diff --git a/docs/reference/index.asciidoc b/docs/reference/index.asciidoc index 563993f2133..f3676244b3a 100644 --- a/docs/reference/index.asciidoc +++ b/docs/reference/index.asciidoc @@ -54,7 +54,7 @@ include::data-rollup-transform.asciidoc[] include::high-availability.asciidoc[] -include::security/index.asciidoc[] +include::{xes-repo-dir}/security/index.asciidoc[] include::{xes-repo-dir}/watcher/index.asciidoc[] diff --git a/docs/reference/security/index.asciidoc b/docs/reference/security/index.asciidoc deleted file mode 100644 index ed11b5916cb..00000000000 --- a/docs/reference/security/index.asciidoc +++ /dev/null @@ -1,18 +0,0 @@ -[[secure-cluster]] -= Secure a cluster - -[partintro] --- -The {stack-security-features} enable you to easily secure a cluster. You can -password-protect your data as well as implement more advanced security -measures such as encrypting communications, role-based access control, -IP filtering, and auditing. - -* <> -* <> - --- - -include::overview.asciidoc[] - -include::{xes-repo-dir}/security/configuring-es.asciidoc[] diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 19947e40b55..dfa0c72b5e2 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -18,7 +18,7 @@ The following is a list of the events that can be generated: realm type. | `access_denied` | | | Logged when an authenticated user attempts to execute an action they do not have the necessary - <> to perform. + <> to perform. | `access_granted` | | | Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system 
@@ -28,7 +28,7 @@ The following is a list of the events that can be generated: another user that they have the necessary privileges to do. | `run_as_denied` | | | Logged when an authenticated user attempts to <> another user action they do not have the necessary - <> to do so. + <> to do so. | `tampered_request` | | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been diff --git a/x-pack/docs/en/security/authentication/index.asciidoc b/x-pack/docs/en/security/authentication/index.asciidoc index 298376e291a..8e0fdb8f4a9 100644 --- a/x-pack/docs/en/security/authentication/index.asciidoc +++ b/x-pack/docs/en/security/authentication/index.asciidoc @@ -11,13 +11,8 @@ include::native-realm.asciidoc[] include::pki-realm.asciidoc[] include::saml-realm.asciidoc[] include::kerberos-realm.asciidoc[] - -include::{xes-repo-dir}/security/authentication/custom-realm.asciidoc[] - -include::{xes-repo-dir}/security/authentication/anonymous-access.asciidoc[] - -include::{xes-repo-dir}/security/authentication/user-cache.asciidoc[] - -include::{xes-repo-dir}/security/authentication/saml-guide.asciidoc[] - -include::{xes-repo-dir}/security/authentication/oidc-guide.asciidoc[] \ No newline at end of file +include::custom-realm.asciidoc[] +include::anonymous-access.asciidoc[] +include::user-cache.asciidoc[] +include::saml-guide.asciidoc[] +include::oidc-guide.asciidoc[] \ No newline at end of file diff --git a/x-pack/docs/en/security/authentication/oidc-guide.asciidoc b/x-pack/docs/en/security/authentication/oidc-guide.asciidoc index 032194c365a..ee318a8c3a1 100644 --- a/x-pack/docs/en/security/authentication/oidc-guide.asciidoc +++ b/x-pack/docs/en/security/authentication/oidc-guide.asciidoc 
@@ -552,7 +552,7 @@ OP or a third party (see <>). In order to do so, you must exp OpenID Connect authentication endpoint within {kib}, so that the {kib} server will not reject these external messages. - +[[oidc-without-kibana]] === OpenID Connect without {kib} The OpenID Connect realm is designed to allow users to authenticate to {kib} and as diff --git a/x-pack/docs/en/security/authentication/saml-guide.asciidoc b/x-pack/docs/en/security/authentication/saml-guide.asciidoc index 48a6b6dbdd7..ab853c9685a 100644 --- a/x-pack/docs/en/security/authentication/saml-guide.asciidoc +++ b/x-pack/docs/en/security/authentication/saml-guide.asciidoc @@ -834,6 +834,7 @@ It is possible to have one or more {kib} instances that use SAML, while other instances use basic authentication against another realm type (e.g. <> or <>). +[[saml-troubleshooting]] === Troubleshooting SAML Realm Configuration The SAML 2.0 specification offers a lot of options and flexibility for the implementers diff --git a/x-pack/docs/en/security/authorization/index.asciidoc b/x-pack/docs/en/security/authorization/index.asciidoc index 7f63565ca01..7b5f4a214c0 100644 --- a/x-pack/docs/en/security/authorization/index.asciidoc +++ b/x-pack/docs/en/security/authorization/index.asciidoc @@ -3,7 +3,7 @@ include::overview.asciidoc[] include::built-in-roles.asciidoc[] -include::{xes-repo-dir}/security/authorization/managing-roles.asciidoc[] +include::managing-roles.asciidoc[] include::privileges.asciidoc[] 
@@ -11,14 +11,14 @@ include::document-level-security.asciidoc[] include::field-level-security.asciidoc[] -include::{xes-repo-dir}/security/authorization/alias-privileges.asciidoc[] +include::alias-privileges.asciidoc[] -include::{xes-repo-dir}/security/authorization/mapping-roles.asciidoc[] +include::mapping-roles.asciidoc[] -include::{xes-repo-dir}/security/authorization/field-and-document-access-control.asciidoc[] +include::field-and-document-access-control.asciidoc[] -include::{xes-repo-dir}/security/authorization/run-as-privilege.asciidoc[] +include::run-as-privilege.asciidoc[] include::configuring-authorization-delegation.asciidoc[] -include::{xes-repo-dir}/security/authorization/custom-authorization.asciidoc[] +include::custom-authorization.asciidoc[] diff --git a/x-pack/docs/en/security/ccs-clients-integrations.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc similarity index 80% rename from x-pack/docs/en/security/ccs-clients-integrations.asciidoc rename to x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc index e5a477e3c15..f5c15b72f1d 100644 --- a/x-pack/docs/en/security/ccs-clients-integrations.asciidoc +++ b/x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc @@ -32,14 +32,14 @@ be secured as well, or at least communicate with the cluster in a secured way: * {kibana-ref}/secure-reporting.html[Reporting] * {winlogbeat-ref}/securing-beats.html[Winlogbeat] -include::ccs-clients-integrations/cross-cluster.asciidoc[] +include::cross-cluster.asciidoc[] -include::ccs-clients-integrations/java.asciidoc[] +include::java.asciidoc[] -include::ccs-clients-integrations/http.asciidoc[] +include::http.asciidoc[] -include::ccs-clients-integrations/hadoop.asciidoc[] +include::hadoop.asciidoc[] -include::ccs-clients-integrations/beats.asciidoc[] +include::beats.asciidoc[] -include::ccs-clients-integrations/monitoring.asciidoc[] +include::monitoring.asciidoc[] 
diff --git a/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc index 37c7e38f651..45d6296948d 100644 --- a/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc +++ b/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc @@ -1,7 +1,7 @@ [[secure-monitoring]] === Monitoring and security -The <> consist of two components: +The {stack} {monitor-features} consist of two components: an agent that you install on on each {es} and Logstash node, and a Monitoring UI in {kib}. The monitoring agent collects and indexes metrics from the nodes and you visualize the data through the Monitoring dashboards in {kib}. The agent diff --git a/x-pack/docs/en/security/configuring-es.asciidoc b/x-pack/docs/en/security/configuring-es.asciidoc index ea42b971a76..7beb72e4752 100644 --- a/x-pack/docs/en/security/configuring-es.asciidoc +++ b/x-pack/docs/en/security/configuring-es.asciidoc 
@@ -139,13 +139,13 @@ Events are logged to a dedicated `_audit.json` file in To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see {stack-ov}/security-getting-started.html[Getting started with security]. -include::{es-repo-dir}/security/securing-communications/securing-elasticsearch.asciidoc[] +include::securing-communications/securing-elasticsearch.asciidoc[] -include::{es-repo-dir}/security/securing-communications/configuring-tls-docker.asciidoc[] +include::securing-communications/configuring-tls-docker.asciidoc[] -include::{es-repo-dir}/security/securing-communications/enabling-cipher-suites.asciidoc[] +include::securing-communications/enabling-cipher-suites.asciidoc[] -include::{es-repo-dir}/security/securing-communications/separating-node-client-traffic.asciidoc[] +include::securing-communications/separating-node-client-traffic.asciidoc[] include::authentication/configuring-active-directory-realm.asciidoc[] include::authentication/configuring-file-realm.asciidoc[] @@ -156,6 +156,6 @@ include::authentication/configuring-saml-realm.asciidoc[] include::authentication/configuring-kerberos-realm.asciidoc[] -include::{es-repo-dir}/security/reference/files.asciidoc[] +include::reference/files.asciidoc[] include::fips-140-compliance.asciidoc[] diff --git a/x-pack/docs/en/security/get-started-security.asciidoc b/x-pack/docs/en/security/get-started-security.asciidoc index 2d9c63f437d..a918103a479 100644 --- a/x-pack/docs/en/security/get-started-security.asciidoc +++ b/x-pack/docs/en/security/get-started-security.asciidoc 
@@ -19,7 +19,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and authentication {security-features}. When you install these products, they apply basic licenses with no expiration dates. All of the subsequent steps in this tutorial assume that you are using a basic license. For more information, see -{subscriptions} and <>. +{subscriptions} and {stack-ov}/license-management.html[License-management]. -- diff --git a/x-pack/docs/en/security/index.asciidoc b/x-pack/docs/en/security/index.asciidoc index d40d3340ba3..770eeec3e1c 100644 --- a/x-pack/docs/en/security/index.asciidoc +++ b/x-pack/docs/en/security/index.asciidoc 
@@ -1,113 +1,42 @@ -[role="xpack"] -[[elasticsearch-security]] -= Securing the {stack} +[[secure-cluster]] += Secure a cluster [partintro] -- The {stack-security-features} enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, -IP filtering, and auditing. This guide describes how to configure the security -features you need, and interact with your secured cluster. - -Security protects Elasticsearch clusters by: - -* <> - with password protection, role-based access control, and IP filtering. -* <> - with message authentication and SSL/TLS encryption. -* <> - so you know who's doing what to your cluster and the data it stores. - -[float] -[[preventing-unauthorized-access]] -=== Preventing unauthorized access - -To prevent unauthorized access to your Elasticsearch cluster, you must have a -way to _authenticate_ users. This simply means that you need a way to validate -that a user is who they claim to be. For example, you have to make sure only -the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The -{es-security-features} provide a standalone authentication mechanism that enables -you to quickly password-protect your cluster. If you're already using -<>, <>, or -<> to manage users in your organization, the {security-features} -are able to integrate with those systems to perform user authentication. - -In many cases, simply authenticating users isn't enough. You also need a way to -control what data users have access to and what tasks they can perform. The -{es-security-features} enable you to _authorize_ users by assigning access -_privileges_ to _roles_ and assigning those roles to users. For example, this -<> mechanism (a.k.a RBAC) enables -you to specify that the user `kandorra` can only perform read operations on the -`events` index and can't do anything at all with other indices. 
- -The {security-features} also support <>. -You can whitelist and blacklist specific IP addresses or subnets to control -network-level access to a server. - -[float] -[[preserving-data-integrity]] -=== Preserving data integrity - -A critical part of security is keeping confidential data confidential. -Elasticsearch has built-in protections against accidental data loss and -corruption. However, there's nothing to stop deliberate tampering or data -interception. The {stack-security-features} preserve the integrity of your -data by <> to and from nodes. For even -greater protection, you can increase the <> and -<>. - - -[float] -[[maintaining-audit-trail]] -=== Maintaining an audit trail - -Keeping a system secure takes vigilance. By using {stack-security-features} to -maintain an audit trail, you can easily see who is accessing your cluster and -what they're doing. By analyzing access patterns and failed attempts to access -your cluster, you can gain insights into attempted attacks and data breaches. -Keeping an auditable log of the activity in your cluster can also help diagnose -operational issues. - -[float] -=== Where to Go Next - -* <> - steps through how to install and start using Security for basic authentication. - -* <> - provides more information about how Security supports user authentication, - authorization, and encryption. +IP filtering, and auditing. +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> * <> - shows you how to interact with an Elasticsearch cluster protected by the - {stack-security-features}. +* <> +* <> +* <> +* <> -[float] -=== Have Comments, Questions, or Feedback? - -Head over to our {security-forum}[Security Discussion Forum] -to share your experience, questions, and suggestions. 
-- +include::overview.asciidoc[] +include::configuring-es.asciidoc[] include::how-security-works.asciidoc[] - include::authentication/index.asciidoc[] - include::authorization/index.asciidoc[] - -include::{xes-repo-dir}/security/auditing/index.asciidoc[] - -include::{xes-repo-dir}/security/securing-communications.asciidoc[] - -include::{xes-repo-dir}/security/using-ip-filtering.asciidoc[] - -include::{xes-repo-dir}/security/ccs-clients-integrations.asciidoc[] - +include::auditing/index.asciidoc[] +include::securing-communications/index.asciidoc[] +include::using-ip-filtering.asciidoc[] +include::ccs-clients-integrations/index.asciidoc[] include::get-started-security.asciidoc[] - include::securing-communications/tutorial-tls-intro.asciidoc[] - include::troubleshooting.asciidoc[] - include::limitations.asciidoc[] + diff --git a/docs/reference/security/overview.asciidoc b/x-pack/docs/en/security/overview.asciidoc similarity index 100% rename from docs/reference/security/overview.asciidoc rename to x-pack/docs/en/security/overview.asciidoc diff --git a/docs/reference/security/reference/files.asciidoc b/x-pack/docs/en/security/reference/files.asciidoc similarity index 100% rename from docs/reference/security/reference/files.asciidoc rename to x-pack/docs/en/security/reference/files.asciidoc diff --git a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc b/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/configuring-tls-docker.asciidoc rename to x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc 
diff --git a/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc b/x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc similarity index 96% rename from docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc rename to x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc index 51d5e5f6de6..4e51f5e43ff 100644 --- a/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc +++ b/x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[ciphers]] -=== Enabling Cipher Suites for Stronger Encryption +=== Enabling cipher suites for stronger encryption The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to increase the strength of diff --git a/x-pack/docs/en/security/securing-communications.asciidoc b/x-pack/docs/en/security/securing-communications/index.asciidoc similarity index 67% rename from x-pack/docs/en/security/securing-communications.asciidoc rename to x-pack/docs/en/security/securing-communications/index.asciidoc index 2ccea2c5365..e4e9d1b4788 100644 --- a/x-pack/docs/en/security/securing-communications.asciidoc +++ b/x-pack/docs/en/security/securing-communications/index.asciidoc @@ -17,14 +17,4 @@ This section shows how to: The authentication of new nodes helps prevent a rogue node from joining the cluster and receiving data through replication. -include::{es-repo-dir}/security/securing-communications/setting-up-ssl.asciidoc[] - -[[ciphers]] -=== Enabling cipher suites for stronger encryption - -See {ref}/ciphers.html[Enabling Cipher Suites for Stronger Encryption]. - -[[separating-node-client-traffic]] -=== Separating node-to-node and client traffic - -See {ref}/separating-node-client-traffic.html[Separating node-to-node and client traffic]. +include::setting-up-ssl.asciidoc[] 
diff --git a/docs/reference/security/securing-communications/node-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/node-certificates.asciidoc rename to x-pack/docs/en/security/securing-communications/node-certificates.asciidoc diff --git a/docs/reference/security/securing-communications/securing-elasticsearch.asciidoc b/x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/securing-elasticsearch.asciidoc rename to x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc diff --git a/docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc b/x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc rename to x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc diff --git a/docs/reference/security/securing-communications/setting-up-ssl.asciidoc b/x-pack/docs/en/security/securing-communications/setting-up-ssl.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/setting-up-ssl.asciidoc rename to x-pack/docs/en/security/securing-communications/setting-up-ssl.asciidoc diff --git a/docs/reference/security/securing-communications/tls-ad.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ad.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-ad.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-ad.asciidoc 
diff --git a/docs/reference/security/securing-communications/tls-http.asciidoc b/x-pack/docs/en/security/securing-communications/tls-http.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-http.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-http.asciidoc diff --git a/docs/reference/security/securing-communications/tls-ldap.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-ldap.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc diff --git a/docs/reference/security/securing-communications/tls-transport.asciidoc b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-transport.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-transport.asciidoc diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc index d32edb7eea9..020d2e8dbc6 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc @@ -152,7 +152,7 @@ command from the {es} directory: NOTE: If you already configured passwords for these users in other tutorials, you can skip this step. -include::{stack-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users] +include::{xes-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users] After you setup the password for the `kibana` built-in user, <>. 
@@ -160,7 +160,7 @@ After you setup the password for the `kibana` built-in user, For example, run the following commands to create the {kib} keystore and add the `kibana` built-in user and its password in secure settings: -include::{stack-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user] +include::{xes-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user] -- . Start {kib}. diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc index 31bed2f3a0e..2809c7fcd5e 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc @@ -40,7 +40,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and When you install these products, they apply basic licenses with no expiration dates. All of the subsequent steps in this tutorial assume that you are using a basic license. For more information, see {subscriptions} and -<>. +{stack-ov}/license-management.html[License-management]. include::tutorial-tls-certificates.asciidoc[] include::tutorial-tls-internode.asciidoc[] diff --git a/x-pack/docs/en/security/troubleshooting.asciidoc b/x-pack/docs/en/security/troubleshooting.asciidoc index e1cd06f37dd..31412708399 100644 --- a/x-pack/docs/en/security/troubleshooting.asciidoc +++ b/x-pack/docs/en/security/troubleshooting.asciidoc 
@@ -22,7 +22,11 @@ answers for frequently asked questions. * <> -include::{stack-repo-dir}/help.asciidoc[tag=get-help] +For issues that you cannot fix yourself … we’re here to help. +If you are an existing Elastic customer with a support contract, please create +a ticket in the +https://support.elastic.co/customers/s/login/[Elastic Support portal]. +Or post in the https://discuss.elastic.co/[Elastic forum]. [[security-trb-settings]] === Some settings are not returned via the nodes settings API
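Review bot: In x-pack/docs/en/security/authentication/index.asciidoc the rewritten include list still ends with "\ No newline at end of file" after `include::oidc-guide.asciidoc[]`, and the blank lines that used to separate the includes are removed. An include directive splices the file content in place, so if custom-realm.asciidoc or any of the others does not end with a blank line, its last paragraph runs straight into the anchor or heading of the next file. Please keep one blank line between the `include::` lines and add a trailing newline to the file.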
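Review bot: The context line in the x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc hunk reads "an agent that you install on on each {es} and Logstash node", with a doubled "on". Since the sentence directly above it is being edited here, fix the typo in the same change. The same line also spells out "Logstash" where the rest of these docs use the `{ls}` attribute.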
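Review bot: The replacement link in x-pack/docs/en/security/get-started-security.asciidoc, `{stack-ov}/license-management.html[License-management]`, uses a hyphenated link text that reads like a file name rather than a title; "License management" would render better. The identical text is added in the tutorial-tls-intro.asciidoc hunk and should be changed there as well. Both also swap an in-book cross-reference for an absolute link into another book, so the build no longer checks that the target exists.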
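Review bot: The x-pack/docs/en/security/index.asciidoc hunk drops the `[[elasticsearch-security]]`, `[[preventing-unauthorized-access]]`, `[[preserving-data-integrity]]` and `[[maintaining-audit-trail]]` anchors together with `[role="xpack"]`, and nothing visible in this diff re-adds those IDs elsewhere. Any remaining cross-reference or external link to them will break, so please search both doc trees for these IDs and either keep the anchors on the new page or add redirects. The prose that explained authentication, authorization and auditing is also deleted outright; confirm that overview.asciidoc or how-security-works.asciidoc still covers it.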
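Review bot: In x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc both tagged includes now point at `{xes-repo-dir}/security/get-started-builtin-users.asciidoc` and `{xes-repo-dir}/security/get-started-kibana-users.asciidoc`, but the visible diff neither adds nor renames those files into x-pack/docs/en/security. Please confirm they exist at the new path and define the `create-users` and `store-kibana-user` tags; a missing file or tag leaves the password setup and keystore steps of the tutorial empty.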
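Review bot: The x-pack/docs/en/security/troubleshooting.asciidoc hunk replaces the shared `help.asciidoc[tag=get-help]` include with a pasted copy, so the support portal and forum URLs are now hard-coded here and will drift from the shared text. The pasted lines also contain a literal "…" and a typographic apostrophe in "we’re", which are easy to mangle in non-UTF-8 tooling, and "Or post in the ..." is a sentence fragment. If the include cannot be kept, use plain ASCII punctuation and fold the last line into the preceding sentence.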