[DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)

- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example 
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
This commit is contained in:
Tim Vernum 2017-07-07 13:33:35 +10:00 committed by GitHub
parent b636dcc366
commit c5012ac6e8
7 changed files with 108 additions and 33 deletions

View File

@ -82,7 +82,10 @@ Continue with installation? [y/N]y
---------------------------------------------------------- ----------------------------------------------------------
-- --
. If you have disabled automatic index creation in {es}, configure . {xpack} will try to automatically create a number of indices within {es}.
By default, {es} is configured to allow automatic index creation, and no
additional steps are required. However, if you have disabled automatic index
creation in {es}, you must configure
{ref}/docs-index_.html#index-creation[`action.auto_create_index`] in {ref}/docs-index_.html#index-creation[`action.auto_create_index`] in
`elasticsearch.yml` to allow {xpack} to create the following indices: `elasticsearch.yml` to allow {xpack} to create the following indices:
+ +
@ -92,6 +95,16 @@ Continue with installation? [y/N]y
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml* action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
----------------------------------------------------------- -----------------------------------------------------------
-- --
+
[IMPORTANT]
=============================================================================
If you are using https://www.elastic.co/products/logstash[Logstash]
or https://www.elastic.co/products/beats[Beats] then you will most likely
require additional index names in your `action.auto_create_index` setting, and
the exact value will depend on your local configuration. If you are unsure of
the correct value for your environment, you may consider setting the value to
`*` which will allow automatic creation of all indices.
=============================================================================
. Start {es}. . Start {es}.
+ +

View File

@ -65,11 +65,40 @@ xpack:
username_pattern: "EMAILADDRESS=(.*?)(?:,|$)" username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
------------------------------------------------------------ ------------------------------------------------------------
+ +
You can also specify which truststore to use for authentication. This is useful . Restart Elasticsearch.
when the SSL/TLS layer trusts clients with certificates that are signed by a
different CA than the one that signs your users' certificates. To specify the [[pki-ssl-config]]
location of the truststore, specify the `truststore.path` option: ==== PKI and SSL Settings
+
The PKI realm relies on the SSL settings of the node's network interface
(transport or http). The realm can be configured to be more restrictive than
the underlying network connection - that is, it is possible to configure the
node such that some connections are accepted by the network interface but then
fail to be authenticated by the PKI realm. However the reverse is not possible
- the PKI realm cannot authenticate a connection that has been refused by the
network interface.
In particular this means:
* The transport or http interface must request client certificates by setting
`client_authentication` to `optional` or `required`.
* The interface must _trust_ the certificate that is presented by the client
by configuring either the `truststore` or `certificate_authorities` paths,
or by setting `verification_mode` to `none`.
* The _protocols_ supported by the interface must be compatible with those
used by the client.
The relevant network interface (transport or http) must be configured to trust
any certificate that is to be used within the PKI realm. However it possible to
configure the PKI realm to trust only a _subset_ of the certificates accepted
by the network interface.
This is useful when the SSL/TLS layer trusts clients with certificates that are
signed by a different CA than the one that signs your users' certificates.
To configure the PKI realm with its own truststore, specify the
`truststore.path` option as below:
[source, yaml] [source, yaml]
------------------------------------------------------------ ------------------------------------------------------------
xpack: xpack:
@ -83,7 +112,9 @@ xpack:
password: "x-pack-test-password" password: "x-pack-test-password"
------------------------------------------------------------ ------------------------------------------------------------
. Restart Elasticsearch. The `certificate_authorities` option may be used as an alternative to the
`truststore.path` setting.
[[pki-settings]] [[pki-settings]]
===== PKI Realm Settings ===== PKI Realm Settings
@ -103,8 +134,12 @@ xpack:
| `username_pattern` | no | Specifies the regular expression pattern used to extract | `username_pattern` | no | Specifies the regular expression pattern used to extract
the username from the certificate DN. The first match the username from the certificate DN. The first match
group is used as the username. Defaults to `CN=(.*?)(?:,\|$)`. group is used as the username. Defaults to `CN=(.*?)(?:,\|$)`.
| `certificate_authorities` | no | List of paths to the PEM encoded certificate files
that should be trusted.
This setting may not be used with `truststore.path`.
| `truststore.path` | no | The path to the truststore. Defaults to the path | `truststore.path` | no | The path to the truststore. Defaults to the path
defined by {ref}/security-settings.html#ssl-tls-settings[SSL/TLS settings]. defined by {ref}/security-settings.html#ssl-tls-settings[SSL/TLS settings].
This setting may not be used with `certificate_authorities`.
| `truststore.password` | no/yes | Specifies the password for the truststore. Must be | `truststore.password` | no/yes | Specifies the password for the truststore. Must be
provided if `truststore.path` is set. provided if `truststore.path` is set.
| `truststore.algorithm` | no | Specifies the algorithm used for the truststore. | `truststore.algorithm` | no | Specifies the algorithm used for the truststore.
@ -151,4 +186,16 @@ user: <1>
<1> The name of a role. <1> The name of a role.
<2> The distinguished name (DN) of a PKI user. <2> The distinguished name (DN) of a PKI user.
The disinguished name for a PKI user follows X.500 naming conventions which
place the most specific fields (like `cn` or `uid`) at the beginning of the
name, and the most general fields (like `o` or `dc`) at the end of the name.
Some tools, such as _openssl_, may print out the subject name in a different
format.
One way that you can determine the correct DN for a certificate is to use the
{ref}/security-api-authenticate.html[authenticate API] (use the relevant PKI
certificate as the means of authentication) and inspect the metadata field in
the result. The user's distinguished name will be populated under the `pki_dn`
key. You can also use the authenticate API to validate your role mapping.
For more information, see <<mapping-roles, Mapping Users and Groups to Roles>>. For more information, see <<mapping-roles, Mapping Users and Groups to Roles>>.

