Commit Graph

82 Commits

Author SHA1 Message Date
Jay Modi d86e7870da Security: add manage_index_templates to the kibana_system role (elastic/x-pack-elasticsearch#3009)
This commit adds the manage_index_templates permission to the kibana_system role that is used by
the kibana system user. This is needed due to an upcoming feature in kibana where a index template
will be used to create the saved objects index.

relates elastic/x-pack-elasticsearch#2937

Original commit: elastic/x-pack-elasticsearch@85a67c73aa
2017-11-21 08:45:07 -07:00
Dimitrios Liappis a89bfe84ba [DOCS] Split long lines in Docker TLS getting-started snippet
and add warning for Windows users not using
PowerShell (e.g. `cmd.exe`) to remove the `\` character and join
lines.

Also fix trailing whitespace character in link back to `docker.asciidoc`.

Relates elastic/x-pack-elasticsearch#2999

Original commit: elastic/x-pack-elasticsearch@fe1c5dbc11
2017-11-14 14:25:52 +02:00
Dimitrios Liappis 00ccac9203 [DOCS] Fix wrapped lines in code blocks of TLS getting started guide
Relates elastic/x-pack-elasticsearch#2970

Original commit: elastic/x-pack-elasticsearch@a279e57270
2017-11-13 20:00:35 +02:00
Lisa Cawley fb769be92e [DOCS] Added TLS configuration info for Docker (elastic/x-pack-elasticsearch#2939)
* [DOCS] Add docker TLS configuration info

* [DOCS] Updated layout of TLS docker page

* [DOCS] Clean up docker TLS pages

* [DOCS] Changed nesting of TLS docker info

* [DOCS] More small updates to TLS docker page

Original commit: elastic/x-pack-elasticsearch@2b0504632a
2017-11-10 09:33:56 -08:00
lcawley b5cb814b32 [DOCS] Add security configuration section
Original commit: elastic/x-pack-elasticsearch@ccae9a84a9
2017-11-09 14:28:56 -08:00
lcawley 61864c3a67 [DOCS] Added troubleshooting for setup-passwords command
Original commit: elastic/x-pack-elasticsearch@6196c1e2bf
2017-11-01 09:35:53 -07:00
Martijn van Groningen 9a1c103bb2 security: Fail search request if profile is used and DLS is active.
Original commit: elastic/x-pack-elasticsearch@b83536460d
2017-10-30 09:12:27 +01:00
Lisa Cawley 215f289a8c [DOCS] Reformatted security troubleshooting pages (elastic/x-pack-elasticsearch#2799)
Original commit: elastic/x-pack-elasticsearch@ec9969ec7a
2017-10-26 13:56:57 -07:00
Martijn van Groningen 62215f1fae security: Fail request if suggesters are used and DLS is active.
Original commit: elastic/x-pack-elasticsearch@056c735e77
2017-10-26 08:02:31 +02:00
lcawley b628815dbe [DOCS] Fixed link to X-Pack transport client
Original commit: elastic/x-pack-elasticsearch@0870334e4b
2017-10-12 13:41:14 +01:00
Lisa Cawley 604229cd4d [DOCS] Added transport client info for X-Pack (elastic/x-pack-elasticsearch#2737)
* [DOCS] Added transport client info for X-Pack

* [DOCS] Relocated X-Pack java client info

* [DOCS] Added transport client deprecation info

Original commit: elastic/x-pack-elasticsearch@416aab1d76
2017-10-12 13:18:44 +01:00
Lisa Cawley 95a5d36289 [DOCS] Add watcher and elevated privilege info (elastic/x-pack-elasticsearch#2632)
Original commit: elastic/x-pack-elasticsearch@2dcbace8a0
2017-09-26 13:26:02 -07:00
Lisa Cawley 64e2f4c93c Update bootstrap security details (elastic/x-pack-elasticsearch#2430)
* [DOCS] Update bootstrap security details

