Commit Graph

202 Commits

Author SHA1 Message Date
Lisa Cawley c4c8a7a43c [DOCS] Merges duplicate pages for PKI realms (#49206) 2019-11-19 10:51:09 -08:00
Lisa Cawley 2f5acae4a9 [DOCS] Groups pages related to encrypting communications (#49324) 2019-11-19 10:10:39 -08:00
Lisa Cawley 62bbe419d3 [DOCS] Removes Beats security page (#49276) 2019-11-19 09:15:30 -08:00
Lisa Cawley abd4a70b10 [DOCS] Merges duplicate pages for Kerberos realms (#49207) 2019-11-18 15:23:06 -08:00
Lisa Cawley b4f82c9cdb [DOCS] Merges duplicate pages for LDAP realms (#49203) 2019-11-18 14:09:24 -08:00
Lisa Cawley b0054eecd6 [DOCS] Merges duplicate pages for file realms (#49200) 2019-11-18 12:02:18 -08:00
Lisa Cawley 48f53efd9a [DOCS] Merges duplicate pages for SAML realms (#49209) 2019-11-18 10:09:29 -08:00
Lisa Cawley 09a9ec4d23 [DOCS] Merges duplicate pages for native realms (#49198) 2019-11-15 15:35:53 -08:00
Ioannis Kakavas e0331e2a0f
Remove limitation for SAML encryption in FIPS mode (#48948) (#49019)
Our documentation regarding FIPS 140 claimed that when using SAML
in a JVM that is configured in FIPS approved only mode, one could
not use encrypted assertions. This stemmed from a wrong
understanding regarding the compliance of RSA-OAEP which is used
as the key wrapping algorithm for encrypting the key with which the
SAML Assertion is encrypted.

However, as stated for instance in
https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.0.pdf
RSA-OAEP is approved for key transport, so this limitation is not
effective.

This change removes the limitation from our FIPS 140 related
documentation.
2019-11-13 12:10:01 +02:00
James Rodewig f1396b6322 [DOCS] Add Java to list of HTTP client libraries for basic authentication (#48647) 2019-11-05 17:09:10 -05:00
Albert Zaharovits 00d3151eea Document allow_restricted_indices for indices privileges (#47514)
Document the allow_restricted_indices role descriptor field.
2019-10-31 11:45:11 +02:00
Lisa Cawley be9df101bf [DOCS] Adds missing references to oidc realms (#48224) 2019-10-29 09:41:34 -07:00
Cris da Rocha 947f89a3a1 Update troubleshooting.asciidoc (#48516) 2019-10-28 18:44:24 -07:00
Peter Dyson eb44a25899 [DOCS] Reorder bullet items in CCS security docs (#48501)
Adjust the last bullet item to be above the code block for better readability and to avoid it being skimmed over
2019-10-25 09:11:49 -04:00
James Rodewig 852622d970 [DOCS] Remove binary gendered language (#48362) 2019-10-23 09:37:12 -05:00
Ioannis Kakavas cece5f24f7
Add sections in SAML Troubleshooting (#47964) (#48387)
- Section about the case where the `principal` user property can't
be mapped.
- Section about when the IdP SAML metadata do not contain a
SingleSignOnService that supports HTTP-Redirect binding.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
Co-Authored-By: Tim Vernum <tim@adjective.org>
2019-10-23 17:24:04 +03:00
István Zoltán Szabó ecd62934f6 [DOCS] Applies rename of transform related roles and privileges (#48123) 2019-10-17 10:24:56 +02:00
Michael Basnight 74812f78dd Add enrich_user to security docs (#48079) 2019-10-16 12:55:19 -05:00
Alex Pang 09604dbaea [DOCS] Fix truststores typo (#47738) 2019-10-15 15:50:54 -04:00
Ioannis Kakavas 2b1372adfd
File based role mappings vs the role mapping APIs (#47015) (#47978)
Make clear in the docs that the role mapping APIs is the preferred
way to manage role mappings and that the role mappings that are
defined in files cannot be viewed or managed with the APIs
2019-10-14 17:55:46 +03:00
Ioannis Kakavas 33705c4b95
Document SAML APIs (#45105) (#47909)
This change adds documentation for the SAML APIs in Elasticsearch
and adds simple instructions on how these APIs can be used to
authenticate a user with SAML by a custom web application other
than Kibana.

