[DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288)
Original commit: elastic/x-pack-elasticsearch@110df8a58e
parent f682ecc576
commit bbcb33b519
|
@ -45,23 +45,16 @@ be disabled individually, using the
|
|||
[[bootstrap-elastic-passwords]]
|
||||
==== The Elastic Bootstrap Password
|
||||
|
||||
When you install {xpack}, if the `elastic` user does not already have a password,
|
||||
When you install {es}, if the `elastic` user does not already have a password,
|
||||
it uses a default bootstrap password. The bootstrap password is a transient
|
||||
password that enables you to run the tools that set all the built-in user passwords.
|
||||
|
||||
By default, the bootstrap password is derived from a randomized `keystore.seed`
|
||||
setting, which is added to the keystore when you install {xpack}. You do not need
|
||||
setting, which is added to the keystore during installation. You do not need
|
||||
to know or change this bootstrap password. If you have defined a
|
||||
`bootstrap.password` setting in the keystore, however, that value is used instead.
|
||||
For more information about interacting with the keystore, see
|
||||
{ref}/secure-settings.html[Secure Settings].
|
||||
////
|
||||
//TBD: Is the following still true?
|
||||
As the `elastic` user is stored in the native realm, the password will be
|
||||
synced to all the nodes in a cluster. It is safe to bootstrap the password with
|
||||
multiple nodes as long as the password is the same. If different passwords are
|
||||
set with different nodes, it is unpredictable which password will be bootstrapped.
|
||||
////
|
||||
|
||||
NOTE: After you <<set-built-in-user-passwords,set passwords for the built-in users>>,
|
||||
in particular for the `elastic` user, there is no further use for the bootstrap
|
||||
|
|
|
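Review bot: the commented block opened by `//TBD: Is the following still true?` disappears in this hunk (it shrinks from 23 to 16 lines) without the question being answered. That block held the only statement that setting different bootstrap passwords on different nodes makes it unpredictable which one is bootstrapped. If that still holds, restore it as visible text next to the `bootstrap.password` sentence; if it does not, record that in the commit message.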
@ -86,7 +86,7 @@ Grants the minimum privileges required for any user of {kib}. This role grants
|
|||
access to the {kib} indices and grants monitoring privileges for the cluster.
|
||||
|
||||
[[built-in-roles-logstash-admin]] `logstash_admin` ::
|
||||
Grants access to the `.logstash*` indices for managing configurations.
|
||||
Grants access to the `.logstash*` indices for managing configurations.
|
||||
|
||||
[[built-in-roles-logstash-system]] `logstash_system` ::
|
||||
Grants access necessary for the Logstash system user to send system-level data
|
||||
|
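Review bot: the `logstash_admin` description line appears twice with identical text, so the only change in this hunk looks like trailing whitespace. Consider moving whitespace cleanup to a separate commit so that this one carries only the security-default changes.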
@ -101,7 +101,7 @@ suitable for use within a Logstash pipeline.
|
|||
|
||||
[[built-in-roles-beats-system]] `beats_system` ::
|
||||
Grants access necessary for the Beats system user to send system-level data
|
||||
(such as monitoring) to {es}.
|
||||
(such as monitoring) to {es}.
|
||||
+
|
||||
NOTE: This role should not be assigned to users as the granted permissions may
|
||||
change between releases.
|
||||
|
@ -277,10 +277,8 @@ see <<custom-roles-provider, Custom Roles Provider Extension>>.
|
|||
[[roles-management-ui]]
|
||||
=== Role Management UI
|
||||
|
||||
If you are a {kib} user, make sure to
|
||||
<<installing-xpack, install {xpack} in {kib}>>.
|
||||
This enables you to easily manage users and roles from within {kib}. To manage roles,
|
||||
log in to {kib} and go to *Management / Elasticsearch / Roles*.
|
||||
{security} enables you to easily manage users and roles from within {kib}. To
|
||||
manage roles, log in to {kib} and go to *Management / Elasticsearch / Roles*.
|
||||
|
||||
[float]
|
||||
[[roles-management-api]]
|
||||
|
|
|
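Review bot: the replacement sentence `{security} enables you to easily manage users and roles from within {kib}` drops the install prerequisite and puts nothing in its place. Since this commit documents {security} as disabled by default for basic and trial licenses, add a sentence here saying that {security} must be enabled through `xpack.security.enabled` first, with a link to the setting.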
@ -1,7 +1,7 @@
|
|||
[[security-getting-started]]
|
||||
== Getting Started with Security
|
||||
|
||||
To secure a cluster, you must install {xpack} on every node in the
|
||||
To secure a cluster, you must enable {security} on every node in the
|
||||
cluster. Basic authentication is enabled by default--to communicate
|
||||
with the cluster, you must specify a username and password.
|
||||
Unless you {xpack-ref}/anonymous-access.html[enable anonymous access], all
|
||||
|
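Review bot: the context sentence `Basic authentication is enabled by default` now follows `you must enable {security} on every node` and reads as if authentication is on out of the box, which conflicts with the title of this commit. Reword it along the lines of "When {security} is enabled, basic authentication is enabled by default".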
@ -14,7 +14,8 @@ does not have a password set by default.
|
|||
|
||||
To get started with {security}:
|
||||
|
||||
. <<installing-xpack, Install X-Pack>>.
|
||||
. Verify that the `xpack.security.enabled` setting is `true`. For more
|
||||
information, see {ref}/security-settings.html[Security Settings in {es}].
|
||||
|
||||
. Start {es} and {kib}.
|
||||
|
||||
|
|
|
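Review bot: in the new step, `Verify that the xpack.security.enabled setting is true` implies the value is already set. With `false` documented elsewhere in this commit as the default for basic and trial licenses, the step should tell the reader to set it to `true` in `elasticsearch.yml` on every node, not just check it.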
@ -11,7 +11,8 @@ including passwords and will not be able to install a license that enables {secu
|
|||
To enable encryption, you need to perform the following steps on each node in
|
||||
the cluster:
|
||||
|
||||
. <<installing-xpack-es,Install {xpack} into {es}>>.
|
||||
. Verify that the `xpack.security.enabled` setting is `true`. For more
|
||||
information, see <<security-settings>>.
|
||||
|
||||
. <<node-certificates, Generate a private key and X.509 certificate>>.
|
||||
|
||||
|
|
|
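Review bot: the new step links with `<<security-settings>>`, while the same step in the other files of this commit uses `{ref}/security-settings.html[Security Settings in {es}]`. Check that the `security-settings` anchor resolves from this file's book, and use one cross-reference form for the same target where possible.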
@ -22,7 +22,9 @@ This feature was added as Beta in {es} `v5.3` with further improvements made in
|
|||
|
||||
To use cross cluster search with secured clusters:
|
||||
|
||||
* Install {xpack} on every node in each connected cluster.
|
||||
* Enable {security} on every node in each connected cluster. For more
|
||||
information about the `xpack.security.enabled` setting, see
|
||||
{ref}/security-settings.html[Security Settings in {es}].
|
||||
|
||||
* Enable encryption globally. To encrypt communications, you must enable
|
||||
<<ssl-tls,enable SSL/TLS>> on every node.
|
||||
|
|
|
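Review bot: the context bullet after the changed one reads `you must enable <<ssl-tls,enable SSL/TLS>>`, which renders as "must enable enable SSL/TLS". Since this list is being edited anyway, drop one `enable`.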
@ -5,6 +5,9 @@
|
|||
<titleabbrev>Security Settings</titleabbrev>
|
||||
++++
|
||||
|
||||
By default, {security} is disabled when you have a basic or trial license. To
|
||||
enable {security}, use the `xpack.security.enabled` setting.
|
||||
|
||||
You configure `xpack.security` settings to
|
||||
<<anonymous-access-settings, enable anonymous access>>
|
||||
and perform message authentication,
|
||||
|
@ -22,13 +25,12 @@ For more information about creating and updating the {es} keystore, see
|
|||
[[general-security-settings]]
|
||||
==== General Security Settings
|
||||
`xpack.security.enabled`::
|
||||
Set to `true` (default) to enable {security} on the node. +
|
||||
Set to `true` to enable {security} on the node. +
|
||||
+
|
||||
If set to `false` in `elasticsearch.yml`, {security} is disabled. It also
|
||||
affects all {kib} instances that connect to this {es} instance; you do not
|
||||
need to disable {security} in those `kibana.yml` files. For more information
|
||||
about disabling {security} in specific {kib} instances, see
|
||||
{kibana-ref}/security-settings-kb.html[{kib} Security Settings].
|
||||
If set to `false`, which is the default value for basic and trial licenses,
|
||||
{security} is disabled. It also affects all {kib} instances that connect to this
|
||||
{es} instance; you do not need to disable {security} in those `kibana.yml` files.
|
||||
For more information about disabling {security} in specific {kib} instances, see {kibana-ref}/security-settings-kb.html[{kib} Security Settings].
|
||||
|
||||
`xpack.security.hide_settings`::
|
||||
A comma-separated list of settings that are omitted from the results of the
|
||||
|
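Review bot: in the `xpack.security.enabled` entry, removing `(default)` from the `true` line and giving `false` as the default only "for basic and trial licenses" leaves the default for every other license level unstated. State it explicitly in the entry, so a reader with a different license does not have to infer whether authentication is on.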
@ -184,7 +186,7 @@ Defaults to Empty.
|
|||
`bind_password`::
|
||||
The password for the user that will be used to bind to the LDAP directory.
|
||||
Defaults to Empty.
|
||||
*Deprecated.* Use `secure_bind_password` instead.
|
||||
*Deprecated.* Use `secure_bind_password` instead.
|
||||
|
||||
`secure_bind_password` (<<secure-settings,Secure>>)::
|
||||
The password for the user that will be used to bind to the LDAP directory.
|
||||
|
@ -415,7 +417,7 @@ Defaults to Empty.
|
|||
`bind_password`::
|
||||
The password for the user that will be used to bind to Active Directory.
|
||||
Defaults to Empty.
|
||||
*Deprecated.* Use `secure_bind_password` instead.
|
||||
*Deprecated.* Use `secure_bind_password` instead.
|
||||
|
||||
`secure_bind_password` (<<secure-settings,Secure>>)::
|
||||
The password for the user that will be used to bind to Active Directory.
|
||||
|
@ -640,7 +642,7 @@ The Entity ID of the SAML Identity Provider
|
|||
|
||||
`idp.metadata.path`::
|
||||
The path _(recommended)_ or URL to a SAML 2.0 metadata file describing the
|
||||
capabilities and configuration of the Identity Provider.
|
||||
capabilities and configuration of the Identity Provider.
|
||||
If a path is provided, then it is resolved relative to the {es} config
|
||||
directory.
|
||||
If a URL is provided, then it must be either a `file` URL or a `https` URL.
|
||||
|
@ -664,7 +666,7 @@ Defaults to `true`.
|
|||
The Entity ID to use for this SAML Service Provider, entered as a URI.
|
||||
|
||||
`sp.acs`::
|
||||
The URL of the Assertion Consumer Service within {kib}.
|
||||
The URL of the Assertion Consumer Service within {kib}.
|
||||
|
||||
`sp.logout`::
|
||||
The URL of the Single Logout service within {kib}.
|
||||
|
|