Commit Graph

32 Commits

Author SHA1 Message Date
Lisa Cawley bbcb33b519 [DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288)
Original commit: elastic/x-pack-elasticsearch@110df8a58e
2018-04-05 12:06:43 -07:00
Tim Vernum e69c5d4d48 Add secure_bind_password to LDAP realm (elastic/x-pack-elasticsearch#4192)
Adds a SecureSetting option for the "bind_password" in LDAP/AD realms
and deprecates the non-secure version.

LDAP bind passwords should now be configured with the setting
`xpack.security.authc.realms.REALM_NAME.secure_bind_password`
in the elasticsearch keystore.

Original commit: elastic/x-pack-elasticsearch@1a0cebd77e
2018-03-29 16:31:45 +10:00
Yogesh Gaikwad 0de6376452 [DOCS] `xpack.ssl.client_authentication` setting does not apply to HTTP (elastic/x-pack-elasticsearch#4113)
Fix the documentation to mention the global setting does not apply to HTTP.

relates elastic/x-pack-elasticsearch#3413

Original commit: elastic/x-pack-elasticsearch@f9dc545b4a
2018-03-20 18:45:36 +11:00
Tim Vernum 80b5ac9562 [DOC] SAML documentation (elastic/x-pack-elasticsearch#3657)
Includes:
- docs for new realm type "saml"
- docs for new settings for SAML realms
- a guide for setting up SAML accross ES + Kibana

Original commit: elastic/x-pack-elasticsearch@85f8f6d409
2018-02-05 12:22:54 +11:00
Lisa Cawley 9435ffe64b [DOCS] Clarify PKI realm support (elastic/x-pack-elasticsearch#3703)
Original commit: elastic/x-pack-elasticsearch@55da7a07d1
2018-01-24 08:32:23 -08:00
Lisa Cawley 0ea43c1aa1 [DOCS] Move auditing settings to Elasticsearch Reference (elastic/x-pack-elasticsearch#3608)
Original commit: elastic/x-pack-elasticsearch@a108afd26b
2018-01-18 09:18:24 -08:00
Lisa Cawley da3d9dcf69 [DOCS] Added hide_settings to security settings (elastic/x-pack-elasticsearch#2801)
* [DOCS] Added hide_settings to security settings

* [DOCS] Addressed feedback about hide_settings

Original commit: elastic/x-pack-elasticsearch@6a6d394c71
2017-11-01 09:21:11 -07:00
Lisa Cawley 73e819b0bd [DOCS] Add secure versions of SSL passphrases (elastic/x-pack-elasticsearch#2478)
* [DOCS] Add secure versions of SSL passphrases

* [DOCS] Add secure xpack settings

* [DOCS] Clarify type of keystore

* [DOCS] Added secure settings to security page

* [DOCS] Clarify X-Pack secure settings

* [DOCS] Reformat secure X-Pack settings

Original commit: elastic/x-pack-elasticsearch@efe043fb67
2017-10-24 16:38:37 +01:00
David Roberts 10cc0088e4 [DOCS] Make clearer that xpack.xyz.enabled settings are node settings (elastic/x-pack-elasticsearch#2731)
The discussion in elastic/x-pack-elasticsearch#2697 shows that this was not clear before.

relates elastic/x-pack-elasticsearch#2697

Original commit: elastic/x-pack-elasticsearch@87553faa2c
2017-10-13 09:22:21 +01:00
Jay Modi 53d6d945f0 Update documentation to reflect the latest TLS changes and licensing (elastic/x-pack-elasticsearch#2508)
This commit updates to documentation and adds notes about TLS being required to install a
license.

Relates elastic/x-pack-elasticsearch#2463

Original commit: elastic/x-pack-elasticsearch@0d8bfb98ea
2017-09-15 08:44:03 -06:00
Simon Willnauer 2f5aeb6c6f Remove token passphrase setting (elastic/x-pack-elasticsearch#2318)
This change removes `xpack.security.authc.token.passphrase` entirely since from
6.0 onwards we use randomly generated keys by the master there is no need for
this setting anymore. This setting will be deprecated from 6.0 onwards.

Original commit: elastic/x-pack-elasticsearch@37ba90359e
2017-09-12 15:34:41 +02:00
Lisa Cawley e4a008f9ee [DOCS] Update passphrase security setting (elastic/x-pack-elasticsearch#2431)
Original commit: elastic/x-pack-elasticsearch@8834d64f10
2017-09-06 08:13:59 -07:00
Albert Zaharovits 026729e911 TOKEN_SERVICE_ENABLED_SETTING enabled if HTTP_SSL_ENABLED (elastic/x-pack-elasticsearch#2321)
`authc.token.enabled` is true unless `http.ssl.enabled` is `false` and `http.enabled` is `true`.

* TokenService default enabled if HTTP_ENABLED == false

* Fixed tests that need TokenService explicitly enabled

* [DOC] Default value for `xpack.security.authc.token.enabled`

Original commit: elastic/x-pack-elasticsearch@bd154d16eb
2017-08-23 13:21:30 +03:00
lcawley e2f7081693 [DOCS] Add abbreviated titles
Original commit: elastic/x-pack-elasticsearch@a4cf8a363f
2017-08-11 10:00:35 -07:00
Lisa Cawley a6a76f8d2a [DOCS] Clarify xpack.security.enabled info (elastic/x-pack-elasticsearch#2166)
Original commit: elastic/x-pack-elasticsearch@140e330973
2017-08-04 08:59:50 -07:00
Jay Modi 7291eb55fe Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137)
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM
supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the
unlimited policy file needs to be installed. In order to simplify the work a user would need to do
we can detect this support and automatically enable the AES 256 bit versions of the ciphers we
already enable.

Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
2017-08-01 07:36:35 -06:00
Tim Vernum 9ab6d3cbc3 [Security] Support PKCSelastic/x-pack-elasticsearch#12 keystores (elastic/x-pack-elasticsearch#2066)
Adds support for reading PKCSelastic/x-pack-elasticsearch#12 files as SSL keystores/truststores.

Original commit: elastic/x-pack-elasticsearch@1855ad6173
2017-07-25 17:31:37 +10:00
Tim Vernum 15f5c5a632 [DOCS] Minor updates to TLS/SSL docs (elastic/x-pack-elasticsearch#2069)
- Fix typo `trustsore` -> `truststore` in several places
- Clarify that enabling TLS requires full restart

Original commit: elastic/x-pack-elasticsearch@0f430a1bea
2017-07-25 13:03:07 +10:00
Jay Modi 6fdad6039f Allow the Active Directory UPN authenticator to work with suffixes (elastic/x-pack-elasticsearch#1958)
The active directory user principal name format typically takes the form user@domain, which is what
the current implementation expects. However, active directory also allows the definition of other
suffixes that are not actual domains. A user can still authenticate using this user principal name
but the behavior of our realm would cause it to fail as it parsed the suffix as a domain and used it
as the search base for the user. Instead, we should use the default user search base and only look
for entries that have this exact user principal name. In a scenario where a realm is configured for
multiple domains in the same forest, the search base should be the base for the entire forest.

relates elastic/x-pack-elasticsearch#1744

Original commit: elastic/x-pack-elasticsearch@de00c4817e
2017-07-13 10:08:22 -06:00
Tim Vernum a36121a725 [DOCS] [Security] Templates do not use bind_dn (elastic/x-pack-elasticsearch#1979)
Document that user_dn_template mode for LDAP authentication does not support bind_dn

Original commit: elastic/x-pack-elasticsearch@eef72615a8
2017-07-13 14:23:23 +10:00
Jay Modi e686d8a3bf Add active directory bind user and user lookup support (elastic/x-pack-elasticsearch#1956)
This commit adds support for a bind user when using the active directory realm. The addition of a
bind user also enables support for the user lookup mechanism, which is necessary to support the run
as functionality that we provide.

relates elastic/x-pack-elasticsearch#179

Original commit: elastic/x-pack-elasticsearch@40b07b3422
2017-07-12 14:01:39 -06:00
Jay Modi 03ed2bbbd0 Add setting for the LDAP user search filter and deprecate user attribute (elastic/x-pack-elasticsearch#1959)
This commit adds a setting to allow changing the user search filter. Previously the filter was a
simple equality filter that mapped a given attribute to the value of the username. The default
behavior remains the same with this change but provides additional flexibility to users to who may
need more advanced LDAP searches. The user attribute setting has been deprecated due to the overlap
with the new filter setting.

relates elastic/x-pack-elasticsearch#1861

Original commit: elastic/x-pack-elasticsearch@e9d797e81c
2017-07-11 09:27:24 -06:00
Tim Vernum c5012ac6e8 [DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)
- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example 
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
2017-07-07 13:33:35 +10:00
Tim Brooks c773115c39 Remove doc reference disabling-default-password
This section has been removed from setting-up-authentication. This
commit removes a reference to this section that no longer exists.

Original commit: elastic/x-pack-elasticsearch@43aa0077f9
2017-06-29 16:01:44 -05:00
Lisa Cawley f2e20f86e4 [DOCS] Fix X-Pack settings for Elasticsearch (elastic/x-pack-elasticsearch#1863)
Original commit: elastic/x-pack-elasticsearch@8469db2909
2017-06-27 09:14:35 -07:00
Deb Adair ea9ce967ca [DOCS] Fixed broken links.
Original commit: elastic/x-pack-elasticsearch@7ddf574e38
2017-06-26 12:54:59 -07:00
Deb Adair 0cf3d935eb [DOCS] Fixed xrefs to X-Pack content.
Original commit: elastic/x-pack-elasticsearch@c9ed85e910
2017-06-26 10:35:25 -07:00
Deb Adair 806b0bc710 [DOCS] Removed UI and Logstash settings & updated links to that info.
Original commit: elastic/x-pack-elasticsearch@2434e503dd
2017-06-26 09:04:56 -07:00
Jay Modi 940722d5fe Document settings for the token service (elastic/x-pack-elasticsearch#1381)
relates elastic/x-pack-elasticsearch#1345

Original commit: elastic/x-pack-elasticsearch@87234ad866
2017-06-22 08:45:14 -06:00
Tim Vernum fe37109c3f [DOCS] [Security] Documentation for Role Mapping API (elastic/x-pack-elasticsearch#1474)
Includes:
- Extensive changes to "mapping roles" section
- New section for role mapping API
- Updates to LDAP/AD/PKI realms to refer to API based role mapping 
- Updates to LDAP/AD realms: `unmapped_groups_as_roles` only looks at file-based mappings 
- Updates to LDAP/AD realms: new setting for "metadata"

Original commit: elastic/x-pack-elasticsearch@6349f665f5
2017-06-06 14:12:31 +10:00
Jay Modi f7fb02f21f Ensure we always respect a user specified filter in the AD realm (elastic/x-pack-elasticsearch#1161)
When the active directory realm was refactored to add support for authenticating against multiple
domains, only the default authenticator respected the user_search.filter setting. This commit moves
this down to the base authenticator and also changes the UPN filter to not include sAMAccountName
in the filter.

Original commit: elastic/x-pack-elasticsearch@d2c19c9bee
2017-04-27 10:20:59 -04:00
debadair 9f505d16d4 [DOCS] Migrated settings topics from x-pack repo to x-pack-elasticsearch.
Original commit: elastic/x-pack-elasticsearch@e56dcf6066
2017-04-06 17:39:12 -07:00