Resolves: #40352
2019-10-11 16:34:11 +03:00
Yogesh Gaikwad 1139cce9a3
[DOCS] Add docs for `create_doc` index privilege (#47584) (#47778)
This commit adds documentation for new index privilege
create_doc which only allows indexing of new documents
but no updates to existing documents via Index or Bulk APIs.

Relates: #45806
2019-10-09 21:22:36 +11:00
Lisa Cawley 39ef795085
[DOCS] Cleans up links to security content (#47610) (#47703) 2019-10-07 15:23:19 -07:00
Ioannis Kakavas 36cabbae80
NameID mapping and Single Logout (#47288) (#47561)
Clarify in the documentation that for SAML Single Logout to be
functional, the Identity Provider needs to release a NameID.
2019-10-07 09:19:32 +03:00
Lisa Cawley f35fcf7204
[DOCS] Adds security content in the Elasticsearch Reference (#47596) 2019-10-04 13:11:05 -07:00
Lisa Cawley 9b3e5409c1
[7.x][DOCS] Copies security source files from stack-docs (#47534) 2019-10-04 08:19:10 -07:00
Ioannis Kakavas f785c31531
File based role definition documentation additions (#46304) (#47085)
This commit clarifies and points out that the Role management UI and
the Role management API cannot be used to manage roles that are
defined in roles.yml and that file based role management is
intended to have a small administrative scope and not handle all
possible RBAC use cases.
2019-09-25 13:52:05 +03:00
James Rodewig 2831535cf9 [DOCS] Replace "// CONSOLE" comments with [source,console] (#46679) 2019-09-13 11:44:54 -04:00
Lisa Cawley dae5b22bf8 [DOCS] Fixes link to Kibana security (#46690) 2019-09-12 16:30:43 -07:00
James Rodewig e253ee6ba6
[DOCS] Change // CONSOLE comments to [source,console] (#46440) (#46494) 2019-09-09 12:35:50 -04:00
Aleh Zasypkin 5ee336ff78
[7.x] Document support of OIDC Implicit flow in Kibana. (#46329) 2019-09-04 20:50:15 +02:00
Albert Zaharovits 1a29711b06 DOCS Link to kib reference from es reference on PKI authn (#46260) 2019-09-04 08:17:17 -07:00
Albert Zaharovits 1ebee5bf9b
PKI realm authentication delegation (#45906)
This commit introduces PKI realm delegation. This feature
supports the PKI authentication feature in Kibana.

In essence, this creates a new API endpoint which Kibana must
call to authenticate clients that use certificates in their TLS
connection to Kibana. The API call passes to Elasticsearch the client's
certificate chain. The response contains an access token to be further
used to authenticate as the client. The client's certificates are validated
by the PKI realms that have been explicitly configured to permit
certificates from the proxy (Kibana). The user calling the delegation
API must have the delegate_pki privilege.

