[DOCS] Added X-Pack bootstrap checks (elastic/x-pack-elasticsearch#2747)
* [DOCS] Added X-Pack bootstrap checks * [DOCS] Added more bootstrap checks * [DOCS] Added link to TLS configuration * [DOCS] Added Encrypt Sensitive Data bootstrap check * [DOCS] Added link to watcher encryption task * [DOCS] Added role mapping bootstrap check * [DOCS] Added PKI realm boostrap check * [DOCS] Added token SSL bootstrap check * [DOCS] Added role mapping bootstrap check * [DOCS] Added bootstrap check file names Original commit: elastic/x-pack-elasticsearch@4f3eb72d94
This commit is contained in:
Lisa Cawley
GitHub
parent
eaf67f8bc2
commit
c7b100a8c3
|
|
@ -0,0 +1,85 @@
|
||||||
|
[role="xpack"]
|
||||||
|
[[bootstrap-checks-xpack]]
|
||||||
|
== Bootstrap Checks for {xpack}
|
||||||
|
++++
|
||||||
|
<titleabbrev>Bootstrap Checks</titleabbrev>
|
||||||
|
++++
|
||||||
|
|
||||||
|
|
||||||
|
In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are
|
||||||
|
checks that are specific to {xpack} features.
|
||||||
|
|
||||||
|
[float]
|
||||||
|
=== Encrypt sensitive data check
|
||||||
|
//See EncryptSensitiveDAtaBootstrapCheck.java
|
||||||
|
|
||||||
|
If you use {watcher} and have chosen to encrypt sensitive data (by setting
|
||||||
|
`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
|
||||||
|
the secure settings store.
|
||||||
|
|
||||||
|
To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
|
||||||
|
on each node in the cluster. For more information, see
|
||||||
|
{xpack-ref}/encrypting-data.html[Encrypting Sensitive Data in {watcher}].
|
||||||
|
|
||||||
|
[float]
|
||||||
|
=== PKI realm check
|
||||||
|
//See PkiRealmBootstrapCheckTests.java
|
||||||
|
|
||||||
|
If you use {security} and a Public Key Infrastructure (PKI) realm, you must
|
||||||
|
configure Transport Layer Security (TLS) on your cluster and enable client
|
||||||
|
authentication on the network layers (either transport or http). For more
|
||||||
|
information, see {xpack-ref}/pki-realm.html[PKI User Authentication] and
|
||||||
|
{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].
|
||||||
|
|
||||||
|
To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
|
||||||
|
and enable client authentication on at least one network communication layer.
|
||||||
|
|
||||||
|
[float]
|
||||||
|
=== Role mappings check
|
||||||
|
|
||||||
|
If you authenticate users with realms other than `native` or `file` realms, you
|
||||||
|
must create role mappings. These role mappings define which roles are assigned
|
||||||
|
to each user.
|
||||||
|
|
||||||
|
If you use files to manage the role mappings, you must configure a YAML file
|
||||||
|
and copy it to each node in the cluster. By default, role mappings are stored in
|
||||||
|
`ES_PATH_CONF/x-pack/role_mapping.yml`. Alternatively, you can specify a
|
||||||
|
different role mapping file for each type of realm and specify its location in
|
||||||
|
the `elasticsearch.yml` file. For more information, see
|
||||||
|
{xpack-ref}/mapping-roles.html#mapping-roles-file[Using Role Mapping Files].
|
||||||
|
|
||||||
|
To pass this bootstrap check, the role mapping files must exist and must be
|
||||||
|
valid. The Distinguished Names (DNs) that are listed in the role mappings files
|
||||||
|
must also be valid.
|
||||||
|
|
||||||
|
[float]
|
||||||
|
=== SSL/TLS check
|
||||||
|
//See TLSLicenseBootstrapCheck.java
|
||||||
|
|
||||||
|
In 6.0 and later releases, if you have a gold, platinum, or enterprise license
|
||||||
|
and {security} is enabled, you must configure SSL/TLS for
|
||||||
|
internode-communication.
|
||||||
|
|
||||||
|
NOTE: Single-node clusters that use a loopback interface do not have this
|
||||||
|
requirement. For more information, see
|
||||||
|
{xpack-ref}/encrypting-communications.html[Encrypting Communications].
|
||||||
|
|
||||||
|
To pass this bootstrap check, you must
|
||||||
|
{xpack-ref}/ssl-tls.html[set up SSL/TLS in your cluster].
|
||||||
|
|
||||||
|
|
||||||
|
[float]
|
||||||
|
=== Token SSL check
|
||||||
|
//See TokenSSLBootstrapCheckTests.java
|
||||||
|
|
||||||
|
If you use {security} and the built-in token service is enabled, you must
|
||||||
|
configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is required
|
||||||
|
in order to use the token service.
|
||||||
|
|
||||||
|
In particular, if `xpack.security.authc.token.enabled` and `http.enabled` are
|
||||||
|
set to `true` in the `elasticsearch.yml` file, you must also set
|
||||||
|
`xpack.security.http.ssl.enabled` to `true`. For more information about these
|
||||||
|
settings, see <<security-settings>> and <<modules-http>>.
|
||||||
|
|
||||||
|
To pass this bootstrap check, you must enable HTTPS or disable the built-in
|
||||||
|
token service by using the {security} settings.
|
||||||
|
|
@ -13,4 +13,5 @@ easy-to-install package. To access this functionality, you must
|
||||||
include::installing-xes.asciidoc[]
|
include::installing-xes.asciidoc[]
|
||||||
include::{xes-repo-dir}/settings/configuring-xes.asciidoc[]
|
include::{xes-repo-dir}/settings/configuring-xes.asciidoc[]
|
||||||
include::setup-xclient.asciidoc[]
|
include::setup-xclient.asciidoc[]
|
||||||
|
include::bootstrap-checks-xes.asciidoc[]
|
||||||
include::{xes-repo-dir}/security/configuring-es.asciidoc[]
|
include::{xes-repo-dir}/security/configuring-es.asciidoc[]
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue