From bbcb33b5195c88864dc5decde91a73ffdb5a402e Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Thu, 5 Apr 2018 12:06:43 -0700 Subject: [PATCH] [DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288) Original commit: elastic/x-pack-elasticsearch@110df8a58eebba81c08f8093c87814aad5caac44 --- docs/en/security/authentication.asciidoc | 11 ++-------- docs/en/security/authorization.asciidoc | 10 ++++----- docs/en/security/getting-started.asciidoc | 5 +++-- .../securing-elasticsearch.asciidoc | 3 ++- .../cross-cluster.asciidoc | 4 +++- docs/en/settings/security-settings.asciidoc | 22 ++++++++++--------- 6 files changed, 26 insertions(+), 29 deletions(-) diff --git a/docs/en/security/authentication.asciidoc b/docs/en/security/authentication.asciidoc index 04324949fee..eff10a6567d 100644 --- a/docs/en/security/authentication.asciidoc +++ b/docs/en/security/authentication.asciidoc 
@@ -45,23 +45,16 @@ be disabled individually, using the [[bootstrap-elastic-passwords]] ==== The Elastic Bootstrap Password -When you install {xpack}, if the `elastic` user does not already have a password, +When you install {es}, if the `elastic` user does not already have a password, it uses a default bootstrap password. The bootstrap password is a transient password that enables you to run the tools that set all the built-in user passwords. By default, the bootstrap password is derived from a randomized `keystore.seed` -setting, which is added to the keystore when you install {xpack}. You do not need +setting, which is added to the keystore during installation. You do not need to know or change this bootstrap password. If you have defined a `bootstrap.password` setting in the keystore, however, that value is used instead. For more information about interacting with the keystore, see {ref}/secure-settings.html[Secure Settings]. -//// -//TBD: Is the following still true? -As the `elastic` user is stored in the native realm, the password will be -synced to all the nodes in a cluster. It is safe to bootstrap the password with -multiple nodes as long as the password is the same. If different passwords are -set with different nodes, it is unpredictable which password will be bootstrapped. -//// NOTE: After you <>, in particular for the `elastic` user, there is no further use for the bootstrap diff --git a/docs/en/security/authorization.asciidoc b/docs/en/security/authorization.asciidoc index fa755253f10..d89fe19a3ef 100644 --- a/docs/en/security/authorization.asciidoc +++ b/docs/en/security/authorization.asciidoc 
@@ -86,7 +86,7 @@ Grants the minimum privileges required for any user of {kib}. This role grants access to the {kib} indices and grants monitoring privileges for the cluster. [[built-in-roles-logstash-admin]] `logstash_admin` :: -Grants access to the `.logstash*` indices for managing configurations. +Grants access to the `.logstash*` indices for managing configurations. [[built-in-roles-logstash-system]] `logstash_system` :: Grants access necessary for the Logstash system user to send system-level data @@ -101,7 +101,7 @@ suitable for use within a Logstash pipeline. [[built-in-roles-beats-system]] `beats_system` :: Grants access necessary for the Beats system user to send system-level data -(such as monitoring) to {es}. +(such as monitoring) to {es}. + NOTE: This role should not be assigned to users as the granted permissions may change between releases. @@ -277,10 +277,8 @@ see <>. [[roles-management-ui]] === Role Management UI -If you are a {kib} user, make sure to -<>. -This enables you to easily manage users and roles from within {kib}. To manage roles, -log in to {kib} and go to *Management / Elasticsearch / Roles*. +{security} enables you to easily manage users and roles from within {kib}. To +manage roles, log in to {kib} and go to *Management / Elasticsearch / Roles*. [float] [[roles-management-api]] diff --git a/docs/en/security/getting-started.asciidoc b/docs/en/security/getting-started.asciidoc index 4aae7f69e72..82517a58951 100644 --- a/docs/en/security/getting-started.asciidoc +++ b/docs/en/security/getting-started.asciidoc @@ -1,7 +1,7 @@ [[security-getting-started]] == Getting Started with Security -To secure a cluster, you must install {xpack} on every node in the +To secure a cluster, you must enable {security} on every node in the cluster. Basic authentication is enabled by default--to communicate with the cluster, you must specify a username and password. Unless you {xpack-ref}/anonymous-access.html[enable anonymous access], all 
@@ -14,7 +14,8 @@ does not have a password set by default. To get started with {security}: -. <>. +. Verify that the `xpack.security.enabled` setting is `true`. For more +information, see {ref}/security-settings.html[Security Settings in {es}]. . Start {es} and {kib}. diff --git a/docs/en/security/securing-communications/securing-elasticsearch.asciidoc b/docs/en/security/securing-communications/securing-elasticsearch.asciidoc index 1e19ad7388e..b100567edf8 100644 --- a/docs/en/security/securing-communications/securing-elasticsearch.asciidoc +++ b/docs/en/security/securing-communications/securing-elasticsearch.asciidoc @@ -11,7 +11,8 @@ including passwords and will not be able to install a license that enables {secu To enable encryption, you need to perform the following steps on each node in the cluster: -. <>. +. Verify that the `xpack.security.enabled` setting is `true`. For more +information, see <>. . <>. diff --git a/docs/en/security/tribe-clients-integrations/cross-cluster.asciidoc b/docs/en/security/tribe-clients-integrations/cross-cluster.asciidoc index e75326876ed..1cbcf623a5f 100644 --- a/docs/en/security/tribe-clients-integrations/cross-cluster.asciidoc +++ b/docs/en/security/tribe-clients-integrations/cross-cluster.asciidoc @@ -22,7 +22,9 @@ This feature was added as Beta in {es} `v5.3` with further improvements made in To use cross cluster search with secured clusters: -* Install {xpack} on every node in each connected cluster. +* Enable {security} on every node in each connected cluster. For more +information about the `xpack.security.enabled` setting, see +{ref}/security-settings.html[Security Settings in {es}]. * Enable encryption globally. To encrypt communications, you must enable <> on every node. diff --git a/docs/en/settings/security-settings.asciidoc b/docs/en/settings/security-settings.asciidoc index 80a90002fa3..04a5bc9857b 100644 --- a/docs/en/settings/security-settings.asciidoc +++ b/docs/en/settings/security-settings.asciidoc 
@@ -5,6 +5,9 @@ Security Settings ++++ +By default, {security} is disabled when you have a basic or trial license. To +enable {security}, use the `xpack.security.enabled` setting. + You configure `xpack.security` settings to <> and perform message authentication, @@ -22,13 +25,12 @@ For more information about creating and updating the {es} keystore, see [[general-security-settings]] ==== General Security Settings `xpack.security.enabled`:: -Set to `true` (default) to enable {security} on the node. + +Set to `true` to enable {security} on the node. + + -If set to `false` in `elasticsearch.yml`, {security} is disabled. It also -affects all {kib} instances that connect to this {es} instance; you do not -need to disable {security} in those `kibana.yml` files. For more information -about disabling {security} in specific {kib} instances, see -{kibana-ref}/security-settings-kb.html[{kib} Security Settings]. +If set to `false`, which is the default value for basic and trial licenses, +{security} is disabled. It also affects all {kib} instances that connect to this +{es} instance; you do not need to disable {security} in those `kibana.yml` files. +For more information about disabling {security} in specific {kib} instances, see {kibana-ref}/security-settings-kb.html[{kib} Security Settings]. `xpack.security.hide_settings`:: A comma-separated list of settings that are omitted from the results of the @@ -184,7 +186,7 @@ Defaults to Empty. `bind_password`:: The password for the user that will be used to bind to the LDAP directory. Defaults to Empty. -*Deprecated.* Use `secure_bind_password` instead. +*Deprecated.* Use `secure_bind_password` instead. `secure_bind_password` (<>):: The password for the user that will be used to bind to the LDAP directory. 
@@ -415,7 +417,7 @@ Defaults to Empty. `bind_password`:: The password for the user that will be used to bind to Active Directory. Defaults to Empty. -*Deprecated.* Use `secure_bind_password` instead. +*Deprecated.* Use `secure_bind_password` instead. `secure_bind_password` (<>):: The password for the user that will be used to bind to Active Directory. @@ -640,7 +642,7 @@ The Entity ID of the SAML Identity Provider `idp.metadata.path`:: The path _(recommended)_ or URL to a SAML 2.0 metadata file describing the -capabilities and configuration of the Identity Provider. +capabilities and configuration of the Identity Provider. If a path is provided, then it is resolved relative to the {es} config directory. If a URL is provided, then it must be either a `file` URL or a `https` URL. @@ -664,7 +666,7 @@ Defaults to `true`. The Entity ID to use for this SAML Service Provider, entered as a URI. `sp.acs`:: -The URL of the Assertion Consumer Service within {kib}. +The URL of the Assertion Consumer Service within {kib}. `sp.logout`:: The URL of the Single Logout service within {kib}.
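Review bot: in the authentication.asciidoc hunk (@@ -45,23 +45,16 @@), the `////` block that asked "TBD: Is the following still true?" is deleted without the question being answered. The statement it contained, that the `elastic` password lives in the native realm and is synced to all nodes, and that bootstrapping with different `bootstrap.password` values on different nodes makes the resulting password unpredictable, is operator guidance that matters for a multi-node bootstrap. Suggest confirming whether it still holds and either restoring it as a NOTE after the keystore paragraph or stating in the commit message why it was dropped, so the answer is not lost with the comment.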
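Review bot: in the authorization.asciidoc hunk (@@ -277,10 +277,8 @@), replacing "If you are a {kib} user, make sure to <<...>>" with "{security} enables you to easily manage users and roles from within {kib}" removes the only prerequisite pointer from the Role Management UI section. Now that the rest of this change makes {security} disabled by default for basic and trial licenses, a Kibana user who lands here will not see the roles UI until `xpack.security.enabled` is `true`. Suggest keeping a lead sentence in the same form as getting-started.asciidoc uses: "Verify that the `xpack.security.enabled` setting is `true`. For more information, see {ref}/security-settings.html[Security Settings in {es}]."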
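Review bot: in the getting-started.asciidoc hunk (@@ -1,7 +1,7 @@), the unchanged context line "Basic authentication is enabled by default--to communicate with the cluster, you must specify a username and password" now contradicts the new first sentence and the security-settings.asciidoc change in the same patch, which says {security} is disabled by default for basic and trial licenses. Suggest rewording the context to make the dependency explicit, for example "Once {security} is enabled, basic authentication is on by default: to communicate with the cluster, you must specify a username and password."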
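Review bot: the new step "Verify that the `xpack.security.enabled` setting is `true`" in the getting-started.asciidoc hunk (@@ -14,7 +14,8 @@), and the identical step in securing-elasticsearch.asciidoc and the bullet in cross-cluster.asciidoc, reads as a check, but for the basic and trial licenses this patch documents the default is `false`, so there is nothing to verify: the reader has to set it. Suggest phrasing it as an action, e.g. "Set `xpack.security.enabled: true` in `elasticsearch.yml` on each node" (and in cross-cluster.asciidoc, "on every node in each connected cluster"), keeping the existing link to the Security Settings page for the license-dependent default.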
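Review bot: in the security-settings.asciidoc hunk (@@ -22,13 +25,12 @@), the setting description drops the old "(default)" and now states a default only for basic and trial licenses ("If set to `false`, which is the default value for basic and trial licenses"), so a reader on any other license type is left without a stated default. Suggest documenting it explicitly in the form the rest of this file uses, e.g. "Defaults to `false` for basic and trial licenses and `true` otherwise", if that matches the behaviour. Also, the new line "+For more information about disabling {security} in specific {kib} instances, see {kibana-ref}/security-settings-kb.html[{kib} Security Settings]." runs well past the wrap width the surrounding lines keep; break it after "see".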
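Review bot: the hunks at @@ -86 and @@ -101 in authorization.asciidoc and at @@ -184, @@ -415, @@ -640 and @@ -664 in security-settings.asciidoc remove trailing whitespace only; the `-`/`+` pairs are otherwise identical. They are harmless, but mixing them into a change that alters the documented security default makes the substantive edits harder to pick out in review and in `git blame`. Suggest moving the whitespace cleanup to a separate commit.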