Closes #34396
2019-08-27 14:42:46 +03:00
Ioannis Kakavas 2bee27dd54
Allow Transport Actions to indicate authN realm (#45946)
This commit allows the Transport Actions for the SSO realms to
indicate the realm that should be used to authenticate the
constructed AuthenticationToken. This is useful in the case that
many authentication realms of the same type have been configured
and where the caller of the API(Kibana or a custom web app) already
know which realm should be used so there is no need to iterate all
the realms of the same type.
The realm parameter is added in the relevant REST APIs as optional
so as not to introduce any breaking change.
2019-08-25 19:36:41 +03:00
Mayya Sharipova 22ab389531 Clarify that FLS/DLS disable shard request cache (#45462) 2019-08-13 09:05:57 -04:00
Ioannis Kakavas ac131f986b Document xpack.security.authc.saml.realm for Kibana (#44705)
Since 7.3, it's possible to explicitly configure the SAML realm to
be used in Kibana's configuration. This in turn, eliminates the need
of properly setting `xpack.security.public.*` settings in Kibana
and largely simplifies relevant documentation.
This also changes `xpack.security.authProviders` to
`xpack.security.authc.providers` as the former was deprecated in
favor of the latter in 7.3 in Kibana
2019-07-26 09:38:49 +03:00
James Rodewig ad7c164dd0 [DOCS] Rewrite `regexp` query (#42711) 2019-07-24 08:38:41 -04:00
James Rodewig ac07eef86c [DOCS] Remove :edit_url: overrides. (#44445)
These overrides do not work in Asciidoctor and are no longer needed.
2019-07-16 15:04:44 -04:00
Ioannis Kakavas 475752be75
Make plugin verification FIPS 140 compliant (#44266)
This change makes the process of verifying the signature of
official plugins FIPS 140 compliant by defaulting to use the
BouncyCastle FIPS provider and adding a dependency to bcpg-fips
that implement parts of openPGP in a FIPS compliant manner.

In already FIPS 140 enabled environments that use the 
BouncyCastle FIPS provider, the bcfips dependency is redundant
but doesn't cause an issue as it will be added only in the classpath
 of the cli-tools

This is a backport of #44224
2019-07-12 14:34:15 +03:00
Albert Zaharovits 018d946bba [DOC] Backup & Restore Security Configuration (#42970)
This commit documents the backup and restore of a cluster's
security configuration.

It is not possible to only backup (or only restore) security
configuration, independent to the rest of the cluster's conf,
so this describes how a full configuration backup&restore
will include security as well. Moreover, it explains how part
of the security conf data resides on the special .security
index and how to backup that using regular data snapshot API.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
Co-Authored-By: Tim Vernum <tim@adjective.org>
2019-07-10 14:53:56 +03:00
marcos ramos 88ee47c9ba Fix OIDC documentation settings (#44115)
Current kibana setting is xpack.security.auth.oidc.realm, 
but the correct  one is xpack.security.authc.oidc.realm
2019-07-09 18:44:35 +03:00
Ioannis Kakavas 440ec4d9f5
[Backport 7.x] OpenID Connect realm guide (#42836)
This commit adds a configuration guide for the newly introduced
OpenID Connect realm. The guide is similar to the style of the
SAML Guide and shares certain parts where applicable (role mapping)
It also contains a short section on how the realm can be used for
authenticating users without Kibana.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>

Backport of #41423 and #42555
2019-06-04 14:08:41 +03:00
Lisa Cawley fd2d4d761b [DOCS] Updates TLS configuration info (#41983) 2019-05-20 09:13:37 -04:00
Lisa Cawley 9284a70ec8 [DOCS] Updates security configuration overview (#41982) 2019-05-09 07:50:51 -07:00
James Rodewig 66d8549083 [DOCS] Move block delimiter and anchor in 'Configuring Security' for Asciidoctor migration (#41604) 2019-04-30 16:41:26 -04:00
Christoph Büscher 52495843cc [Docs] Fix common word repetitions (#39703) 2019-04-25 20:47:47 +02:00
RomainGeffraye a02f5544fe Update configuring-ldap-realm.asciidoc (#40427) 2019-04-25 13:29:46 -04:00
James Rodewig 122e727d28 [DOCS] Fix broken link to elasticsearch-php security page 2019-04-23 12:43:40 -04:00
Yogesh Gaikwad 280567da8d
Correct documentation link for authorization engine example (#40261) (#40292)
This commit fixes the link for authorization engine example.
2019-03-22 12:38:03 +11:00
Mark Vovchuk a054a9866e Update managing-roles.asciidoc 2019-03-19 08:21:29 -07:00
Lisa Cawley d093205b6a [DOCS] Fixes edit_url attributes that were externalized as text strings (#40161) 2019-03-18 14:32:02 -07:00
Lisa Cawley e050d50759 [DOCS] Removes X-Pack settings section (#39870) 2019-03-14 14:37:37 -07:00
Lisa Cawley f1a7166708 [DOCS] Adds link to list of built-in users (#39529) 2019-03-01 10:32:49 -08:00
Jay Modi 7ca5495d86
Allow custom authorization with an authorization engine (#38358)
For some users, the built in authorization mechanism does not fit their
needs and no feature that we offer would allow them to control the
authorization process to meet their needs. In order to support this,
a concept of an AuthorizationEngine is being introduced, which can be
provided using the security extension mechanism.

