52 Commits

Author SHA1 Message Date
Jay Modi 7291eb55fe Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137)
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM
supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the
unlimited policy file needs to be installed. In order to simplify the work a user would need to do
we can detect this support and automatically enable the AES 256 bit versions of the ciphers we
already enable.

Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
2017-08-01 07:36:35 -06:00
Lisa Cawley af050a2da6 [DOCS] Move Reporting and Security out of X-Pack Reference (elastic/x-pack-elasticsearch#2134)
Original commit: elastic/x-pack-elasticsearch@3e007e0679
2017-07-31 09:55:08 -07:00
Lisa Cawley 2e3d0e9262 [DOCS] Fix read description in indices privileges (elastic/x-pack-elasticsearch#2119)
Original commit: elastic/x-pack-elasticsearch@59884cf832
2017-07-28 09:06:15 -07:00
lcawley 29bb00a7ca [DOCS] Modify SSL settings in Kibana security
Original commit: elastic/x-pack-elasticsearch@927c3c9ed6
2017-07-25 17:25:22 -07:00
Tim Vernum 15f5c5a632 [DOCS] Minor updates to TLS/SSL docs (elastic/x-pack-elasticsearch#2069)
- Fix typo `trustsore` -> `truststore` in several places
- Clarify that enabling TLS requires full restart

Original commit: elastic/x-pack-elasticsearch@0f430a1bea
2017-07-25 13:03:07 +10:00
Deb Adair 3ace57d512 [DOCS] Updates to make GS minidoc build.
Original commit: elastic/x-pack-elasticsearch@04c168e653
2017-07-20 11:24:57 -07:00
Tim Brooks a0fd423db1 Update documentation for bootstrap password work (elastic/x-pack-elasticsearch#2031)
This is related to elastic/x-pack-elasticsearch#1217. The commit adds documentation describing how to
use the bootstrap password and setup-password tool.

Original commit: elastic/x-pack-elasticsearch@1bad8ddb4d
2017-07-20 11:23:20 -05:00
Tim Vernum 1bbc579cf3 [Security] [certgen] Option to generate PKCS#12 (elastic/x-pack-elasticsearch#2013)
Add an option to the ssl certificate generation tool (certgen) that generates PKCS#12 (.p12) files in addition to the certificate (.crt) and key (.key) files.
A PKCS#12 store is a container format for storing multiple crypto objects in a single file, which means we can put the cert and key into the same file.

This format is particularly useful for .NET environments, where .NET Core requires a single into file for PKI authentication.

Also adds documentation for all the command-line options in certgen.

Original commit: elastic/x-pack-elasticsearch@d10f88f12d
2017-07-19 12:04:31 +10:00
Jay Modi 6fdad6039f Allow the Active Directory UPN authenticator to work with suffixes (elastic/x-pack-elasticsearch#1958)
The active directory user principal name format typically takes the form user@domain, which is what
the current implementation expects. However, active directory also allows the definition of other
suffixes that are not actual domains. A user can still authenticate using this user principal name
but the behavior of our realm would cause it to fail as it parsed the suffix as a domain and used it
as the search base for the user. Instead, we should use the default user search base and only look
for entries that have this exact user principal name. In a scenario where a realm is configured for
multiple domains in the same forest, the search base should be the base for the entire forest.

relates elastic/x-pack-elasticsearch#1744

Original commit: elastic/x-pack-elasticsearch@de00c4817e
2017-07-13 10:08:22 -06:00
Colin Goodheart-Smithe 8aec1d4737 [DOCS] Remove reference to field stats in security limitations
Original commit: elastic/x-pack-elasticsearch@9ca673ea36
2017-07-13 12:00:16 +01:00
Tim Vernum a36121a725 [DOCS] [Security] Templates do not use bind_dn (elastic/x-pack-elasticsearch#1979)
Document that user_dn_template mode for LDAP authentication does not support bind_dn

Original commit: elastic/x-pack-elasticsearch@eef72615a8
2017-07-13 14:23:23 +10:00
Jay Modi e686d8a3bf Add active directory bind user and user lookup support (elastic/x-pack-elasticsearch#1956)
This commit adds support for a bind user when using the active directory realm. The addition of a
bind user also enables support for the user lookup mechanism, which is necessary to support the run
as functionality that we provide.

