[DOCS] Fix X-Pack settings for Elasticsearch (elastic/x-pack-elasticsearch#1863)

Original commit: elastic/x-pack-elasticsearch@8469db2909
Lisa Cawley 2017-06-27 09:14:35 -07:00 committed by GitHub
parent 7c7bf475c1
commit f2e20f86e4
6 changed files with 245 additions and 258 deletions

View File

@ -6,19 +6,6 @@
:es-test-dir: {docdir}/../../../../elasticsearch/docs/src/test
:plugins-examples-dir: {docdir}/../../../../elasticsearch/plugins/examples
:security: X-Pack security
:monitoring: X-Pack monitoring
:watcher: Watcher
:reporting: X-Pack reporting
:graph: X-Pack graph
:searchprofiler: X-Pack search profiler
:xpackml: X-Pack machine learning
:ml: machine learning
:dfeed: datafeed
:dfeeds: datafeeds
:dfeed-cap: Datafeed
:dfeeds-cap: Datafeeds
include::{es-repo-dir}/Versions.asciidoc[]
include::{es-repo-dir}/reference/index-shared1.asciidoc[]
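Review bot: The attribute definitions from `:security:` through `:dfeeds-cap:` look like what this hunk drops (the old side is 19 lines, the new side 6), yet the settings pages changed in the same commit still use `{security}`, `{monitoring}` and `{watcher}`. Please confirm those attributes are defined by one of the remaining includes (`Versions.asciidoc` or `index-shared1.asciidoc`); an undefined reference is left unresolved and would show up as literal `{...}` text in headings such as `=== {watcher} Settings`.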

View File

@ -2,9 +2,8 @@
[[settings-xpack]]
== Configuring X-Pack
include::x-pack-settings.asciidoc
include::x-pack-settings.asciidoc[]
include::ml-settings.asciidoc[]
include::monitoring-settings.asciidoc[]
include::security-settings.asciidoc[]
include::notification-settings.asciidoc[]

View File

@ -1,5 +1,6 @@
[role="xpack"]
[[monitoring-settings]]
== Monitoring Settings
=== Monitoring Settings
Monitoring is enabled by default when you install {xpack}. You configure
<<monitoring-collection-settings, `xpack.monitoring.collection`>>
@ -17,13 +18,13 @@ For more information, see
[float]
[[general-monitoring-settings]]
=== General Monitoring Settings
==== General Monitoring Settings
`xpack.monitoring.enabled`::
Set to `false` to disable {es} {monitoring} for Elasticsearch.
[float]
[[monitoring-collection-settings]]
=== Monitoring Collection Settings
==== Monitoring Collection Settings
`xpack.monitoring.collection.cluster.state.timeout`::
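Review bot: The `xpack.monitoring.enabled` description kept as context here reads "disable {es} {monitoring} for Elasticsearch", which names the product twice once the attributes expand. Since the section is being touched anyway, consider "Set to `false` to disable {monitoring} for {es}." and add the default value, which the entry does not state in the lines shown.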
@ -93,4 +94,4 @@ the `http` exporter will not be deleted automatically.
:verifies:
:server!:
include::ssl-settings.asciidoc[]
include::ssl-settings.asciidoc[]

View File

@ -1,14 +1,15 @@
[role="xpack"]
[[notification-settings]]
== {watcher} Settings
=== {watcher} Settings
You configure `xpack.notification` settings in `elasticsearch.yml` to
You configure `xpack.notification` settings in `elasticsearch.yml` to
send set up {watcher} and send notifications via <<email-notification-settings, email>>,
<<hipchat-notification-settings, HipChat>>, <<slack-notification-settings,
<<hipchat-notification-settings, HipChat>>, <<slack-notification-settings,
Slack>>, and <<pagerduty-notification-settings, PagerDuty>>.
[float]
[[general-notification-settings]]
=== General Watcher Settings
==== General Watcher Settings
`xpack.watcher.enabled`::
Set to `false` to disable {watcher}.
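Review bot: The intro sentence this hunk re-wraps still reads "to send set up {watcher} and send notifications", with a stray "send", and its list of channels (email, HipChat, Slack, PagerDuty) leaves out Jira even though the file has a `jira-notification-settings` section. Suggest "to set up {watcher} and send notifications via ..." and adding a `<<jira-notification-settings, Jira>>` link. The anchor `[[general-notification-settings]]` also sits over a heading named "General Watcher Settings"; if it is kept for link stability, a comment saying so would help.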
@ -32,109 +33,109 @@ include::ssl-settings.asciidoc[]
[float]
[[email-notification-settings]]
=== Email Notification Settings
You can configure the following email notification settings in
`elasticsearch.yml`. For more information about sending notifications
==== Email Notification Settings
You can configure the following email notification settings in
`elasticsearch.yml`. For more information about sending notifications
via email, see {xpack-ref}/actions-email.html#configuring-email-actions[Configuring Email].
`xpack.notification.email.account`::
Specifies account information for sending notifications via email. You
Specifies account information for sending notifications via email. You
can specify the following email account attributes:
[[email-account-attributes]]
`profile`;;
`profile`;;
The {xpack-ref}/actions-email.html#configuring-email[email profile] to use to build the MIME
messages that are sent from the account. Valid values: `standard`, `gmail` and
messages that are sent from the account. Valid values: `standard`, `gmail` and
`outlook`. Defaults to `standard`.
`email_defaults.*`;;
An optional set of email attributes to use as defaults
`email_defaults.*`;;
An optional set of email attributes to use as defaults
for the emails sent from the account. See {xpack-ref}/actions-email.html#email-action-attributes[
Email Action Attributes] for the supported attributes.
`smtp.auth`;;
Set to `true` to attempt to authenticate the user using the
`smtp.auth`;;
Set to `true` to attempt to authenticate the user using the
AUTH command. Defaults to `false`.
`smtp.host`;;
`smtp.host`;;
The SMTP server to connect to. Required.
`smtp.port`;;
`smtp.port`;;
The SMTP server port to connect to. Defaults to 25.
`smtp.user`;;
`smtp.user`;;
The user name for SMTP. Required.
`smtp.password`;;
`smtp.password`;;
The password for the specified SMTP user.
`smtp.starttls.enable`;;
Set to `true` to enable the use of the `STARTTLS`
command (if supported by the server) to switch the connection to a
TLS-protected connection before issuing any login commands. Note that
an appropriate trust store must configured so that the client will
`smtp.starttls.enable`;;
Set to `true` to enable the use of the `STARTTLS`
command (if supported by the server) to switch the connection to a
TLS-protected connection before issuing any login commands. Note that
an appropriate trust store must configured so that the client will
trust the server's certificate. Defaults to `false`.
`smtp.*`;;
SMTP attributes that enable fine control over the SMTP
protocol when sending messages. See
`smtp.*`;;
SMTP attributes that enable fine control over the SMTP
protocol when sending messages. See
https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html[com.sun.mail.smtp]
for the full list of SMTP properties you can set. Note that all timeouts
for the full list of SMTP properties you can set. Note that all timeouts
(`writetimeout`, `connection_timeout` and `timeout`) default to 2 minutes.
`xpack.notification.email.html.sanitization.allow`::
Specifies the HTML elements that are allowed in email notifications. For
more information, see {xpack-ref}/actions-email.html#email-html-sanitization[Configuring HTML
more information, see {xpack-ref}/actions-email.html#email-html-sanitization[Configuring HTML
Sanitization Options]. You can specify individual HTML elements
and the following HTML feature groups:
[[html-feature-groups]]
`_tables`;;
All table related elements: `<table>`, `<th>`, `<tr>`
`_tables`;;
All table related elements: `<table>`, `<th>`, `<tr>`
and `<td>`.
`_blocks`;;
`_blocks`;;
The following block elements: `<p>`, `<div>`, `<h1>`,
`<h2>`, `<h3>`, `<h4>`, `<h5>`, `<h6>`, `<ul>`, `<ol>`,
`<li>`, and `<blockquote>`.
`_formatting`;;
`_formatting`;;
The following inline formatting elements: `<b>`, `<i>`,
`<s>`, `<u>`, `<o>`, `<sup>`, `<sub>`, `<ins>`, `<del>`,
`<strong>`, `<strike>`, `<tt>`, `<code>`, `<big>`,
`<small>`, `<br>`, `<span>`, and `<em>`.
`_links`;;
`_links`;;
The `<a>` element with an `href` attribute that points
to a URL using the following protocols: `http`, `https`
and `mailto`.
`_styles`;;
`_styles`;;
The `style` attribute on all elements. Note that CSS
attributes are also sanitized to prevent XSS attacks.
`img`;;
`img:all`;;
`img:all`;;
All images (external and embedded).
`img:embedded`;;
`img:embedded`;;
Only embedded images. Embedded images can only use the
`cid:` URL protocol in their `src` attribute.
`xpack.notification.email.html.sanitization.disallow`::
Specifies the HTML elements that are NOT allowed in email notifications.
You can specify individual HTML elements and <<html-feature-groups,
Specifies the HTML elements that are NOT allowed in email notifications.
You can specify individual HTML elements and <<html-feature-groups,
HTML feature groups>>.
`xpack.notification.email.html.sanitization.enabled` ::
Set to `false` to completely disable HTML sanitation. Not recommended.
`xpack.notification.email.html.sanitization.enabled` ::
Set to `false` to completely disable HTML sanitation. Not recommended.
Defaults to `true`.
[float]
[[hipchat-notification-settings]]
=== HipChat Notification Settings
You can configure the following HipChat notification settings in
`elasticsearch.yml`. For more information about sending notifications
==== HipChat Notification Settings
You can configure the following HipChat notification settings in
`elasticsearch.yml`. For more information about sending notifications
via HipChat, see {xpack-ref}/actions-hipchat.html#configuring-hipchat-actions[Configuring HipChat].
`xpack.notification.hipchat` ::
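Review bot: In the `smtp.starttls.enable` entry, the re-wrapped line still says "an appropriate trust store must configured"; it needs "must be configured". The same entry would be clearer if it said outright that with the default of `false`, and `smtp.auth` set to `true`, the `smtp.user` and `smtp.password` login happens without the STARTTLS upgrade; the text only implies this with "before issuing any login commands". Further down, `xpack.notification.email.html.sanitization.enabled` says "HTML sanitation" where the setting name and the rest of the section say "sanitization".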
@ -142,46 +143,46 @@ Specifies account information for sending notifications
via HipChat. You can specify the following HipChat account attributes:
[[hipchat-account-attributes]]
`profile`;;
The HipChat account profile to use: `integration`,
`profile`;;
The HipChat account profile to use: `integration`,
`user`, or `v1`. Required.
`auth_token`;;
The authentication token to use to access
`auth_token`;;
The authentication token to use to access
the HipChat API. Required.
`host`;;
`host`;;
The HipChat server hostname. Defaults to `api.hipchat.com`.
`port`;;
`port`;;
The HipChat server port number. Defaults to 443.
`room`;;
The room you want to send messages to. Must be specified
if the `profile` is set to `integration`. Not valid for
`room`;;
The room you want to send messages to. Must be specified
if the `profile` is set to `integration`. Not valid for
the `user` or `vi` profiles.
`user`;;
The HipChat user account to use to send messages.
`user`;;
The HipChat user account to use to send messages.
Specified as an email address. Must be specified if the
`profile` is set to `user`. Not valid for the `integration`
`profile` is set to `user`. Not valid for the `integration`
or `v1` profiles.
`message.format`;;
The format of the message: `text` or `html`.
`message.format`;;
The format of the message: `text` or `html`.
Defaults to `html`.
`message.color`;;
The background color of the notification in the room.
`message.color`;;
The background color of the notification in the room.
Defaults to `yellow`.
`message.notify`;;
`message.notify`;;
Indicates whether people in the room should be
actively notified. Defaults to `false`.
[float]
[[slack-notification-settings]]
=== Slack Notification Settings
==== Slack Notification Settings
You can configure the following Slack notification settings in
`elasticsearch.yml`. For more information about sending notifications
via Slack, see {xpack-ref}/actions-slack.html#configuring-slack-actions[Configuring Slack].
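Review bot: The `room` entry says "Not valid for the `user` or `vi` profiles", but the `profile` entry lists `integration`, `user`, or `v1`, and the `user` entry below spells it `v1`. `vi` is a typo that this hunk carries forward while re-wrapping the neighbouring lines; please change it to `v1`.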
@ -222,7 +223,7 @@ via Slack. You can specify the following Slack account attributes:
[float]
[[jira-notification-settings]]
=== Jira Notification Settings
==== Jira Notification Settings
You can configure the following Jira notification settings in
`elasticsearch.yml`. For more information about using notifications
to create issues in Jira, see {xpack-ref}/actions-jira.html#configuring-jira-actions[Configuring Jira].
@ -233,7 +234,7 @@ issues in Jira. You can specify the following Jira account attributes:
[[jira-account-attributes]]
`url`;;
`url`;;
The URL of the Jira Software server. Required.
`user`;;
@ -250,9 +251,9 @@ issues in Jira. You can specify the following Jira account attributes:
[float]
[[pagerduty-notification-settings]]
=== PagerDuty Notification Settings
You can configure the following PagerDuty notification settings in
`elasticsearch.yml`. For more information about sending notifications
==== PagerDuty Notification Settings
You can configure the following PagerDuty notification settings in
`elasticsearch.yml`. For more information about sending notifications
via PagerDuty, see {xpack-ref}/actions-pagerduty.html#configuring-pagerduty-actions[Configuring PagerDuty].
@ -264,12 +265,12 @@ via PagerDuty. You can specify the following PagerDuty account attributes:
`name`;;
A name for the PagerDuty account associated with the API key you
are using to access PagerDuty. Required.
`service_api_key`;;
The https://developer.pagerduty.com/documentation/rest/authentication[
PagerDuty API key] to use to access PagerDuty. Required.
`event_defaults`;;
Default values for {xpack-ref}/actions-pagerduty.html#pagerduty-event-trigger-incident-attributes[
PagerDuty event attributes]. Optional.
@ -278,21 +279,20 @@ via PagerDuty. You can specify the following PagerDuty account attributes:
A string that contains the default description for PagerDuty events.
If no default is configured, each PagerDuty action must specify a
`description`.
`incident_key`::
`incident_key`::
A string that contains the default incident key to use when sending
PagerDuty events.
`client`::
A string that specifies the default monitoring client.
`client_url`::
The URL of the default monitoring client.
The URL of the default monitoring client.
`event_type`::
The default event type. Valid values: `trigger`,`resolve`, `acknowledge`.
`attach_payload`::
Whether or not to provide the watch payload as context for
the event by default. Valid values: `true`, `false`.
`attach_payload`::
Whether or not to provide the watch payload as context for
the event by default. Valid values: `true`, `false`.
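Review bot: The `event_defaults` sub-attributes (`incident_key`, `client`, `client_url`, `event_type`, `attach_payload`) are marked with `::`, the same delimiter the top-level `xpack.notification.*` settings use, while the account attributes they belong under (`name`, `service_api_key`, `event_defaults`) use `;;`. A `::` term inside a `;;` list returns to the outer list, so these will render as top-level settings instead of nesting under `event_defaults`; a delimiter not yet used in the list, such as `:::`, would keep them nested. Minor: "`trigger`,`resolve`" in `event_type` is missing a space after the comma.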

View File

@ -1,23 +1,24 @@
[role="xpack"]
[[security-settings]]
== Security Settings
=== Security Settings
You configure `xpack.security` settings to
You configure `xpack.security` settings to
<<anonymous-access-settings, enable anonymous access>>
and perform message authentication,
<<field-document-security-settings, set up document and field
level security>>, <<realm-settings, configure realms>>,
<<field-document-security-settings, set up document and field
level security>>, <<realm-settings, configure realms>>,
and <<ssl-tls-settings, encrypt communications with SSL>>.
[float]
[[general-security-settings]]
=== General Security Settings
==== General Security Settings
`xpack.security.enabled`::
Set to `false` to disable {security}.
Configure in both `elasticsearch.yml` and `kibana.yml`.
Configure in both `elasticsearch.yml` and `kibana.yml`.
[float]
[[password-security-settings]]
=== Default Password Security Settings
==== Default Password Security Settings
`xpack.security.authc.accept_default_password`::
In `elasticsearch.yml`, set this to `false` to disable support for the default "changeme" password.
For more information, see {xpack-ref}/setting-up-authentication.html#disabling-default-password[
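Review bot: The `xpack.security.authc.accept_default_password` entry explains what `false` does but, in the lines shown, never states the default, so a reader cannot tell whether a fresh install accepts the "changeme" password. Please add an explicit "Defaults to ..." sentence. The intro paragraph re-wrapped at the top of the hunk links anonymous access, document and field level security, realms and SSL, but not the `password-security-settings` or `token-service-settings` sections that the file also contains.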
@ -25,13 +26,13 @@ Disable Default Password Functionality].
[float]
[[anonymous-access-settings]]
=== Anonymous Access Settings
You can configure the following anonymous access settings in
==== Anonymous Access Settings
You can configure the following anonymous access settings in
`elasticsearch.yml`. For more information, see {xpack-ref}/anonymous-access.html[
Enabling Anonymous Access].
`xpack.security.authc.anonymous.username`::
The username (principal) of the anonymous user. Defaults to `_es_anonymous_user`.
The username (principal) of the anonymous user. Defaults to `_es_anonymous_user`.
`xpack.security.authc.anonymous.roles`::
The roles to associate with the anonymous user. Required.
@ -40,26 +41,26 @@ The roles to associate with the anonymous user. Required.
When `true`, an HTTP 403 response is returned if the anonymous user
does not have the appropriate permissions for the requested action. The
user is not prompted to provide credentials to access the requested
resource. When set to `false`, a HTTP 401 is returned and the user
can provide credentials with the appropriate permissions to gain
resource. When set to `false`, a HTTP 401 is returned and the user
can provide credentials with the appropriate permissions to gain
access. Defaults to `true`.
[float]
[[field-document-security-settings]]
=== Document and Field Level Security Settings
==== Document and Field Level Security Settings
You can set the following document and field level security
settings in `elasticsearch.yml`. For more information, see
settings in `elasticsearch.yml`. For more information, see
{xpack-ref}/field-and-document-access-control.html[Setting Up Document and Field
Level Security].
`xpack.security.dls_fls.enabled`::
Set to `false` to prevent document and field level security
Set to `false` to prevent document and field level security
from being configured. Defaults to `true`.
[float]
[[token-service-settings]]
=== Token Service Settings
==== Token Service Settings
You can set the following token service settings in
`elasticsearch.yml`.
@ -78,8 +79,8 @@ The length of time that a token is valid for. By default this value is `20m` or
[float]
[[realm-settings]]
=== Realm Settings
You configure realm settings in the `xpack.security.authc.realms`
==== Realm Settings
You configure realm settings in the `xpack.security.authc.realms`
namespace in `elasticsearch.yml`. For example:
[source,yaml]
@ -103,92 +104,92 @@ xpack.security.authc.realms:
...
----------------------------------------
The valid settings vary depending on the realm type. For more
The valid settings vary depending on the realm type. For more
information, see {xpack-ref}/setting-up-authentication.html[Setting Up Authentication].
[float]
==== Settings Valid for All Realms
===== Settings Valid for All Realms
`type`::
`type`::
The type of the realm: `native, `ldap`, `active_directory`, `pki`, or `file`. Required.
`order`::
The priority of the realm within the realm chain. Defaults to `Integer.MAX_VALUE`.
`order`::
The priority of the realm within the realm chain. Defaults to `Integer.MAX_VALUE`.
`enabled`::
`enabled`::
Enable/disable the realm. Defaults to `true`.
[[ref-users-settings]]
[float]
==== File Realm Settings
===== File Realm Settings
`cache.ttl`::
The time-to-live for cached user entries--user credentials are cached for
`cache.ttl`::
The time-to-live for cached user entries--user credentials are cached for
this configured period of time. Defaults to `20m`. Specify values using the
standard Elasticsearch {ref}/common-options.html#time-units[time units].
standard Elasticsearch {ref}/common-options.html#time-units[time units].
Defaults to `20m`.
`cache.max_users`::
The maximum number of user entries that can live in the cache at a given time.
`cache.max_users`::
The maximum number of user entries that can live in the cache at a given time.
Defaults to 100,000.
`cache.hash_algo`::
(Expert Setting) The hashing algorithm that is used for the in-memory cached
`cache.hash_algo`::
(Expert Setting) The hashing algorithm that is used for the in-memory cached
user credentials. See the {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for
all possible values. Defaults to `ssha256`.
[[ref-ldap-settings]]
[float]
==== LDAP Realm Settings
`url`::
===== LDAP Realm Settings
`url`::
An LDAP URL in the format `ldap[s]://<server>:<port>`. Required.
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
values see {xpack-ref}/ldap-realm.html#ldap-load-balancing[LDAP load balancing and failover types].
Defaults to `failover`.
`load_balance.cache_ttl`::
When using `dns_failover` or `dns_round_robin` as the load balancing type,
this setting controls the amount of time to cache DNS lookups. Defaults
`load_balance.cache_ttl`::
When using `dns_failover` or `dns_round_robin` as the load balancing type,
this setting controls the amount of time to cache DNS lookups. Defaults
to `1h`.
`bind_dn`::
The DN of the user that will be used to bind to the LDAP and perform searches.
If this is not specified, an anonymous bind will be attempted.
`bind_dn`::
The DN of the user that will be used to bind to the LDAP and perform searches.
If this is not specified, an anonymous bind will be attempted.
Defaults to Empty.
`bind_password`::
The password for the user that will be used to bind to the LDAP.
`bind_password`::
The password for the user that will be used to bind to the LDAP.
Defaults to Empty.
`user_dn_templates`::
The DN template that replaces the user name with the string `{0}`.
This element is multivalued; you can specify multiple user contexts.
`user_dn_templates`::
The DN template that replaces the user name with the string `{0}`.
This element is multivalued; you can specify multiple user contexts.
Required to operate in user template mode. Not valid
if `user_search.base_dn` is specified. For more information on
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
`user_group_attribute`::
Specifies the attribute to examine on the user for group membership.
The default is `memberOf`. This setting will be ignored if any
`user_group_attribute`::
Specifies the attribute to examine on the user for group membership.
The default is `memberOf`. This setting will be ignored if any
`group_search` settings are specified. Defaults to `memberOf`.
`user_search.base_dn`::
Specifies a container DN to search for users. Required
to operated in user search mode. Not valid if
`user_search.base_dn`::
Specifies a container DN to search for users. Required
to operated in user search mode. Not valid if
`user_dn_templates is specified. For more information on
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
`user_search.scope`::
The scope of the user search. Valid values are `sub_tree`, `one_level` or
`base`. `one_level` only searches objects directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is the user object, and that it is
`user_search.scope`::
The scope of the user search. Valid values are `sub_tree`, `one_level` or
`base`. `one_level` only searches objects directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is the user object, and that it is
the only user considered. Defaults to `sub_tree`.
`user_search.attribute`::
`user_search.attribute`::
The attribute to match with the username presented to. Defaults to `uid`.
`user_search.pool.enabled`::
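Review bot: Two inline literals in this hunk have unbalanced backticks and will render incorrectly: "`native, `ldap`" in the `type` entry and "`user_dn_templates is specified" in `user_search.base_dn`. The same `user_search.base_dn` entry says "Required to operated in user search mode" (should be "operate"), the file realm `cache.ttl` and the `user_group_attribute` entries each state their default twice, `user_search.attribute` ends mid-sentence ("the username presented to."), and `cache.max_users` is written "100,000" here but "`100000`" in the other realms. All of these sit on lines the hunk keeps as context or re-wraps, so they are cheap to fix in this change.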
@ -196,62 +197,62 @@ Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The
default is `true`.
`user_search.pool.size`::
The maximum number of connections to the LDAP server to allow in the
`user_search.pool.size`::
The maximum number of connections to the LDAP server to allow in the
connection pool. Defaults to `20`.
`user_search.pool.initial_size`::
`user_search.pool.initial_size`::
The initial number of connections to create to the LDAP server on startup.
Defaults to `5`.
`user_search.pool.health_check.enabled`::
Flag to enable or disable a health check on LDAP connections in the connection
`user_search.pool.health_check.enabled`::
Flag to enable or disable a health check on LDAP connections in the connection
pool. Connections are checked in the background at the specified interval.
Defaults to `true`.
`user_search.pool.health_check.dn`::
The distinguished name to be retrieved as part of the health check.
Defaults to the value of `bind_dn`. Required if `bind_dn` is not
`user_search.pool.health_check.dn`::
The distinguished name to be retrieved as part of the health check.
Defaults to the value of `bind_dn`. Required if `bind_dn` is not
specified.
`user_search.pool.health_check.interval`::
`user_search.pool.health_check.interval`::
The interval to perform background checks of connections in the pool.
Defaults to `60s`.
`group_search.base_dn`::
The container DN to search for groups in which the user has membership. When
this element is absent, Security searches for the attribute specified by
`group_search.base_dn`::
The container DN to search for groups in which the user has membership. When
this element is absent, Security searches for the attribute specified by
`user_group_attribute` set on the user in order to determine group membership.
`group_search.scope`::
Specifies whether the group search should be `sub_tree`, `one_level` or
`base`. `one_level` only searches objects directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is a group object, and that it is the
`group_search.scope`::
Specifies whether the group search should be `sub_tree`, `one_level` or
`base`. `one_level` only searches objects directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is a group object, and that it is the
only group considered. Defaults to `sub_tree`.
`group_search.filter`::
`group_search.filter`::
When not set, the realm searches for `group`, `groupOfNames`, `groupOfUniqueNames`,
or `posixGroup` with the attributes `member`, `memberOf`, or `memberUid`. Any
instance of `{0}` in the filter is replaced by the user attribute defined in
`group_search.user_attribute`.
`group_search.user_attribute`::
Specifies the user attribute that will be fetched and provided as a parameter to
`group_search.user_attribute`::
Specifies the user attribute that will be fetched and provided as a parameter to
the filter. If not set, the user DN is passed into the filter. Defaults to Empty.
`unmapped_groups_as_roles`::
Takes a boolean variable. When this element is set to `true`, the names of any
`unmapped_groups_as_roles`::
Takes a boolean variable. When this element is set to `true`, the names of any
LDAP groups that are not referenced in a role-mapping _file_ are used as role
names and assigned to the user. Defaults to `false`.
`files.role_mapping`::
The {xpack-ref}/security-files.html[location] for the {xpack-ref}/mapping-roles.html#mapping-roles[
YAML role mapping configuration file]. Defaults to
`files.role_mapping`::
The {xpack-ref}/security-files.html[location] for the {xpack-ref}/mapping-roles.html#mapping-roles[
YAML role mapping configuration file]. Defaults to
`CONFIG_DIR/x-pack/role_mapping.yml`.
`follow_referrals`::
Boolean value that specifies whether Securityshould follow referrals returned
by the LDAP server. Referrals are URLs returned by the server that are to be
`follow_referrals`::
Boolean value that specifies whether Securityshould follow referrals returned
by the LDAP server. Referrals are URLs returned by the server that are to be
used to continue the LDAP operation (e.g. search). Defaults to `true`.
`metadata`::
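Review bot: In `follow_referrals`, the line this hunk rewrites still reads "whether Securityshould follow referrals"; it needs a space, and `{security}` would match the attribute used elsewhere in the file. The bare "Security searches for the attribute" in `group_search.base_dn` has the same attribute inconsistency. Since the entry defaults to `true` and describes referrals as server-supplied URLs used to continue the operation, one sentence on when an operator should turn it off would be useful.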
@ -318,65 +319,65 @@ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
`cache.ttl`::
Specifies the time-to-live for cached user entries (a user and its credentials
are cached for this period of time). Use the standard Elasticsearch
`cache.ttl`::
Specifies the time-to-live for cached user entries (a user and its credentials
are cached for this period of time). Use the standard Elasticsearch
{ref}/common-options.html#time-units[time units]). Defaults to `20m`.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
Defaults to `100000`.
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that is used for the
in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms]
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that is used for the
in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms]
table for all possible values). Defaults to `ssha256`.
[[ref-ad-settings]]
[float]
==== Active Directory Realm Settings
===== Active Directory Realm Settings
`url`::
A URL in the format `ldap[s]://<server>:<port>`. Defaults to `ldap://<domain_name>:389`.
`url`::
A URL in the format `ldap[s]://<server>:<port>`. Defaults to `ldap://<domain_name>:389`.
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
values see {xpack-ref}/active-directory-realm.html#ad-load-balancing[load balancing and failover types].
Defaults to `failover`.
`load_balance.cache_ttl`::
When using `dns_failover` or `dns_round_robin` as the load balancing type,
`load_balance.cache_ttl`::
When using `dns_failover` or `dns_round_robin` as the load balancing type,
this setting controls the amount of time to cache DNS lookups. Defaults
to `1h`.
`domain_name`::
The domain name of Active Directory. The cluster can derive the URL and
`user_search_dn` fields from values in this element if those fields are not
`domain_name`::
The domain name of Active Directory. The cluster can derive the URL and
`user_search_dn` fields from values in this element if those fields are not
otherwise specified. Required.
`unmapped_groups_as_roles`::
`unmapped_groups_as_roles`::
Takes a boolean variable. When this element is set to `true`, the names of any
LDAP groups that are not referenced in a role-mapping _file_ are used as role
names and assigned to the user. Defaults to `false`.
`files.role_mapping`::
`files.role_mapping`::
The {xpack-ref}/security-files.html[location] for the YAML
role mapping configuration file. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
role mapping configuration file. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
`user_search.base_dn`::
The context to search for a user. Defaults to the root
of the Active Directory domain.
`user_search.base_dn`::
The context to search for a user. Defaults to the root
of the Active Directory domain.
`user_search.scope`::
Specifies whether the user search should be `sub_tree`, `one_level` or `base`.
`one_level` only searches users directly contained within the `base_dn`.
`sub_tree` searches all objects contained under `base_dn`. `base`
specifies that the `base_dn` is a user object, and that it is the
`user_search.scope`::
Specifies whether the user search should be `sub_tree`, `one_level` or `base`.
`one_level` only searches users directly contained within the `base_dn`.
`sub_tree` searches all objects contained under `base_dn`. `base`
specifies that the `base_dn` is a user object, and that it is the
only user considered. Defaults to `sub_tree`.
`user_search.filter`::
Specifies a filter to use to lookup a user given a username. The default
filter looks up `user` objects with either `sAMAccountName` or
`user_search.filter`::
Specifies a filter to use to lookup a user given a username. The default
filter looks up `user` objects with either `sAMAccountName` or
`userPrincipalName`.
`user_search.upn_filter`::
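Review bot: The `domain_name` entry refers to a `user_search_dn` field, but the setting documented a few entries below is `user_search.base_dn`; please align the name so readers can find it. In the LDAP `cache.ttl` entry at the top of the hunk, "[time units])" has a closing parenthesis with no opener, because the parenthetical already ended after "period of time)".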
@ -396,15 +397,15 @@ Specifies a filter to use to lookup a user given a down level logon name
must be a valid LDAP user search filter, for example
`(&(objectClass=user)(sAMAccountName={0}))`.
`group_search.base_dn`::
The context to search for groups in which the user has membership. Defaults
`group_search.base_dn`::
The context to search for groups in which the user has membership. Defaults
to the root of the Active Directory domain.
`group_search.scope`::
Specifies whether the group search should be `sub_tree`, `one_level` or
`base`. `one_level` searches for groups directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is a group object, and that it is
`group_search.scope`::
Specifies whether the group search should be `sub_tree`, `one_level` or
`base`. `one_level` searches for groups directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is a group object, and that it is
the only group considered. Defaults to `sub_tree`.
`metadata`::
@ -412,17 +413,17 @@ A list of additional LDAP attributes that should be loaded from the
LDAP server and stored in the authenticated user's metadata field.
`timeout.tcp_connect`::
The TCP connect timeout period for establishing an LDAP connection.
The TCP connect timeout period for establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`timeout.tcp_read`::
The TCP read timeout period after establishing an LDAP connection.
`timeout.tcp_read`::
The TCP read timeout period after establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`timeout.ldap_search`::
The LDAP Server enforced timeout period for an LDAP search.
`timeout.ldap_search`::
The LDAP Server enforced timeout period for an LDAP search.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
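Review bot: the three timeout descriptions end in "Defaults to `5s` (5 seconds )." with a stray space before the closing parenthesis; those lines are unchanged context, but the lines next to them are already being touched, so fix all three here. "The LDAP Server enforced timeout period" in `timeout.ldap_search` would also read better as "server-enforced timeout period".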
@ -469,27 +470,27 @@ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
`cache.ttl`::
`cache.ttl`::
Specifies the time-to-live for cached user entries (user
credentials are cached for this configured period of time). Use the
credentials are cached for this configured period of time). Use the
standard Elasticsearch {ref}/common-options.html#time-units[time units]).
Defaults to `20m`.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
Defaults to `100000`.
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that will be used for
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that will be used for
the in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for all possible values). Defaults to `ssha256`.
[[ref-pki-settings]]
[float]
==== PKI Realm Settings
===== PKI Realm Settings
`username_pattern`::
The regular expression pattern used to extract the username from the
certificate DN. The first match group is the used as the username.
`username_pattern`::
The regular expression pattern used to extract the username from the
certificate DN. The first match group is the used as the username.
Defaults to `CN=(.*?)(?:,\|$)`
`certificate_authorities`::
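Review bot: in the `username_pattern` description, "The first match group is the used as the username" has a stray "the"; the line is rewritten in this hunk, so correct it to "is used as the username". In `cache.ttl`, the text "{ref}/common-options.html#time-units[time units])." closes a parenthesis that was never opened. Because `cache.ttl` keeps user credentials cached for `20m` by default, this entry would also benefit from one sentence on what that means for a password change or a disabled account in the directory.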
@ -497,25 +498,25 @@ List of PEM certificate files that should be used to authenticate a
user's certificate as trusted. Defaults to the trusted certificates configured for SSL.
This setting may not be used with `truststore.path`.
`truststore.path`::
`truststore.path`::
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
This setting may not be used with `certificate_authorities`.
`truststore.password`::
`truststore.password`::
The password for the truststore. Must be provided if `truststore.path` is set.
`truststore.algorithm`::
`truststore.algorithm`::
Algorithm for the trustsore. Defaults to `SunX509`.
`files.role_mapping`::
Specifies the {xpack-ref}/security-files.html[location] of the
`files.role_mapping`::
Specifies the {xpack-ref}/security-files.html[location] of the
{xpack-ref}/mapping-roles.html[YAML role mapping configuration file].
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
[float]
[[ssl-tls-settings]]
=== Default TLS/SSL Settings
You can configure the following TLS/SSL settings in
==== Default TLS/SSL Settings
You can configure the following TLS/SSL settings in
`elasticsearch.yml`. For more information, see
{xpack-ref}/encrypting-communications.html[Encrypting Communications]. These settings will be used
for all of {xpack} unless they have been overridden by more specific
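Review bot: "Algorithm for the trustsore" in `truststore.algorithm` is misspelled, and the line is already being rewritten in this hunk, so change it to "truststore". `certificate_authorities` and `truststore.path` each say they "may not be used with" the other; the entries do not say what happens if both are set, which is worth stating since a misconfigured trust source on a PKI realm is easy to miss.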
@ -545,7 +546,7 @@ Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_A
[float]
[[tls-ssl-key-settings]]
==== Default TLS/SSL Key and Trusted Certificate Settings
===== Default TLS/SSL Key and Trusted Certificate Settings
The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
@ -615,7 +616,7 @@ include::ssl-settings.asciidoc[]
[[ssl-tls-profile-settings]]
[float]
==== Transport Profile TLS/SSL Settings
===== Transport Profile TLS/SSL Settings
The same settings that are available for the <<transport-tls-ssl-settings, default transport>>
are also available for each transport profile. By default, the settings for a
transport profile will be the same as the default transport unless they
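Review bot: the block attributes above "Transport Profile TLS/SSL Settings" are ordered `[[ssl-tls-profile-settings]]` then `[float]`, while `[[ssl-tls-settings]]`, `[[tls-ssl-key-settings]]` and `[[ip-filtering-settings]]` in this same file put `[float]` first. Since the heading line is being changed here anyway, pick one order and apply it to this block (and to `[[ref-pki-settings]]`, which has the same reversed order).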
@ -629,7 +630,7 @@ setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.enabled`.
[float]
[[ip-filtering-settings]]
=== IP Filtering Settings
==== IP Filtering Settings
You can configure the following settings for {xpack-ref}/ip-filtering.html[IP filtering].
`xpack.security.transport.filter.allow`::

View File

@ -1,5 +1,5 @@
[float]
=== {component} TLS/SSL Settings
==== {component} TLS/SSL Settings
You can configure the following TLS/SSL settings. If the settings are not configured,
the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings]
are used.
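Review bot: the heading depth in this shared file is hard-coded (`==== {component} TLS/SSL Settings`), and the file is pulled in with `include::ssl-settings.asciidoc[]`, so the new level is only right if every including page sits at the same depth. Confirm that each page that includes this file was demoted by one level in this commit, and consider a comment at the top of the file stating the parent level it expects.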
@ -39,8 +39,8 @@ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
[float]
==== {component} TLS/SSL Key and Trusted Certificate Settings
===== {component} TLS/SSL Key and Trusted Certificate Settings
The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
@ -54,7 +54,7 @@ authentication.
endif::server[]
If none of the settings below are specified, the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings] are used.
[float]
===== PEM Encoded Files
When using PEM encoded files, use the following settings:
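Review bot: "PEM Encoded Files" stays at `=====` while its parent, "{component} TLS/SSL Key and Trusted Certificate Settings", was demoted from `====` to `=====` earlier in this file, so the subsection now renders at the same level as the section it belongs to. The same applies to "Java Keystore Files" in the next hunk. Either demote both subheadings by one level as well or say in the commit message that the flat rendering is intended.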
@ -73,7 +73,6 @@ that will be presented when requested.
+{ssl-prefix}.ssl.certificate_authorities+::
List of paths to the PEM encoded certificate files that should be trusted.
[float]
===== Java Keystore Files
When using Java keystore files (JKS), which contain the private key, certificate