An AuthorizationEngine is responsible for making the authorization
decisions about a request. The engine is responsible for knowing how to
authorize and can be backed by whatever mechanism a user wants. The
default mechanism is one backed by roles to provide the authorization
decisions. The AuthorizationEngine will be called by the
AuthorizationService, which handles more of the internal workings that
apply in general to authorization within Elasticsearch.

In order to support external authorization services that would back an
authorization engine, the entire authorization process has become
asynchronous, which also includes all calls to the AuthorizationEngine.

The use of roles also leaked out of the AuthorizationService in our
existing code that is not specifically related to roles so this also
needed to be addressed. RequestInterceptor instances sometimes used a
role to ensure a user was not attempting to escalate their privileges.
Addressing this leakage of roles meant that the RequestInterceptor
execution needed to move within the AuthorizationService and that
AuthorizationEngines needed to support detection of whether a user has
more privileges on a name than another. The second area where roles
leaked to the user is in the handling of a few privilege APIs that
could be used to retrieve the user's privileges or ask if a user has
privileges to perform an action. To remove the leakage of roles from
these actions, the AuthorizationService and AuthorizationEngine gained
methods that enabled an AuthorizationEngine to return the response for
these APIs.

Ultimately this feature is the work included in:
#37785
#37495
#37328
#36245
#38137
#38219

Closes #32435
2019-02-05 13:39:29 -07:00
Przemyslaw Gomulka 4f4113e964
Rename security audit.log to _audit.json (#37916)
in order to keep json logs consistent the security audit logs are renamed from .log to .json
relates #32850
2019-01-29 14:53:55 +01:00
Albert Zaharovits b6936e3c1e
Remove index audit output type (#37707)
This commit removes the Index Audit Output type, following its deprecation
in 6.7 by 8765a31d4e6770. It also adds the migration notice (settings notice).

In general, the problem with the index audit output is that event indexing
can be slower than the rate with which audit events are generated,
especially during the daily rollovers or the rolling cluster upgrades.
In this situation audit events will be lost which is a terrible failure situation
for an audit system.
Besides of the settings under the `xpack.security.audit.index` namespace, the
`xpack.security.audit.outputs` setting has also been deprecated and will be
removed in 7. Although explicitly configuring the logfile output does not touch
any deprecation bits, this setting is made redundant in 7 so this PR deprecates
it as well.

Relates #29881
2019-01-24 12:36:10 +02:00
Christoph Büscher 34f2d2ec91
Remove remaining occurances of "include_type_name=true" in docs (#37646) 2019-01-22 15:13:52 +01:00
Albert Zaharovits a88c050a05
Docs be explicit on how to turn off deprecated auditing (#37316)
Just be explicit about turning off the deprecated audit log appender
because we really want people to turn it off.
2019-01-15 14:29:32 +02:00
Julie Tibshirani 36a3b84fc9
Update the default for include_type_name to false. (#37285)
* Default include_type_name to false for get and put mappings.

* Default include_type_name to false for get field mappings.

* Add a constant for the default include_type_name value.

* Default include_type_name to false for get and put index templates.

* Default include_type_name to false for create index.

* Update create index calls in REST documentation to use include_type_name=true.

* Some minor clean-ups around the get index API.

* In REST tests, use include_type_name=true by default for index creation.

* Make sure to use 'expression == false'.

* Clarify the different IndexTemplateMetaData toXContent methods.

* Fix FullClusterRestartIT#testSnapshotRestore.