View File

@ -258,6 +258,12 @@ are values. The mappings can have a many-to-many relationship. When you map role
to groups, the roles of a user in that group are the combination of the roles to groups, the roles of a user in that group are the combination of the roles
assigned to that group and the roles assigned to that user. assigned to that group and the roles assigned to that user.
By default, {security} checks role mapping files for changes every 5 seconds.
You can change this default behavior by changing the
`resource.reload.interval.high` setting in the `elasticsearch.yml` file
(as this is a common setting in Elasticsearch, changing its value may effect
other schedules in the system).
==== Realm Specific Details ==== Realm Specific Details
[float] [float]
[[ldap-role-mapping]] [[ldap-role-mapping]]

View File

@ -8,8 +8,10 @@ users, you can use the _run as_ mechanism to restrict data access according to
To "run as" (impersonate) another user, you must be able to retrieve the user from To "run as" (impersonate) another user, you must be able to retrieve the user from
the realm you use to authenticate. Both the internal `native` and `file` realms the realm you use to authenticate. Both the internal `native` and `file` realms
support this out of the box. The LDAP realm however must be configured to enable support this out of the box. The LDAP realm however must be configured to run in
user search. For more information, see <<ldap-user-search, Configuring an LDAP Realm with User Search>>. _user search_ mode. For more information, see
<<ldap-user-search, Configuring an LDAP Realm with User Search>>.
The Active Directory and PKI realms do not support "run as".
To submit requests on behalf of other users, you need to have the `run_as` To submit requests on behalf of other users, you need to have the `run_as`
permission. For example, the following role grants permission to submit request permission. For example, the following role grants permission to submit request

View File

@ -13,7 +13,7 @@ to `elasticsearch.yml`:
-------------------------------------------------- --------------------------------------------------
transport.profiles.client: <1> transport.profiles.client: <1>
port: 9500-9600 <2> port: 9500-9600 <2>
shield: xpack.security:
type: client <3> type: client <3>
-------------------------------------------------- --------------------------------------------------
<1> `client` is the name of this example profile <1> `client` is the name of this example profile

View File

@ -74,21 +74,26 @@ plugins in your Logstash `.conf` file. For example:
[source,js] [source,js]
-------------------------------------------------- --------------------------------------------------
input { input {
elasticsearch {
... ...
user => logstash_internal user => logstash_internal
password => x-pack-test-password password => x-pack-test-password
} }
}
filter { filter {
elasticsearch {
... ...
user => logstash_internal user => logstash_internal
password => x-pack-test-password password => x-pack-test-password
} }
}
output { output {
elasticsearch { elasticsearch {
... ...
user => logstash_internal user => logstash_internal
password => x-pack-test-password password => x-pack-test-password
} }
}
-------------------------------------------------- --------------------------------------------------
[float] [float]

View File

@ -494,10 +494,12 @@ Defaults to `CN=(.*?)(?:,\|$)`
`certificate_authorities`:: `certificate_authorities`::
List of PEM certificate files that should be used to authenticate a List of PEM certificate files that should be used to authenticate a
user's certificate as trusted. Defaults to the trusted certificates configured for SSL. user's certificate as trusted. Defaults to the trusted certificates configured for SSL.
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
This setting may not be used with `truststore.path`. This setting may not be used with `truststore.path`.
`truststore.path`:: `truststore.path`::
The path of a truststore to use. Defaults to the trusted certificates configured for SSL. The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
This setting may not be used with `certificate_authorities`. This setting may not be used with `certificate_authorities`.
`truststore.password`:: `truststore.password`::