relates elastic/x-pack-elasticsearch#179

Original commit: elastic/x-pack-elasticsearch@40b07b3422
2017-07-12 14:01:39 -06:00
Jay Modi 03ed2bbbd0 Add setting for the LDAP user search filter and deprecate user attribute (elastic/x-pack-elasticsearch#1959)
This commit adds a setting to allow changing the user search filter. Previously the filter was a
simple equality filter that mapped a given attribute to the value of the username. The default
behavior remains the same with this change but provides additional flexibility to users who may
need more advanced LDAP searches. The user attribute setting has been deprecated due to the overlap
with the new filter setting.

relates elastic/x-pack-elasticsearch#1861

Original commit: elastic/x-pack-elasticsearch@e9d797e81c
2017-07-11 09:27:24 -06:00
Clinton Gormley 81101b893a Added note to cross cluster search docs to specify minimum node version of 5.5
Original commit: elastic/x-pack-elasticsearch@98e440f1a4
2017-07-11 14:15:23 +02:00
Tim Vernum c5012ac6e8 [DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)
- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example 
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
2017-07-07 13:33:35 +10:00
Tim Brooks 76bf3ba767 Bring back disabling-default-password docs section
There are multiple references to this section in different areas of the
documentation. This commit brings back this section to fix the build.

A more extensive PR updating the documentation for "no default
password" work will follow up.

Original commit: elastic/x-pack-elasticsearch@0378e78c8a
2017-06-29 16:23:58 -05:00
Jay Modi a9707a461d Use a secure setting for the watcher encryption key (elastic/x-pack-elasticsearch#1831)
This commit removes the system key from master and changes watcher to use a secure setting instead
for the encryption key.

Original commit: elastic/x-pack-elasticsearch@5ac95c60ef
2017-06-29 14:58:35 -06:00
Tim Brooks f2cbe20ea0 Remove default passwords from reserved users (elastic/x-pack-elasticsearch#1665)
This is related to elastic/x-pack-elasticsearch#1217. This PR removes the default password of
"changeme" from the reserved users.

This PR adds special behavior for authenticating the reserved users. No
ReservedRealm user can be authenticated until its password is set. The
one exception to this is the elastic user. The elastic user can be
authenticated with an empty password if the action is a rest request
originating from localhost. In this scenario where an elastic user is
authenticated with a default password, it will have metadata indicating
that it is in setup mode. An elastic user in setup mode is only
authorized to execute a change password request.

Original commit: elastic/x-pack-elasticsearch@e1e101a237
2017-06-29 15:27:57 -05:00
lcawley cbf7c32b88 [DOCS] Fix broken link to security API
Original commit: elastic/x-pack-elasticsearch@85fa16e160
2017-06-28 12:00:28 -07:00
Lisa Cawley 08fdac5a93 [DOCS] Move security APIs to Elasticsearch Ref (elastic/x-pack-elasticsearch#1877)
* [DOCS] Move security APIs to Elasticsearch Ref

* [DOCS] Update links to security APIs

* [DOCS] Fix link to security APIs

Original commit: elastic/x-pack-elasticsearch@d7a9d3f1ab
2017-06-28 11:02:40 -07:00
Deb Adair 5a9eb01c3f [DOCS] Fixed broken link to Monitoring Logstash.
Original commit: elastic/x-pack-elasticsearch@bb5dafbd40
2017-06-26 17:33:59 -07:00
Jason Tedor c22494bcb7 Remove path.conf setting
This commit is a response to a change in core removing path.conf as a
valid setting.

Relates elastic/x-pack-elasticsearch#1844

Original commit: elastic/x-pack-elasticsearch@477a7eab71
2017-06-26 15:18:49 -04:00
Deb Adair 806b0bc710 [DOCS] Removed UI and Logstash settings & updated links to that info.
Original commit: elastic/x-pack-elasticsearch@2434e503dd
2017-06-26 09:04:56 -07:00
Deb Adair 7e1d8d5750 [DOCS] Added Kibana CCS section from x-pack-kibana.
Original commit: elastic/x-pack-elasticsearch@1504efc452
2017-06-22 19:48:29 -07:00
Andy Bristol 855c63dbc7 User/role names can be longer with more characters (elastic/x-pack-elasticsearch#1745)
This changes the validation criteria we use for user and role
names in the file realm, native realm, and the
realm-agnostic code in x-pack security. The new criteria is:

A valid username's length must be at least 1 and no more than 1024
characters. It may not contain leading or trailing whitespace. All
characters in the name must be alphanumeric (`a-z`, `A-Z`, `0-9`),
printable punctuation or symbols in the https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block],
or the space character.

Original commit: elastic/x-pack-elasticsearch@f77640f269
2017-06-22 13:05:56 -07:00
Lisa Cawley 8103a1bf8b [DOCS] Fix broken links (elastic/x-pack-elasticsearch#1799)
Original commit: elastic/x-pack-elasticsearch@7ff7ff1dbc
2017-06-20 17:41:16 -07:00
Lisa Cawley 1b3b7f2944 [DOCS] Update links in X-Pack Reference for Reporting info (elastic/x-pack-elasticsearch#1584)
* [DOCS] Update links to Reporting docs

* [DOCS] Fix incomplete link

Original commit: elastic/x-pack-elasticsearch@c3ccafb191
2017-06-20 15:38:27 -07:00
jaymode d299592c9d Docs: clean up incorrect path in certgen output in the SSL docs
Original commit: elastic/x-pack-elasticsearch@0d2102094c
2017-06-14 14:31:17 -06:00
Clinton Gormley fff33e753a Corrected syntax for adding IDs to definition lists in built-in roles
Relates to elastic/x-pack-elasticsearch#5040

Original commit: elastic/x-pack-elasticsearch@693c4adfb5
2017-06-13 14:00:56 +02:00
Clinton Gormley 5a0ffb4b3a Fixed bad asciidoc link
relates elastic/x-pack-elasticsearch#5040

Original commit: elastic/x-pack-elasticsearch@feb5afbee4
2017-06-13 11:54:06 +02:00
Ryan Ernst c1a3f50e19 Convert script uses to use source/id keys (elastic/x-pack-elasticsearch#1670)
This is the xpack side of
https://github.com/elastic/elasticsearch/pull/25127

Original commit: elastic/x-pack-elasticsearch@e25bd90825
2017-06-09 08:29:36 -07:00
Tim Vernum fe37109c3f [DOCS] [Security] Documentation for Role Mapping API (elastic/x-pack-elasticsearch#1474)
Includes:
- Extensive changes to "mapping roles" section
- New section for role mapping API
- Updates to LDAP/AD/PKI realms to refer to API based role mapping 
- Updates to LDAP/AD realms: `unmapped_groups_as_roles` only looks at file-based mappings 
- Updates to LDAP/AD realms: new setting for "metadata"

Original commit: elastic/x-pack-elasticsearch@6349f665f5
2017-06-06 14:12:31 +10:00
Clinton Gormley c4845bc095 The nexus.png image should not be inline - was creating a folder called ":images"
Original commit: elastic/x-pack-elasticsearch@f935e44b04
2017-06-03 15:12:36 +02:00
David Pilato 39cabad4d0 Fix bad link for Nexus OSS
Related to elastic/x-pack-elasticsearch#1301

Original commit: elastic/x-pack-elasticsearch@2273e8ba24
2017-05-31 10:36:09 +02:00
David Pilato 7f0bc5dff4 Add documentation about configuring an enterprise Nexus instance (elastic/x-pack-elasticsearch#1301)
Original commit: elastic/x-pack-elasticsearch@cb10936aa7
2017-05-29 11:21:32 +02:00
Clinton Gormley 844a97586e Updated docs for cross-cluster search (elastic/x-pack-elasticsearch#1478)
* Updated docs for cross-cluster search

Wildcards are now supported in both cluster alias and index name,
and the "view_index_metadata" privilege is automatically conferred
by the "read_cross_cluster" role.

* For now, best to allow users permissions to query all indices on all remote clusters

Original commit: elastic/x-pack-elasticsearch@31959f78f4
2017-05-23 19:18:03 +02:00
Tim Vernum 9f7f8ffb4d Outstanding docs for 5.4 changes (elastic/x-pack-elasticsearch#1280)
Docs for security features in 5.4

- `has_privileges` API
-  ldap metadata.

Original commit: elastic/x-pack-elasticsearch@22c733c814
2017-05-12 16:51:47 +10:00
Tim Vernum 441589e21f [DOCS] Clarify built-in and internal uses/roles (elastic/x-pack-elasticsearch#1269)
- Describe internal users (_system, _xpack)
- Explain that built-in users are not the same as native users
- More clarification around logstash_system role and kibana_system role.