* Fix the ml_anomalies_default_mappings test.

* Fix GetFieldMappingsResponseTests and GetIndexTemplateResponseTests.

We make sure to specify include_type_name=true during xContent parsing,
so we continue to test the legacy typed responses. XContent generation
for the typeless responses is currently only covered by REST tests,
but we will be adding unit test coverage for these as we implement
each typeless API in the Java HLRC.

This commit also refactors GetMappingsResponse to follow the same appraoch
as the other mappings-related responses, where we read include_type_name
out of the xContent params, instead of creating a second toXContent method.
This gives better consistency in the response parsing code.

* Fix more REST tests.

* Improve some wording in the create index documentation.

* Add a note about types removal in the create index docs.

* Fix SmokeTestMonitoringWithSecurityIT#testHTTPExporterWithSSL.

* Make sure to mention include_type_name in the REST docs for affected APIs.

* Make sure to use 'expression == false' in FullClusterRestartIT.

* Mention include_type_name in the REST templates docs.
2019-01-14 13:08:01 -08:00
Jay Modi f3edbe2911
Security: remove SSL settings fallback (#36846)
This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.

Closes #29797
2019-01-14 14:06:22 -07:00
Albert Zaharovits 6fd57d90da
Security Audit includes HTTP method for requests (#37322)
Adds another field, named "request.method", to the structured logfile audit.
This field is present for all events associated with a REST request (not a
transport request) and the value is one of GET, POST, PUT, DELETE, OPTIONS,
HEAD, PATCH, TRACE and CONNECT.
2019-01-13 15:26:23 +02:00
Ioannis Kakavas 80084138dd [DOCS] Fix link to role mapping doc 2019-01-11 09:22:40 +02:00
Josh Soref edb48321ba [DOCS] Various spelling corrections (#37046) 2019-01-07 14:44:12 +01:00
Ioannis Kakavas 3c12c372d0
[DOCS] Adjust role mapping docs for SAML (#37083)
Explicitly mention that file based role mappings cannot be used with
the SAML realm.
2019-01-04 08:26:41 +02:00
lcawl 8b8121279a [DOCS] Fix typos 2018-12-19 15:28:25 -08:00
Ioannis Kakavas c4e12f06d7
Link to the SAML troubleshooting doc from guide (#36754)
Explicitly call out the existence of the troubleshooting guide so
that hopefully users can solve common and easy problems with their
initial configuration
2018-12-20 01:11:55 +02:00
Lisa Cawley 4140b9eede
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 14:53:37 -08:00
Albert Zaharovits 63aa8756b2
Add X-Forwarded-For to the logfile audit (#36427)
Extracts the value of the X-Forwarded-For HTTP request header and
places it in the audit entries from the logfile output.
2018-12-19 14:56:40 +02:00
lcawl a8387592db [DOCS] Fixes broken links to tcp_tranport_profiles 2018-12-18 14:43:58 -08:00
Tim Brooks 47a9a8de49
Update transport docs and settings for changes (#36786)
This is related to #36652. In 7.0 we plan to deprecate a number of
settings that make reference to the concept of a tcp transport. We
mostly just have a single transport type now (based on tcp). Settings
should only reference tcp if they are referring to socket options. This
commit updates the settings in the docs. And removes string usages of
the old settings. Additionally it adds a missing remote compress setting
to the docs.
2018-12-18 13:09:58 -07:00
Ioannis Kakavas d7c5d8049a
Deprecate /_xpack/security/* in favor of /_security/* (#36293)
* This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs.

- REST API docs
- HLRC docs and doc tests
- Handle REST actions with deprecation warnings
- Changed endpoints in rest-api-spec and relevant file names
2018-12-11 11:13:10 +02:00
Lisa Cawley e1fb1505f9
[DOCS] Moves security config file info (#36232) 2018-12-04 13:18:54 -08:00
Lisa Cawley 46962308aa
[DOCS] Replace deprecated ldap setting (#36022) 2018-11-30 16:58:19 -08:00
Albert Zaharovits 36819f78ef
DOCS Audit event attributes in new format (#35510)
Accounts for the `Structured Audit Entries` in the format
documentation.
2018-11-28 01:24:03 +02:00
lcawl 3a232d7897 [DOCS] Adds anchor for SAML Kibana basic info 2018-11-19 11:42:45 -08:00
Albert Zaharovits 617f91bb0f
DOCS Auditing search queries (#35301)
This documents how to include the search queries in the audit log.

