default, the bootstrap password is derived from a randomized `keystore.seed`
setting, which is added to the keystore when you install {xpack}. You do not need
setting, which is added to the keystore during installation. You do not need
to know or change this bootstrap password. If you have defined a
`bootstrap.password` setting in the keystore, however, that value is used instead.
For more information about interacting with the keystore, see
{ref}/secure-settings.html[Secure Settings].
////
//TBD: Is the following still true?
As the `elastic` user is stored in the native realm, the password will be
synced to all the nodes in a cluster. It is safe to bootstrap the password with
multiple nodes as long as the password is the same. If different passwords are
set with different nodes, it is unpredictable which password will be bootstrapped.
////
NOTE: After you <<set-built-in-user-passwords,set passwords for the built-in users>>,
in particular for the `elastic` user, there is no further use for the bootstrap
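Review bot: The `//TBD: Is the following still true?` comment block on multi-node bootstrapping is deleted in this hunk (it shrinks from 23 to 16 lines) without the question being answered. If setting different `bootstrap.password` values on different nodes still gives an unpredictable result, that belongs in a visible NOTE; if it no longer applies, the commit message should say so. The rewritten first sentence, "When you install {es} ... it uses a default bootstrap password", could also state that this only matters once {security} is enabled, since the same commit documents it as disabled by default for basic and trial licenses.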


@ -86,7 +86,7 @@ Grants the minimum privileges required for any user of {kib}. This role grants
access to the {kib} indices and grants monitoring privileges for the cluster.
[[built-in-roles-logstash-admin]] `logstash_admin` ::
Grants access to the `.logstash*` indices for managing configurations.
Grants access to the `.logstash*` indices for managing configurations.
[[built-in-roles-logstash-system]] `logstash_system` ::
Grants access necessary for the Logstash system user to send system-level data
@ -101,7 +101,7 @@ suitable for use within a Logstash pipeline.
[[built-in-roles-beats-system]] `beats_system` ::
Grants access necessary for the Beats system user to send system-level data
(such as monitoring) to {es}.
(such as monitoring) to {es}.
+
NOTE: This role should not be assigned to users as the granted permissions may
change between releases.
@ -277,10 +277,8 @@ see <<custom-roles-provider, Custom Roles Provider Extension>>.
[[roles-management-ui]]
=== Role Management UI
If you are a {kib} user, make sure to
<<installing-xpack, install {xpack} in {kib}>>.
This enables you to easily manage users and roles from within {kib}. To manage roles,
log in to {kib} and go to *Management / Elasticsearch / Roles*.
{security} enables you to easily manage users and roles from within {kib}. To
manage roles, log in to {kib} and go to *Management / Elasticsearch / Roles*.
[float]
[[roles-management-api]]
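Review bot: The new opening sentence under "Role Management UI" drops the only prerequisite the section stated (the `<<installing-xpack, ...>>` link) and puts nothing in its place. A reader on a node where `xpack.security.enabled` is `false` will not find *Management / Elasticsearch / Roles*, so consider something like "When {security} is enabled, you can manage users and roles from within {kib}."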


@ -1,7 +1,7 @@
[[security-getting-started]]
== Getting Started with Security
To secure a cluster, you must install {xpack} on every node in the
To secure a cluster, you must enable {security} on every node in the
cluster. Basic authentication is enabled by default--to communicate
with the cluster, you must specify a username and password.
Unless you {xpack-ref}/anonymous-access.html[enable anonymous access], all
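Review bot: "Basic authentication is enabled by default" in the unchanged second sentence now sits directly after "you must enable {security}" and reads as a contradiction of the commit's subject. Suggest qualifying it, for example "When {security} is enabled, basic authentication is enabled by default", so readers do not assume a fresh node already requires credentials.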
@ -14,7 +14,8 @@ does not have a password set by default.
To get started with {security}:
. <<installing-xpack, Install X-Pack>>.
. Verify that the `xpack.security.enabled` setting is `true`. For more
information, see {ref}/security-settings.html[Security Settings in {es}].
. Start {es} and {kib}.
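Review bot: The new first step says "Verify that the `xpack.security.enabled` setting is `true`", but this commit documents `false` as the default for basic and trial licenses, so for those readers the step is an action, not a check. Consider "Set `xpack.security.enabled` to `true` in `elasticsearch.yml`" or "Verify ... and set it if necessary", and say that it has to be done on every node, as the "Getting Started" intro does.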


@ -11,7 +11,8 @@ including passwords and will not be able to install a license that enables {secu
To enable encryption, you need to perform the following steps on each node in
the cluster:
. <<installing-xpack-es,Install {xpack} into {es}>>.
. Verify that the `xpack.security.enabled` setting is `true`. For more
information, see <<security-settings>>.
. <<node-certificates, Generate a private key and X.509 certificate>>.


@ -22,7 +22,9 @@ This feature was added as Beta in {es} `v5.3` with further improvements made in
To use cross cluster search with secured clusters:
* Install {xpack} on every node in each connected cluster.
* Enable {security} on every node in each connected cluster. For more
information about the `xpack.security.enabled` setting, see
{ref}/security-settings.html[Security Settings in {es}].
* Enable encryption globally. To encrypt communications, you must enable
<<ssl-tls,enable SSL/TLS>> on every node.
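Review bot: The context bullet right below the new one renders as "you must enable enable SSL/TLS" because the link text in `<<ssl-tls,enable SSL/TLS>>` repeats the verb. Since this list is being touched anyway, fix it here by dropping one "enable". The new bullet itself is clear; it may be worth stating that {security} must be enabled on both the local and the remote clusters, which "each connected cluster" only implies.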


@ -5,6 +5,9 @@
<titleabbrev>Security Settings</titleabbrev>
++++
By default, {security} is disabled when you have a basic or trial license. To
enable {security}, use the `xpack.security.enabled` setting.
You configure `xpack.security` settings to
<<anonymous-access-settings, enable anonymous access>>
and perform message authentication,
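Review bot: The added sentence "To enable {security}, use the `xpack.security.enabled` setting" does not say which value to set or where. This paragraph is the first thing a reader sees about a node that accepts unauthenticated requests by default, so spell it out: set `xpack.security.enabled` to `true` in `elasticsearch.yml` on each node. A NOTE admonition would also make the changed default harder to miss than a plain intro paragraph.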
@ -22,13 +25,12 @@ For more information about creating and updating the {es} keystore, see
[[general-security-settings]]
==== General Security Settings
`xpack.security.enabled`::
Set to `true` (default) to enable {security} on the node. +
Set to `true` to enable {security} on the node. +
+
If set to `false` in `elasticsearch.yml`, {security} is disabled. It also
affects all {kib} instances that connect to this {es} instance; you do not
need to disable {security} in those `kibana.yml` files. For more information
about disabling {security} in specific {kib} instances, see
{kibana-ref}/security-settings-kb.html[{kib} Security Settings].
If set to `false`, which is the default value for basic and trial licenses,
{security} is disabled. It also affects all {kib} instances that connect to this
{es} instance; you do not need to disable {security} in those `kibana.yml` files.
For more information about disabling {security} in specific {kib} instances, see {kibana-ref}/security-settings-kb.html[{kib} Security Settings].
`xpack.security.hide_settings`::
A comma-separated list of settings that are omitted from the results of the
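Review bot: With "(default)" removed from "Set to `true`", the entry for `xpack.security.enabled` now gives a default only for basic and trial licenses and leaves it unstated for every other license level. Add the default for those explicitly. Two smaller points in the same entry: "It also affects all {kib} instances" has an unclear antecedent after the rewording (the setting, not {security}), and the last added line is not wrapped like the lines around it.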
@ -184,7 +186,7 @@ Defaults to Empty.
`bind_password`::
The password for the user that will be used to bind to the LDAP directory.
Defaults to Empty.
*Deprecated.* Use `secure_bind_password` instead.
*Deprecated.* Use `secure_bind_password` instead.
`secure_bind_password` (<<secure-settings,Secure>>)::
The password for the user that will be used to bind to the LDAP directory.
@ -415,7 +417,7 @@ Defaults to Empty.
`bind_password`::
The password for the user that will be used to bind to Active Directory.
Defaults to Empty.
*Deprecated.* Use `secure_bind_password` instead.
*Deprecated.* Use `secure_bind_password` instead.
`secure_bind_password` (<<secure-settings,Secure>>)::
The password for the user that will be used to bind to Active Directory.
@ -640,7 +642,7 @@ The Entity ID of the SAML Identity Provider
`idp.metadata.path`::
The path _(recommended)_ or URL to a SAML 2.0 metadata file describing the
capabilities and configuration of the Identity Provider.
capabilities and configuration of the Identity Provider.
If a path is provided, then it is resolved relative to the {es} config
directory.
If a URL is provided, then it must be either a `file` URL or a `https` URL.
@ -664,7 +666,7 @@ Defaults to `true`.
The Entity ID to use for this SAML Service Provider, entered as a URI.
`sp.acs`::
The URL of the Assertion Consumer Service within {kib}.
The URL of the Assertion Consumer Service within {kib}.
`sp.logout`::
The URL of the Single Logout service within {kib}.