[DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)
- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
This commit is contained in:
parent
b636dcc366
commit
c5012ac6e8
@ -82,7 +82,10 @@ Continue with installation? [y/N]y
|
||||||
----------------------------------------------------------
|
----------------------------------------------------------
|
||||||
--
|
--
|
||||||
|
|
||||||
. If you have disabled automatic index creation in {es}, configure
|
. {xpack} will try to automatically create a number of indices within {es}.
|
||||||
|
By default, {es} is configured to allow automatic index creation, and no
|
||||||
|
additional steps are required. However, if you have disabled automatic index
|
||||||
|
creation in {es}, you must configure
|
||||||
{ref}/docs-index_.html#index-creation[`action.auto_create_index`] in
|
{ref}/docs-index_.html#index-creation[`action.auto_create_index`] in
|
||||||
`elasticsearch.yml` to allow {xpack} to create the following indices:
|
`elasticsearch.yml` to allow {xpack} to create the following indices:
|
||||||
+
|
+
|
||||||
|
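Review bot: the rewritten step now opens with a description ("{xpack} will try to automatically create a number of indices within {es}.") instead of the instruction the old line led with, so a reader scanning the numbered list does not see what they have to do until the third sentence. Keep the action up front, e.g. ". Allow {xpack} to create the indices it needs." and then give the default-behaviour explanation and the `action.auto_create_index` override as the supporting text.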
@ -92,6 +95,16 @@ Continue with installation? [y/N]y
|
||||||
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
|
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
|
||||||
-----------------------------------------------------------
|
-----------------------------------------------------------
|
||||||
--
|
--
|
||||||
|
+
|
||||||
|
[IMPORTANT]
|
||||||
|
=============================================================================
|
||||||
|
If you are using https://www.elastic.co/products/logstash[Logstash]
|
||||||
|
or https://www.elastic.co/products/beats[Beats] then you will most likely
|
||||||
|
require additional index names in your `action.auto_create_index` setting, and
|
||||||
|
the exact value will depend on your local configuration. If you are unsure of
|
||||||
|
the correct value for your environment, you may consider setting the value to
|
||||||
|
`*` which will allow automatic creation of all indices.
|
||||||
|
=============================================================================
|
||||||
|
|
||||||
. Start {es}.
|
. Start {es}.
|
||||||
+
|
+
|
||||||
|
|
|
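Review bot: suggesting `*` in the IMPORTANT block quietly undoes the restriction the reader deliberately put in place; the hunk above says automatic index creation is already allowed by default, so `*` is the same as deleting the setting. Say that explicitly, and steer readers who use Logstash or Beats towards adding the specific index patterns those tools write to alongside the `.security,.monitoring*,.watches,...` list, keeping `*` as a clearly labelled last resort rather than the first thing offered to anyone "unsure of the correct value for your environment".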
@ -65,11 +65,40 @@ xpack:
|
||||||
username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
|
username_pattern: "EMAILADDRESS=(.*?)(?:,|$)"
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
+
|
+
|
||||||
You can also specify which truststore to use for authentication. This is useful
|
. Restart Elasticsearch.
|
||||||
when the SSL/TLS layer trusts clients with certificates that are signed by a
|
|
||||||
different CA than the one that signs your users' certificates. To specify the
|
[[pki-ssl-config]]
|
||||||
location of the truststore, specify the `truststore.path` option:
|
==== PKI and SSL Settings
|
||||||
+
|
|
||||||
|
The PKI realm relies on the SSL settings of the node's network interface
|
||||||
|
(transport or http). The realm can be configured to be more restrictive than
|
||||||
|
the underlying network connection - that is, it is possible to configure the
|
||||||
|
node such that some connections are accepted by the network interface but then
|
||||||
|
fail to be authenticated by the PKI realm. However the reverse is not possible
|
||||||
|
- the PKI realm cannot authenticate a connection that has been refused by the
|
||||||
|
network interface.
|
||||||
|
|
||||||
|
In particular this means:
|
||||||
|
|
||||||
|
* The transport or http interface must request client certificates by setting
|
||||||
|
`client_authentication` to `optional` or `required`.
|
||||||
|
* The interface must _trust_ the certificate that is presented by the client
|
||||||
|
by configuring either the `truststore` or `certificate_authorities` paths,
|
||||||
|
or by setting `verification_mode` to `none`.
|
||||||
|
* The _protocols_ supported by the interface must be compatible with those
|
||||||
|
used by the client.
|
||||||
|
|
||||||
|
|
||||||
|
The relevant network interface (transport or http) must be configured to trust
|
||||||
|
any certificate that is to be used within the PKI realm. However it possible to
|
||||||
|
configure the PKI realm to trust only a _subset_ of the certificates accepted
|
||||||
|
by the network interface.
|
||||||
|
This is useful when the SSL/TLS layer trusts clients with certificates that are
|
||||||
|
signed by a different CA than the one that signs your users' certificates.
|
||||||
|
|
||||||
|
To configure the PKI realm with its own truststore, specify the
|
||||||
|
`truststore.path` option as below:
|
||||||
|
|
||||||
[source, yaml]
|
[source, yaml]
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
xpack:
|
xpack:
|
||||||
|
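Review bot: the second bullet presents `verification_mode` set to `none` as one of the ways the interface can "_trust_" the client certificate, but `none` switches verification off at the interface rather than establishing trust, and the realm's own default trust store ("the path defined by SSL/TLS settings", per the settings table in this file) is then the same store the interface is no longer checking against. State what the realm validates the chain against in that configuration and that `truststore.path` or `certificate_authorities` must be set on the realm itself when the interface does not verify. Two smaller points in the same hunk: "However it possible to configure" is missing "is", and the paragraph beginning "The relevant network interface (transport or http) must be configured to trust" restates the "more restrictive than the underlying network connection" paragraph a few lines above it, so one of the two can go.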
@ -83,35 +112,41 @@ xpack:
|
||||||
password: "x-pack-test-password"
|
password: "x-pack-test-password"
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
|
|
||||||
. Restart Elasticsearch.
|
The `certificate_authorities` option may be used as an alternative to the
|
||||||
|
`truststore.path` setting.
|
||||||
|
|
||||||
|
|
||||||
[[pki-settings]]
|
[[pki-settings]]
|
||||||
===== PKI Realm Settings
|
===== PKI Realm Settings
|
||||||
|
|
||||||
[cols="4,^3,10"]
|
[cols="4,^3,10"]
|
||||||
|=======================
|
|=======================
|
||||||
| Setting | Required | Description
|
| Setting | Required | Description
|
||||||
| `type` | yes | Indicates the realm type. Must be set to `pki`.
|
| `type` | yes | Indicates the realm type. Must be set to `pki`.
|
||||||
| `order` | no | Indicates the priority of this realm within the realm
|
| `order` | no | Indicates the priority of this realm within the realm
|
||||||
chain. Realms with a lower order are consulted first.
|
chain. Realms with a lower order are consulted first.
|
||||||
Although not required, we recommend explicitly
|
Although not required, we recommend explicitly
|
||||||
setting this value when you configure multiple realms.
|
setting this value when you configure multiple realms.
|
||||||
Defaults to `Integer.MAX_VALUE`.
|
Defaults to `Integer.MAX_VALUE`.
|
||||||
| `enabled` | no | Indicates whether this realm is enabled or disabled.
|
| `enabled` | no | Indicates whether this realm is enabled or disabled.
|
||||||
Enables you to disable a realm without removing its
|
Enables you to disable a realm without removing its
|
||||||
configuration. Defaults to `true`.
|
configuration. Defaults to `true`.
|
||||||
| `username_pattern` | no | Specifies the regular expression pattern used to extract
|
| `username_pattern` | no | Specifies the regular expression pattern used to extract
|
||||||
the username from the certificate DN. The first match
|
the username from the certificate DN. The first match
|
||||||
group is used as the username. Defaults to `CN=(.*?)(?:,\|$)`.
|
group is used as the username. Defaults to `CN=(.*?)(?:,\|$)`.
|
||||||
| `truststore.path` | no | The path to the truststore. Defaults to the path
|
| `certificate_authorities` | no | List of paths to the PEM encoded certificate files
|
||||||
defined by {ref}/security-settings.html#ssl-tls-settings[SSL/TLS settings].
|
that should be trusted.
|
||||||
| `truststore.password` | no/yes | Specifies the password for the truststore. Must be
|
This setting may not be used with `truststore.path`.
|
||||||
provided if `truststore.path` is set.
|
| `truststore.path` | no | The path to the truststore. Defaults to the path
|
||||||
| `truststore.algorithm` | no | Specifies the algorithm used for the truststore.
|
defined by {ref}/security-settings.html#ssl-tls-settings[SSL/TLS settings].
|
||||||
Defaults to `SunX509`.
|
This setting may not be used with `certificate_authorities`.
|
||||||
| `files.role_mapping` | no | Specifies the <<security-files-location,location>>
|
| `truststore.password` | no/yes | Specifies the password for the truststore. Must be
|
||||||
for the <<pki-role-mapping, YAML role mapping configuration file>>.
|
provided if `truststore.path` is set.
|
||||||
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
|
| `truststore.algorithm` | no | Specifies the algorithm used for the truststore.
|
||||||
|
Defaults to `SunX509`.
|
||||||
|
| `files.role_mapping` | no | Specifies the <<security-files-location,location>>
|
||||||
|
for the <<pki-role-mapping, YAML role mapping configuration file>>.
|
||||||
|
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
|
||||||
|=======================
|
|=======================
|
||||||
|
|
||||||
[[assigning-roles-pki]]
|
[[assigning-roles-pki]]
|
||||||
|
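Review bot: the new `certificate_authorities` row gives no default, while the `truststore.path` row directly below it says "Defaults to the path defined by SSL/TLS settings" and the settings reference touched in this same commit says the list "Defaults to the trusted certificates configured for SSL"; add the matching default here so the two rows read as real alternatives with the same fallback. Also say whether `certificate_authorities` conflicts only with `truststore.path`, as written, or with every `truststore.*` setting (`truststore.password`, `truststore.algorithm`), and hyphenate "PEM-encoded".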
@ -151,4 +186,16 @@ user: <1>
|
||||||
<1> The name of a role.
|
<1> The name of a role.
|
||||||
<2> The distinguished name (DN) of a PKI user.
|
<2> The distinguished name (DN) of a PKI user.
|
||||||
|
|
||||||
|
The disinguished name for a PKI user follows X.500 naming conventions which
|
||||||
|
place the most specific fields (like `cn` or `uid`) at the beginning of the
|
||||||
|
name, and the most general fields (like `o` or `dc`) at the end of the name.
|
||||||
|
Some tools, such as _openssl_, may print out the subject name in a different
|
||||||
|
format.
|
||||||
|
|
||||||
|
One way that you can determine the correct DN for a certificate is to use the
|
||||||
|
{ref}/security-api-authenticate.html[authenticate API] (use the relevant PKI
|
||||||
|
certificate as the means of authentication) and inspect the metadata field in
|
||||||
|
the result. The user's distinguished name will be populated under the `pki_dn`
|
||||||
|
key. You can also use the authenticate API to validate your role mapping.
|
||||||
|
|
||||||
For more information, see <<mapping-roles, Mapping Users and Groups to Roles>>.
|
For more information, see <<mapping-roles, Mapping Users and Groups to Roles>>.
|
||||||
|
|
|
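Review bot: "disinguished" at the start of the new paragraph is a typo for "distinguished". More usefully, the paragraph warns that _openssl_ "may print out the subject name in a different format" without showing either form, so the reader still cannot recognise the mismatch; put one DN in both forms side by side, e.g. the `CN=user,OU=eng,O=example` ordering the realm expects next to openssl's slash-separated, most-general-first style, if that is the difference meant. The pointer to the `pki_dn` metadata key would likewise land better with a sample authenticate request and the relevant fragment of its response, since that is the check the paragraph is recommending.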
@ -258,6 +258,12 @@ are values. The mappings can have a many-to-many relationship. When you map role
|
||||||
to groups, the roles of a user in that group are the combination of the roles
|
to groups, the roles of a user in that group are the combination of the roles
|
||||||
assigned to that group and the roles assigned to that user.
|
assigned to that group and the roles assigned to that user.
|
||||||
|
|
||||||
|
By default, {security} checks role mapping files for changes every 5 seconds.
|
||||||
|
You can change this default behavior by changing the
|
||||||
|
`resource.reload.interval.high` setting in the `elasticsearch.yml` file
|
||||||
|
(as this is a common setting in Elasticsearch, changing its value may effect
|
||||||
|
other schedules in the system).
|
||||||
|
|
||||||
==== Realm Specific Details
|
==== Realm Specific Details
|
||||||
[float]
|
[float]
|
||||||
[[ldap-role-mapping]]
|
[[ldap-role-mapping]]
|
||||||
|
|
|
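Review bot: "may effect other schedules" should be "may affect other schedules". The parenthetical also deserves to be its own sentence rather than an aside: it is the security-relevant part of the paragraph, since `resource.reload.interval.high` is described as a common Elasticsearch setting, so tuning it to pick up role mapping changes faster changes other reload schedules on the node, while raising it means a mapping removed from the file keeps taking effect for longer. Spell out that trade-off and which direction a reader is likely to want.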
@ -8,8 +8,10 @@ users, you can use the _run as_ mechanism to restrict data access according to
|
||||||
|
|
||||||
To "run as" (impersonate) another user, you must be able to retrieve the user from
|
To "run as" (impersonate) another user, you must be able to retrieve the user from
|
||||||
the realm you use to authenticate. Both the internal `native` and `file` realms
|
the realm you use to authenticate. Both the internal `native` and `file` realms
|
||||||
support this out of the box. The LDAP realm however must be configured to enable
|
support this out of the box. The LDAP realm however must be configured to run in
|
||||||
user search. For more information, see <<ldap-user-search, Configuring an LDAP Realm with User Search>>.
|
_user search_ mode. For more information, see
|
||||||
|
<<ldap-user-search, Configuring an LDAP Realm with User Search>>.
|
||||||
|
The Active Directory and PKI realms do not support "run as".
|
||||||
|
|
||||||
To submit requests on behalf of other users, you need to have the `run_as`
|
To submit requests on behalf of other users, you need to have the `run_as`
|
||||||
permission. For example, the following role grants permission to submit request
|
permission. For example, the following role grants permission to submit request
|
||||||
|
|
|
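Review bot: "The Active Directory and PKI realms do not support "run as"." is ambiguous about direction given the sentence before it ("you must be able to retrieve the user from the realm you use to authenticate"): it can be read as "a user who authenticated via AD or PKI cannot run as anyone" or as "an AD or PKI user cannot be the run-as target". State which (or both), and give the reason in the same terms the LDAP sentence uses, e.g. that these realms cannot look a user up by name the way LDAP _user search_ mode does, if that is the reason, so the reader knows it is a realm limitation rather than a missing configuration step.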
@ -13,7 +13,7 @@ to `elasticsearch.yml`:
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
transport.profiles.client: <1>
|
transport.profiles.client: <1>
|
||||||
port: 9500-9600 <2>
|
port: 9500-9600 <2>
|
||||||
shield:
|
xpack.security:
|
||||||
type: client <3>
|
type: client <3>
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
<1> `client` is the name of this example profile
|
<1> `client` is the name of this example profile
|
||||||
|
|
|
@ -74,21 +74,26 @@ plugins in your Logstash `.conf` file. For example:
|
||||||
[source,js]
|
[source,js]
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
input {
|
input {
|
||||||
|
elasticsearch {
|
||||||
...
|
...
|
||||||
user => logstash_internal
|
user => logstash_internal
|
||||||
password => x-pack-test-password
|
password => x-pack-test-password
|
||||||
}
|
}
|
||||||
|
}
|
||||||
filter {
|
filter {
|
||||||
|
elasticsearch {
|
||||||
...
|
...
|
||||||
user => logstash_internal
|
user => logstash_internal
|
||||||
password => x-pack-test-password
|
password => x-pack-test-password
|
||||||
}
|
}
|
||||||
|
}
|
||||||
output {
|
output {
|
||||||
elasticsearch {
|
elasticsearch {
|
||||||
...
|
...
|
||||||
user => logstash_internal
|
user => logstash_internal
|
||||||
password => x-pack-test-password
|
password => x-pack-test-password
|
||||||
}
|
}
|
||||||
|
}
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
|
|
|
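Review bot: the `user` and `password` values are still unquoted after being moved inside the `elasticsearch { ... }` blocks; `x-pack-test-password` contains hyphens, which is not a valid bareword in the Logstash config grammar (letters, digits and underscores only), so the example is unlikely to parse as written. Quote both: `user => "logstash_internal"` and `password => "x-pack-test-password"`. Separately, the example now shows a single `logstash_internal` account used for reading (input and filter) and writing (output); a sentence noting that the three plugins can be given separate, narrower users would be worth adding.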
@ -494,10 +494,12 @@ Defaults to `CN=(.*?)(?:,\|$)`
|
||||||
`certificate_authorities`::
|
`certificate_authorities`::
|
||||||
List of PEM certificate files that should be used to authenticate a
|
List of PEM certificate files that should be used to authenticate a
|
||||||
user's certificate as trusted. Defaults to the trusted certificates configured for SSL.
|
user's certificate as trusted. Defaults to the trusted certificates configured for SSL.
|
||||||
|
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
||||||
This setting may not be used with `truststore.path`.
|
This setting may not be used with `truststore.path`.
|
||||||
|
|
||||||
`truststore.path`::
|
`truststore.path`::
|
||||||
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
|
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
|
||||||
|
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
||||||
This setting may not be used with `certificate_authorities`.
|
This setting may not be used with `certificate_authorities`.
|
||||||
|
|
||||||
`truststore.password`::
|
`truststore.password`::
|
||||||
|
|
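Review bot: the two added cross-reference sentences are identical and both point at the same `pki-ssl-config` anchor, which is fine, but the sentence they follow ("Defaults to the trusted certificates configured for SSL") is the part that needs the clarification: the linked PKI section explains that the realm can only narrow, never widen, what the interface trusts. Consider stating that one-line rule here instead of the generic "for more information", and saying which SSL setting each default falls back to (the SSL `certificate_authorities` list for this setting, the SSL truststore for `truststore.path`) if that is how the fallback actually works.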