[DOCS] Adds security content in the Elasticsearch Reference (#47596)

Lisa Cawley 2019-10-04 13:11:05 -07:00 committed by GitHub
parent 45f12d18fb
commit f35fcf7204
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 63 additions and 162 deletions


@ -54,7 +54,7 @@ include::data-rollup-transform.asciidoc[]
include::high-availability.asciidoc[] include::high-availability.asciidoc[]
include::security/index.asciidoc[] include::{xes-repo-dir}/security/index.asciidoc[]
include::{xes-repo-dir}/watcher/index.asciidoc[] include::{xes-repo-dir}/watcher/index.asciidoc[]


@ -1,18 +0,0 @@
[[secure-cluster]]
= Secure a cluster
[partintro]
--
The {stack-security-features} enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security
measures such as encrypting communications, role-based access control,
IP filtering, and auditing.
* <<elasticsearch-security>>
* <<configuring-security>>
--
include::overview.asciidoc[]
include::{xes-repo-dir}/security/configuring-es.asciidoc[]


@ -18,7 +18,7 @@ The following is a list of the events that can be generated:
realm type. realm type.
| `access_denied` | | | Logged when an authenticated user attempts to execute | `access_denied` | | | Logged when an authenticated user attempts to execute
an action they do not have the necessary an action they do not have the necessary
<<security-reference, privilege>> to perform. <<security-privileges,privilege>> to perform.
| `access_granted` | | | Logged when an authenticated user attempts to execute | `access_granted` | | | Logged when an authenticated user attempts to execute
an action they have the necessary privilege to perform. an action they have the necessary privilege to perform.
When the `system_access_granted` event is included, all system When the `system_access_granted` event is included, all system
@ -28,7 +28,7 @@ The following is a list of the events that can be generated:
another user that they have the necessary privileges to do. another user that they have the necessary privileges to do.
| `run_as_denied` | | | Logged when an authenticated user attempts to <<run-as-privilege, run as>> | `run_as_denied` | | | Logged when an authenticated user attempts to <<run-as-privilege, run as>>
another user action they do not have the necessary another user action they do not have the necessary
<<security-reference, privilege>> to do so. <<security-privileges,privilege>> to do so.
| `tampered_request` | | | Logged when the {security-features} detect that the request has | `tampered_request` | | | Logged when the {security-features} detect that the request has
been tampered with. Typically relates to `search/scroll` been tampered with. Typically relates to `search/scroll`
requests when the scroll ID is believed to have been requests when the scroll ID is believed to have been
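Review bot: the new xref `<<security-privileges,privilege>>` drops the space after the comma while the neighbouring `<<run-as-privilege, run as>>` on the same row keeps it; both render, but use one spacing style within this table. Also confirm that `security-privileges` is defined as an anchor in the moved privileges page, since this hunk replaces the previous `security-reference` target and that page does not appear in the diff.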


@ -11,13 +11,8 @@ include::native-realm.asciidoc[]
include::pki-realm.asciidoc[] include::pki-realm.asciidoc[]
include::saml-realm.asciidoc[] include::saml-realm.asciidoc[]
include::kerberos-realm.asciidoc[] include::kerberos-realm.asciidoc[]
include::custom-realm.asciidoc[]
include::{xes-repo-dir}/security/authentication/custom-realm.asciidoc[] include::anonymous-access.asciidoc[]
include::user-cache.asciidoc[]
include::{xes-repo-dir}/security/authentication/anonymous-access.asciidoc[] include::saml-guide.asciidoc[]
include::oidc-guide.asciidoc[]
include::{xes-repo-dir}/security/authentication/user-cache.asciidoc[]
include::{xes-repo-dir}/security/authentication/saml-guide.asciidoc[]
include::{xes-repo-dir}/security/authentication/oidc-guide.asciidoc[]


@ -552,7 +552,7 @@ OP or a third party (see <<third-party-login>>). In order to do so, you must exp
OpenID Connect authentication endpoint within {kib}, so that the {kib} server will OpenID Connect authentication endpoint within {kib}, so that the {kib} server will
not reject these external messages. not reject these external messages.
[[oidc-without-kibana]]
=== OpenID Connect without {kib} === OpenID Connect without {kib}
The OpenID Connect realm is designed to allow users to authenticate to {kib} and as The OpenID Connect realm is designed to allow users to authenticate to {kib} and as


@ -834,6 +834,7 @@ It is possible to have one or more {kib} instances that use SAML, while other
instances use basic authentication against another realm type (e.g. instances use basic authentication against another realm type (e.g.
<<native-realm, Native>> or <<ldap-realm, LDAP>>). <<native-realm, Native>> or <<ldap-realm, LDAP>>).
[[saml-troubleshooting]]
=== Troubleshooting SAML Realm Configuration === Troubleshooting SAML Realm Configuration
The SAML 2.0 specification offers a lot of options and flexibility for the implementers The SAML 2.0 specification offers a lot of options and flexibility for the implementers


@ -3,7 +3,7 @@ include::overview.asciidoc[]
include::built-in-roles.asciidoc[] include::built-in-roles.asciidoc[]
include::{xes-repo-dir}/security/authorization/managing-roles.asciidoc[] include::managing-roles.asciidoc[]
include::privileges.asciidoc[] include::privileges.asciidoc[]
@ -11,14 +11,14 @@ include::document-level-security.asciidoc[]
include::field-level-security.asciidoc[] include::field-level-security.asciidoc[]
include::{xes-repo-dir}/security/authorization/alias-privileges.asciidoc[] include::alias-privileges.asciidoc[]
include::{xes-repo-dir}/security/authorization/mapping-roles.asciidoc[] include::mapping-roles.asciidoc[]
include::{xes-repo-dir}/security/authorization/field-and-document-access-control.asciidoc[] include::field-and-document-access-control.asciidoc[]
include::{xes-repo-dir}/security/authorization/run-as-privilege.asciidoc[] include::run-as-privilege.asciidoc[]
include::configuring-authorization-delegation.asciidoc[] include::configuring-authorization-delegation.asciidoc[]
include::{xes-repo-dir}/security/authorization/custom-authorization.asciidoc[] include::custom-authorization.asciidoc[]


@ -32,14 +32,14 @@ be secured as well, or at least communicate with the cluster in a secured way:
* {kibana-ref}/secure-reporting.html[Reporting] * {kibana-ref}/secure-reporting.html[Reporting]
* {winlogbeat-ref}/securing-beats.html[Winlogbeat] * {winlogbeat-ref}/securing-beats.html[Winlogbeat]
include::ccs-clients-integrations/cross-cluster.asciidoc[] include::cross-cluster.asciidoc[]
include::ccs-clients-integrations/java.asciidoc[] include::java.asciidoc[]
include::ccs-clients-integrations/http.asciidoc[] include::http.asciidoc[]
include::ccs-clients-integrations/hadoop.asciidoc[] include::hadoop.asciidoc[]
include::ccs-clients-integrations/beats.asciidoc[] include::beats.asciidoc[]
include::ccs-clients-integrations/monitoring.asciidoc[] include::monitoring.asciidoc[]


@ -1,7 +1,7 @@
[[secure-monitoring]] [[secure-monitoring]]
=== Monitoring and security === Monitoring and security
The <<xpack-monitoring,{stack} {monitor-features}>> consist of two components: The {stack} {monitor-features} consist of two components:
an agent that you install on on each {es} and Logstash node, and a Monitoring UI an agent that you install on on each {es} and Logstash node, and a Monitoring UI
in {kib}. The monitoring agent collects and indexes metrics from the nodes in {kib}. The monitoring agent collects and indexes metrics from the nodes
and you visualize the data through the Monitoring dashboards in {kib}. The agent and you visualize the data through the Monitoring dashboards in {kib}. The agent
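Review bot: the `<<xpack-monitoring,...>>` cross-reference is dropped rather than redirected, so the reader loses the link to the monitoring docs; the deleted ciphers stub elsewhere in this diff uses the `{ref}/ciphers.html[...]` attribute-link form for a cross-book link, and the same form would fit here. The unchanged context line still reads "install on on each" (doubled "on"); worth fixing while this paragraph is being touched.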


@ -139,13 +139,13 @@ Events are logged to a dedicated `<clustername>_audit.json` file in
To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see
{stack-ov}/security-getting-started.html[Getting started with security]. {stack-ov}/security-getting-started.html[Getting started with security].
include::{es-repo-dir}/security/securing-communications/securing-elasticsearch.asciidoc[] include::securing-communications/securing-elasticsearch.asciidoc[]
include::{es-repo-dir}/security/securing-communications/configuring-tls-docker.asciidoc[] include::securing-communications/configuring-tls-docker.asciidoc[]
include::{es-repo-dir}/security/securing-communications/enabling-cipher-suites.asciidoc[] include::securing-communications/enabling-cipher-suites.asciidoc[]
include::{es-repo-dir}/security/securing-communications/separating-node-client-traffic.asciidoc[] include::securing-communications/separating-node-client-traffic.asciidoc[]
include::authentication/configuring-active-directory-realm.asciidoc[] include::authentication/configuring-active-directory-realm.asciidoc[]
include::authentication/configuring-file-realm.asciidoc[] include::authentication/configuring-file-realm.asciidoc[]
@ -156,6 +156,6 @@ include::authentication/configuring-saml-realm.asciidoc[]
include::authentication/configuring-kerberos-realm.asciidoc[] include::authentication/configuring-kerberos-realm.asciidoc[]
include::{es-repo-dir}/security/reference/files.asciidoc[] include::reference/files.asciidoc[]
include::fips-140-compliance.asciidoc[] include::fips-140-compliance.asciidoc[]


@ -19,7 +19,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and
authentication {security-features}. When you install these products, they apply authentication {security-features}. When you install these products, they apply
basic licenses with no expiration dates. All of the subsequent steps in this basic licenses with no expiration dates. All of the subsequent steps in this
tutorial assume that you are using a basic license. For more information, see tutorial assume that you are using a basic license. For more information, see
{subscriptions} and <<license-management>>. {subscriptions} and {stack-ov}/license-management.html[License-management].
-- --
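Review bot: the new link text `License-management` carries a stray hyphen; the target page is titled "License management", so write `{stack-ov}/license-management.html[License management]`. The same replacement appears in the TLS tutorial intro hunk of this commit and needs the same fix.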


@ -1,113 +1,42 @@
[role="xpack"] [[secure-cluster]]
[[elasticsearch-security]] = Secure a cluster
= Securing the {stack}
[partintro] [partintro]
-- --
The {stack-security-features} enable you to easily secure a cluster. You can The {stack-security-features} enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security password-protect your data as well as implement more advanced security
measures such as encrypting communications, role-based access control, measures such as encrypting communications, role-based access control,
IP filtering, and auditing. This guide describes how to configure the security IP filtering, and auditing.
features you need, and interact with your secured cluster.
Security protects Elasticsearch clusters by:
* <<preventing-unauthorized-access, Preventing unauthorized access>>
with password protection, role-based access control, and IP filtering.
* <<preserving-data-integrity, Preserving the integrity of your data>>
with message authentication and SSL/TLS encryption.
* <<maintaining-audit-trail, Maintaining an audit trail>>
so you know who's doing what to your cluster and the data it stores.
[float]
[[preventing-unauthorized-access]]
=== Preventing unauthorized access
To prevent unauthorized access to your Elasticsearch cluster, you must have a
way to _authenticate_ users. This simply means that you need a way to validate
that a user is who they claim to be. For example, you have to make sure only
the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The
{es-security-features} provide a standalone authentication mechanism that enables
you to quickly password-protect your cluster. If you're already using
<<ldap-realm, LDAP>>, <<active-directory-realm, Active Directory>>, or
<<pki-realm, PKI>> to manage users in your organization, the {security-features}
are able to integrate with those systems to perform user authentication.
In many cases, simply authenticating users isn't enough. You also need a way to
control what data users have access to and what tasks they can perform. The
{es-security-features} enable you to _authorize_ users by assigning access
_privileges_ to _roles_ and assigning those roles to users. For example, this
<<authorization,role-based access control>> mechanism (a.k.a RBAC) enables
you to specify that the user `kandorra` can only perform read operations on the
`events` index and can't do anything at all with other indices.
The {security-features} also support <<ip-filtering, IP-based authorization>>.
You can whitelist and blacklist specific IP addresses or subnets to control
network-level access to a server.
[float]
[[preserving-data-integrity]]
=== Preserving data integrity
A critical part of security is keeping confidential data confidential.
Elasticsearch has built-in protections against accidental data loss and
corruption. However, there's nothing to stop deliberate tampering or data
interception. The {stack-security-features} preserve the integrity of your
data by <<ssl-tls, encrypting communications>> to and from nodes. For even
greater protection, you can increase the <<ciphers, encryption strength>> and
<<separating-node-client-traffic, separate client traffic from node-to-node communications>>.
[float]
[[maintaining-audit-trail]]
=== Maintaining an audit trail
Keeping a system secure takes vigilance. By using {stack-security-features} to
maintain an audit trail, you can easily see who is accessing your cluster and
what they're doing. By analyzing access patterns and failed attempts to access
your cluster, you can gain insights into attempted attacks and data breaches.
Keeping an auditable log of the activity in your cluster can also help diagnose
operational issues.
[float]
=== Where to Go Next
* <<security-getting-started, Getting Started>>
steps through how to install and start using Security for basic authentication.
* <<how-security-works, How Security Works>>
provides more information about how Security supports user authentication,
authorization, and encryption.
* <<elasticsearch-security>>
* <<configuring-security>>
* <<how-security-works>>
* <<setting-up-authentication>>
* <<saml-guide>>
* <<oidc-guide>>
* <<authorization>>
* <<auditing>>
* <<encrypting-communications>>
* <<ip-filtering>>
* <<ccs-clients-integrations>> * <<ccs-clients-integrations>>
shows you how to interact with an Elasticsearch cluster protected by the * <<security-getting-started>>
{stack-security-features}. * <<encrypting-internode-communications>>
* <<security-troubleshooting>>
* <<security-limitations>>
[float]
=== Have Comments, Questions, or Feedback?
Head over to our {security-forum}[Security Discussion Forum]
to share your experience, questions, and suggestions.
-- --
include::overview.asciidoc[]
include::configuring-es.asciidoc[]
include::how-security-works.asciidoc[] include::how-security-works.asciidoc[]
include::authentication/index.asciidoc[] include::authentication/index.asciidoc[]
include::authorization/index.asciidoc[] include::authorization/index.asciidoc[]
include::auditing/index.asciidoc[]
include::{xes-repo-dir}/security/auditing/index.asciidoc[] include::securing-communications/index.asciidoc[]
include::using-ip-filtering.asciidoc[]
include::{xes-repo-dir}/security/securing-communications.asciidoc[] include::ccs-clients-integrations/index.asciidoc[]
include::{xes-repo-dir}/security/using-ip-filtering.asciidoc[]
include::{xes-repo-dir}/security/ccs-clients-integrations.asciidoc[]
include::get-started-security.asciidoc[] include::get-started-security.asciidoc[]
include::securing-communications/tutorial-tls-intro.asciidoc[] include::securing-communications/tutorial-tls-intro.asciidoc[]
include::troubleshooting.asciidoc[] include::troubleshooting.asciidoc[]
include::limitations.asciidoc[] include::limitations.asciidoc[]
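Review bot: the `[role="xpack"]` attribute is removed from the top of this file while other pages in this commit, for example the ciphers page, keep it; if this part is still meant to render with the x-pack marker, restore it above `[[secure-cluster]]`. The rewrite also deletes the three overview sections with their anchors (`preventing-unauthorized-access`, `preserving-data-integrity`, `maintaining-audit-trail`) and the `[[elasticsearch-security]]` anchor, yet the new bullet list still links `<<elasticsearch-security>>` and `<<configuring-security>>`; those targets must now be defined in the newly included `overview.asciidoc` and `configuring-es.asciidoc`, and any remaining xrefs to the deleted section anchors need updating or the build will fail on unresolved references. The "Where to Go Next" descriptions and the discussion-forum pointer are dropped without replacement; a one-line pointer to `{security-forum}` would be worth keeping.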


@ -1,6 +1,6 @@
[role="xpack"] [role="xpack"]
[[ciphers]] [[ciphers]]
=== Enabling Cipher Suites for Stronger Encryption === Enabling cipher suites for stronger encryption
The TLS and SSL protocols use a cipher suite that determines the strength of The TLS and SSL protocols use a cipher suite that determines the strength of
encryption used to protect the data. You may want to increase the strength of encryption used to protect the data. You may want to increase the strength of


@ -17,14 +17,4 @@ This section shows how to:
The authentication of new nodes helps prevent a rogue node from joining the The authentication of new nodes helps prevent a rogue node from joining the
cluster and receiving data through replication. cluster and receiving data through replication.
include::{es-repo-dir}/security/securing-communications/setting-up-ssl.asciidoc[] include::setting-up-ssl.asciidoc[]
[[ciphers]]
=== Enabling cipher suites for stronger encryption
See {ref}/ciphers.html[Enabling Cipher Suites for Stronger Encryption].
[[separating-node-client-traffic]]
=== Separating node-to-node and client traffic
See {ref}/separating-node-client-traffic.html[Separating node-to-node and client traffic].
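Review bot: removing the `[[ciphers]]` stub here is required, because the ciphers page in this same commit defines `[[ciphers]]` and the book would otherwise carry two definitions of that anchor; the `[[separating-node-client-traffic]]` anchor deleted alongside it, however, has no replacement visible in this diff, so check that `separating-node-client-traffic.asciidoc`, now included via the securing-elasticsearch index hunk, defines that anchor, or existing `<<separating-node-client-traffic,...>>` xrefs will break.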


@ -152,7 +152,7 @@ command from the {es} directory:
NOTE: If you already configured passwords for these users in other tutorials, NOTE: If you already configured passwords for these users in other tutorials,
you can skip this step. you can skip this step.
include::{stack-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users] include::{xes-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users]
After you setup the password for the `kibana` built-in user, After you setup the password for the `kibana` built-in user,
<<get-started-kibana-user,configure {kib} to use it>>. <<get-started-kibana-user,configure {kib} to use it>>.
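Review bot: switching the tagged include to `{xes-repo-dir}` assumes the `create-users` tagged region exists in the copy under that directory; the moved `get-started-builtin-users.asciidoc` is not part of this diff, so verify the `tag::create-users[]` markers travelled with it, since a missing tag silently renders as empty. The unchanged context line "After you setup the password" should read "set up" (verb form).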
@ -160,7 +160,7 @@ After you setup the password for the `kibana` built-in user,
For example, run the following commands to create the {kib} keystore and add the For example, run the following commands to create the {kib} keystore and add the
`kibana` built-in user and its password in secure settings: `kibana` built-in user and its password in secure settings:
include::{stack-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user] include::{xes-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user]
-- --
. Start {kib}. . Start {kib}.
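Review bot: same check as for the previous hunk, here for the `store-kibana-user` tagged region in `get-started-kibana-users.asciidoc` under `{xes-repo-dir}`; confirm the tag markers exist in the moved file so the keystore commands still render.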


@ -40,7 +40,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and
When you install these products, they apply basic licenses with no expiration When you install these products, they apply basic licenses with no expiration
dates. All of the subsequent steps in this tutorial assume that you are using a dates. All of the subsequent steps in this tutorial assume that you are using a
basic license. For more information, see {subscriptions} and basic license. For more information, see {subscriptions} and
<<license-management>>. {stack-ov}/license-management.html[License-management].
include::tutorial-tls-certificates.asciidoc[] include::tutorial-tls-certificates.asciidoc[]
include::tutorial-tls-internode.asciidoc[] include::tutorial-tls-internode.asciidoc[]
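Review bot: the link text `License-management` in this hunk has the same stray hyphen as the getting-started hunk; use `{stack-ov}/license-management.html[License management]`.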


@ -22,7 +22,11 @@ answers for frequently asked questions.
* <<trb-security-path>> * <<trb-security-path>>
include::{stack-repo-dir}/help.asciidoc[tag=get-help] For issues that you cannot fix yourself … were here to help.
If you are an existing Elastic customer with a support contract, please create
a ticket in the
https://support.elastic.co/customers/s/login/[Elastic Support portal].
Or post in the https://discuss.elastic.co/[Elastic forum].
[[security-trb-settings]] [[security-trb-settings]]
=== Some settings are not returned via the nodes settings API === Some settings are not returned via the nodes settings API
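Review bot: the inlined help text introduces a typo on the added line: "were here to help" should be "we're here to help". Inlining replaces the shared `help.asciidoc[tag=get-help]` snippet, so this wording will no longer pick up central edits; if the include was removed only because `{stack-repo-dir}` is no longer resolvable from this book, an include from `{xes-repo-dir}` or `{es-repo-dir}` would keep the text in one place. Also, "Or post in the ... forum." reads as a fragment; fold it into the preceding sentence.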