Closes: elastic/x-pack-elasticsearch#734
Closes: elastic/x-pack-elasticsearch#268
Closes: elastic/x-pack-elasticsearch#1116

Original commit: elastic/x-pack-elasticsearch@2ecbd3419f
2017-05-12 15:41:44 +10:00
Lisa Cawley 9b2fb6ac16 [DOCS] Change "data feed" to "datafeed" in Machine Learning documentation (elastic/x-pack-elasticsearch#1277)
* [DOCS] Add xpackml attribute to XPack Reference

* [DOCS] Use attribute for datafeed terms

Original commit: elastic/x-pack-elasticsearch@f37bf48ee4
2017-05-02 12:45:42 -07:00
Jay Modi f7fb02f21f Ensure we always respect a user specified filter in the AD realm (elastic/x-pack-elasticsearch#1161)
When the active directory realm was refactored to add support for authenticating against multiple
domains, only the default authenticator respected the user_search.filter setting. This commit moves
this down to the base authenticator and also changes the UPN filter to not include sAMAccountName
in the filter.

Original commit: elastic/x-pack-elasticsearch@d2c19c9bee
2017-04-27 10:20:59 -04:00
Clinton Gormley 16177d46d3 Updated cross-cluster search docs to mention lack of support of wildcards
Also updated the required permissions.

Original commit: elastic/x-pack-elasticsearch@cd10ef2f81
2017-04-27 13:32:40 +02:00
Clinton Gormley 61f7adbfc9 Documented privileges required to use cross cluster search with Security
Original commit: elastic/x-pack-elasticsearch@ae410fdb16
2017-04-21 13:37:45 +02:00
lcawley f64c608159 [DOCS] Sort list of built-in roles
Original commit: elastic/x-pack-elasticsearch@5684860ea8
2017-04-20 09:40:31 -07:00
Lisa Cawley bf110ba05e [DOCS] Document machine_learning_admin and machine_learning_user roles (elastic/x-pack-elasticsearch#1132)
* [DOCS] Document machine_learning_admin and machine_learning_user roles

* [DOCS] Fix auth requirements for ML result APIs

* [DOCS] Update authorization.asciidoc based on elastic/x-pack-elasticsearch#1132

Original commit: elastic/x-pack-elasticsearch@1bf563e8d7
2017-04-20 08:45:30 -07:00
Ali Beyad 7def5ac01d [DOCS] Documentation for Custom Roles Providers
relates elastic/x-pack-elasticsearch#721

Original commit: elastic/x-pack-elasticsearch@67fdba706c
2017-04-19 11:10:33 -04:00
Lisa Cawley 5223acdd9f [DOCS] Multiple fixes related to privileges in ML documentation (elastic/x-pack-elasticsearch#1110)
* [DOCS] Add privilege requirements to ML API docs

* [DOCS] Document ML cluster-level privileges

Original commit: elastic/x-pack-elasticsearch@221c67d395
2017-04-18 15:13:21 -07:00
debadair ac441fab57 [DOCS] Migrating images to separate x-pack repos.
Original commit: elastic/x-pack-elasticsearch@80317c063b
2017-04-18 13:13:12 -07:00
Jay Modi b59b6bbdd4 Remove SecuredString and use SecureString from elasticsearch core (elastic/x-pack-elasticsearch#1092)
This commit removes the SecuredString class that was previously used throughout the security code
and replaces it with the SecureString class from core that was added as part of the new secure
settings infrastructure.

relates elastic/x-pack-elasticsearch#421

Original commit: elastic/x-pack-elasticsearch@e9cd117ca1
2017-04-17 13:28:46 -04:00
Lisa Cawley 398d5c13c9 [DOCS] Fix ordered list in Getting Started with Security (elastic/x-pack-elasticsearch#1070)
Original commit: elastic/x-pack-elasticsearch@9c8929a079
2017-04-12 13:30:01 -07:00
Alexander Reelsen 71852c7215 Security: Add watcher_user and watcher_admin role (elastic/x-pack-elasticsearch#983)
This built-in watcher_admin role is able to execute all watcher actions,
read the watch history indices and read the watches index.
The watcher_user role allows to GET a watch and to get the stats and that's it.

relates elastic/x-pack-elasticsearch#978

Original commit: elastic/x-pack-elasticsearch@11b33a413b
2017-04-11 16:28:55 +01:00