There is a catch, that even if enabling `emit_request_body`, which should
output queries included in request bodies, search queries were not output
because, implicitly, no REST layer audit event type was included.

This folk knowledge is herein imprinted.
2018-11-09 11:38:45 +02:00
Tim Vernum 574ec6686e
Include realm type in Security Realm setting keys (#30241)
This moves all Realm settings to an Affix definition.
However, because different realm types define different settings
(potentially conflicting settings) this requires that the realm type
become part of the setting key.

Thus, we now need to define realm settings as:

    xpack.security.authc.realms:
      file.file1:
        order: 0

      native.native1:
        order: 1

- This is a breaking change to realm config
- This is also a breaking change to custom security realms (SecurityExtension)
2018-11-06 14:56:50 +11:00
Jake Landis c2766b65cf
ingest: raise visibility of ingest plugin documentation (#35048)
* move the set security user processor to the main documentation
* link to plugin processors

part of #33188
2018-11-05 11:44:10 -06:00
Albert Zaharovits 3f1fec1813
[Docs] audit logfile structured format (#34584)
Documents the new structured logfile format for auditing
that was introduced by #31931. Most changes herein
are for 6.x . In 7.0 the deprecated format is gone and a
follow-up PR is in order.
2018-10-26 15:19:35 +03:00
Jason Tedor 8bed0c68e2
Fix remote clusters section link
This commit fixes the remote clusters section link by changing some
underscores to dashes.
2018-10-20 11:16:39 -04:00
Jason Tedor 77d23a2007
Fix remote clusters section link
This fixes a link to the configuring remote clusters section of the
docs.
2018-10-20 10:28:25 -04:00
Jason Tedor 19ee5da037
Fix reference to remote clusters configuration
This commit fixes a reference to configuring a remote cluster in the
cross-cluster search and security docs.
2018-10-20 09:35:24 -04:00
Ioannis Kakavas fe41b2cc0b
Change wording for FIPS 140-2 (#34471)
Changes wording in the FIPS 140-2 related documentation. 

Co-authored-by: derickson <dave@elastic.co>
2018-10-18 18:22:46 +03:00
Shivaank121 ff2bbdf765 [Docs] Correct typo in configuring-es.asciidoc (#34064) 2018-09-26 16:35:44 +02:00
Lisa Cawley 9706584836
[DOCS] Moves security reference to docs folder (#33643) 2018-09-14 13:09:47 -07:00
Yogesh Gaikwad d810f1b094
[Kerberos] Add realm name & UPN to user metadata (#33338)
We have a Kerberos setting to remove realm part from the user
principal name (remove_realm_name). If this is true then
the realm name is removed to form username but in the process,
the realm name is lost. For scenarios like Kerberos cross-realm
authentication, one could make use of the realm name to determine
role mapping for users coming from different realms.
This commit adds user metadata for kerberos_realm and
kerberos_user_principal_name.
2018-09-14 17:17:53 +10:00
Lisa Cawley c3a817957d
[DOCS] Moves securing-communications to docs (#33640) 2018-09-13 10:42:26 -07:00
lcawl cd4bdde328 [DOCS] Moves troubleshooting and limitations to stack-docs 2018-09-06 10:00:29 -07:00
Jason Tedor d71ced1b00
Generalize search.remote settings to cluster.remote (#33413)
With features like CCR building on the CCS infrastructure, the settings
prefix search.remote makes less sense as the namespace for these remote
cluster settings than does a more general namespace like
cluster.remote. This commit replaces these settings with cluster.remote
with a fallback to the deprecated settings search.remote.
2018-09-05 20:43:44 -04:00
Tim Vernum 273c82d7c9
Add support for "authorization_realms" (#33262)
Authorization Realms allow an authenticating realm to delegate the task
of constructing a User object (with name, roles, etc) to one or more
other realms.

E.g. A client could authenticate using PKI, but then delegate to an LDAP
realm. The LDAP realm performs a "lookup" by principal, and then does
regular role-mapping from the discovered user.

This commit includes:
- authorization_realm support in the pki, ldap, saml & kerberos realms
- docs for authorization_realms
- checks that there are no "authorization chains"
   (whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c")

Authorization realms is a platinum feature.
2018-08-31 13:25:27 +10:00
Ioannis Kakavas 557eabf7b5
[DOCS] TLS file resources are reloadable (#33258)
Make clearer that file resources that are used as key trust material
are polled and will be reloaded upon modification.
2018-08-30 13:59:19 +03:00
Shaunak Kashyap 1779d3376a
APM server monitoring (#32515)
* Adding new MonitoredSystem for APM server

* Teaching Monitoring template utils about APM server monitoring indices

* Documenting new monitoring index for APM server

* Adding monitoring index template for APM server

* Copy pasta typo

* Removing metrics.libbeat.config section from mapping

* Adding built-in user and role for APM server user

* Actually define the role :)

* Adding missing import

* Removing index template and system ID for apm server

* Shortening line lengths

* Updating expected number of built-in users in integration test

* Removing "system" from role and user names

* Rearranging users to make tests pass
2018-08-27 08:42:40 -04:00
Tim Vernum a211d24bda [DOCS] Add docs for Application Privileges (#32635) 2018-08-23 18:04:02 -07:00
Ioannis Kakavas 0a4b55c9c0
[DOCS] Add RequestedAuthnContext Documentation (#32946)
Add documentation for #31238

- Add documentation for the req_authn_context_class_ref setting
- Add a section in SAML Guide regarding the use of SAML
  Authentication Context.
2018-08-22 08:37:50 +03:00
Ioannis Kakavas 1b583978e9
[DOCS] Add FIPS 140-2 documentation (#32928)
* Add relevant documentation for FIPS 140-2 compliance.
* Introduce `fips_mode` setting.
* Discuss necessary configuration for FIPS 140-2
* Discuss introduced limitations by FIPS 140-2
2018-08-21 16:20:00 +03:00
Ioannis Kakavas 65d4f27873
[DOCS] Add configurable password hashing docs (#32849)
* [DOCS] Add configurable password hashing docs

Adds documentation about the newly introduced configuration option
for setting the password hashing algorithm to be used for the users
cache and for storing credentials for the native and file realm.
2018-08-21 12:05:42 +03:00
Yogesh Gaikwad 38886e8f23
[DOCS] Add Kerberos troubleshooting documentation (#32803)
This commit adds troubleshooting section for Kerberos.
Most of the times the problems seen are caused due to invalid
configurations like keytab missing principals or credentials
not up to date. Time synchronization is an important part for
Kerberos infrastructure and the time skew can cause problems.
To debug further documentation explains how to enable JAAS
Kerberos login module debugging and Kerberos/SPNEGO debugging
by setting JVM system properties.
2018-08-21 16:30:28 +10:00
Lisa Cawley 2feda8aae0
[DOC] Splits role mapping APIs into separate pages (#32797) 2018-08-20 14:30:42 -07:00
Yogesh Gaikwad e143cce865
[Kerberos] Add documentation for Kerberos realm (#32662)
This commit adds documentation for configuring Kerberos realm.
Configuring Kerberos realm documentation highlights important
terminology and requirements before creating Kerberos realm.
Most of the documentation is centered around configuration from
Elasticsearch rather than go deep into Kerberos implementation.
Kerberos realm settings are mentioned in the security settings
for Kerberos realm.
2018-08-20 17:23:14 +10:00
lcawl 1efee66d16 [DOCS] Creates redirects for role management APIs page 2018-08-17 21:55:18 -07:00