* [DOCS] Addressed feedback about bootstrap

* [DOCS] Update bootstrap password details

* [DOCS] Addressed feedback about setup-passwords

* [DOCS] Update security in x-pack install info

* [DOCS] Remove bootstrap.password details

* [DOCS] Update setup-passwords info

* [DOCS] Re-add bootstrap.password details

Original commit: elastic/x-pack-elasticsearch@04d3ee8509
2017-09-26 08:52:04 -07:00
Lisa Cawley ce7b473741 [DOCS] Added logstash_admin role (elastic/x-pack-elasticsearch#2569)
Original commit: elastic/x-pack-elasticsearch@259bbba6e5
2017-09-22 08:20:31 -07:00
lcawley 0ec98e0190 [DOCS] Fixed broken Kibana link
Original commit: elastic/x-pack-elasticsearch@10db543680
2017-09-20 09:30:02 -07:00
Lisa Cawley 8f1984a86e [DOCS] Enable read-only access for kibana_system user (elastic/x-pack-elasticsearch#2465)
Original commit: elastic/x-pack-elasticsearch@a262acb1b0
2017-09-20 09:25:58 -07:00
Lisa Cawley 4ffaec5173 [DOCS] Remove redundant certgen info (elastic/x-pack-elasticsearch#2542)
Original commit: elastic/x-pack-elasticsearch@6147e32fd1
2017-09-18 14:22:34 -07:00
Lisa Cawley 679ef6a744 [DOCS] Added _xpack_security internal user (elastic/x-pack-elasticsearch#2541)
Original commit: elastic/x-pack-elasticsearch@d1c87af335
2017-09-18 13:32:11 -07:00
jaymode 19de38665e Docs: remove incorrect name attribute from role snippet
relates elastic/x-pack-elasticsearch#2497

Original commit: elastic/x-pack-elasticsearch@ef15a1e36c
2017-09-15 12:51:37 -06:00
Jay Modi 53d6d945f0 Update documentation to reflect the latest TLS changes and licensing (elastic/x-pack-elasticsearch#2508)
This commit updates to documentation and adds notes about TLS being required to install a
license.

Relates elastic/x-pack-elasticsearch#2463

Original commit: elastic/x-pack-elasticsearch@0d8bfb98ea
2017-09-15 08:44:03 -06:00
Lisa Cawley 895d28f462 [DOCS] Remove redundant users command info (elastic/x-pack-elasticsearch#2504)
Original commit: elastic/x-pack-elasticsearch@1c9fa91293
2017-09-14 15:47:21 -07:00
Lisa Cawley 27a8041804 [DOCS] CCS no longer needs local *:* permission (elastic/x-pack-elasticsearch#2445)
Original commit: elastic/x-pack-elasticsearch@fb7f6eaeb2
2017-09-08 08:41:32 -07:00
Lisa Cawley 0cd24a9283 [DOCS] Added kibana_dashboard_only_user role (elastic/x-pack-elasticsearch#2427)
Original commit: elastic/x-pack-elasticsearch@e6ab2238eb
2017-09-05 10:40:58 -07:00
Lisa Cawley a56312a8e9 Update security info in X-Pack installation (elastic/x-pack-elasticsearch#2389)
* [DOCS] Update security info in X-Pack installation

* [DOCS] Remove bootstrap from security info

Original commit: elastic/x-pack-elasticsearch@fc272747b1
2017-08-29 13:17:20 -07:00
Jim Ferenczi 27d8b4c79c Remove the _all metadata field (elastic/x-pack-elasticsearch#2356)
This change removes the `_all` metadata field. This field is deprecated in 6
and cannot be activated for indices created in 6 so it can be safely removed in
the next major version (e.g. 7).

Relates https://github.com/elastic/elasticsearch/pull/26356

Original commit: elastic/x-pack-elasticsearch@a47133c94e
2017-08-28 13:01:27 +02:00
Jason Tedor f3a7d46698 Rename CONF_DIR to ES_PATH_CONF
This commit is following upstream Elasticsearch which has renamed the
environment variable used to specify a custom configuration directory
from CONF_DIR to ES_PATH_CONF.

Relates elastic/x-pack-elasticsearch#2261

Original commit: elastic/x-pack-elasticsearch@9ae29941e5
2017-08-15 06:19:39 +09:00
Lisa Cawley ea05ddd513 [DOCS] Fix principal access_granted attribute (elastic/x-pack-elasticsearch#2257)
Original commit: elastic/x-pack-elasticsearch@9c33afce9f
2017-08-11 16:53:21 -07:00
Lisa Cawley cc7c9aeddb [DOCS] Remove redundant Logstash security page (elastic/x-pack-elasticsearch#2239)
Original commit: elastic/x-pack-elasticsearch@8f66e85fb0
2017-08-10 15:31:41 -07:00
Lisa Cawley e500fba354 [DOCS] Update links to Kibana security (elastic/x-pack-elasticsearch#2235)
Original commit: elastic/x-pack-elasticsearch@88f29b3321
2017-08-10 12:56:03 -07:00
Lisa Cawley ccf0b6f2ed [DOCS] Fix typo (elastic/x-pack-elasticsearch#2211)
Original commit: elastic/x-pack-elasticsearch@6efb78c1b2
2017-08-08 12:52:52 -07:00
Jay Modi 7291eb55fe Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137)
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM
supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the
unlimited policy file needs to be installed. In order to simplify the work a user would need to do
we can detect this support and automatically enable the AES 256 bit versions of the ciphers we
already enable.

Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
2017-08-01 07:36:35 -06:00
Lisa Cawley af050a2da6 [DOCS] Move Reporting and Security out of X-Pack Reference (elastic/x-pack-elasticsearch#2134)
Original commit: elastic/x-pack-elasticsearch@3e007e0679
2017-07-31 09:55:08 -07:00
Lisa Cawley 2e3d0e9262 [DOCS] Fix read description in indices privileges (elastic/x-pack-elasticsearch#2119)
Original commit: elastic/x-pack-elasticsearch@59884cf832
2017-07-28 09:06:15 -07:00
lcawley 29bb00a7ca [DOCS] Modify SSL settings in Kibana security
Original commit: elastic/x-pack-elasticsearch@927c3c9ed6
2017-07-25 17:25:22 -07:00
Tim Vernum 15f5c5a632 [DOCS] Minor updates to TLS/SSL docs (elastic/x-pack-elasticsearch#2069)
- Fix typo `trustsore` -> `truststore` in several places
- Clarify that enabling TLS requires full restart

Original commit: elastic/x-pack-elasticsearch@0f430a1bea
2017-07-25 13:03:07 +10:00
Deb Adair 3ace57d512 [DOCS] Updates to make GS minidoc build.
Original commit: elastic/x-pack-elasticsearch@04c168e653
2017-07-20 11:24:57 -07:00
Tim Brooks a0fd423db1 Update documentation for bootstrap password work (elastic/x-pack-elasticsearch#2031)
This is related to elastic/x-pack-elasticsearch#1217. The commit adds documenation describing how to
use the bootstrap password and setup-password tool.

Original commit: elastic/x-pack-elasticsearch@1bad8ddb4d
2017-07-20 11:23:20 -05:00
Tim Vernum 1bbc579cf3 [Security] [certgen] Option to generate PKCSelastic/x-pack-elasticsearch#12 (elastic/x-pack-elasticsearch#2013)
Add an option to the ssl certificate generation tool (certgen) that generates PKCSelastic/x-pack-elasticsearch#12 (.p12) files in addition to the certificate (.crt) and key (.key) files.
A PKCSelastic/x-pack-elasticsearch#12 store is a container format for storing multiple crypto objects in a single file, which means we can put the cert and key into the same file.

These format is particularly useful for .NET environments, where .NET Core requires a single into file for PKI authentication.

Also adds documentation for all the command-line options in certgen.

Original commit: elastic/x-pack-elasticsearch@d10f88f12d
2017-07-19 12:04:31 +10:00
Jay Modi 6fdad6039f Allow the Active Directory UPN authenticator to work with suffixes (elastic/x-pack-elasticsearch#1958)
The active directory user principal name format typically takes the form user@domain, which is what
the current implementation expects. However, active directory also allows the definition of other
suffixes that are not actual domains. A user can still authenticate using this user principal name
but the behavior of our realm would cause it to fail as it parsed the suffix as a domain and used it
as the search base for the user. Instead, we should use the default user search base and only look
for entries that have this exact user principal name. In a scenario where a realm is configured for
multiple domains in the same forest, the search base should be the base for the entire forest.

relates elastic/x-pack-elasticsearch#1744

Original commit: elastic/x-pack-elasticsearch@de00c4817e
2017-07-13 10:08:22 -06:00
Colin Goodheart-Smithe 8aec1d4737 [DOCS] Remove reference to field stats in security limitations
Original commit: elastic/x-pack-elasticsearch@9ca673ea36
2017-07-13 12:00:16 +01:00
Tim Vernum a36121a725 [DOCS] [Security] Templates do not use bind_dn (elastic/x-pack-elasticsearch#1979)
Document that user_dn_template mode for LDAP authentication does not support bind_dn

Original commit: elastic/x-pack-elasticsearch@eef72615a8
2017-07-13 14:23:23 +10:00
Jay Modi e686d8a3bf Add active directory bind user and user lookup support (elastic/x-pack-elasticsearch#1956)
This commit adds support for a bind user when using the active directory realm. The addition of a
bind user also enables support for the user lookup mechanism, which is necessary to support the run
as functionality that we provide.

relates elastic/x-pack-elasticsearch#179

Original commit: elastic/x-pack-elasticsearch@40b07b3422
2017-07-12 14:01:39 -06:00
Jay Modi 03ed2bbbd0 Add setting for the LDAP user search filter and deprecate user attribute (elastic/x-pack-elasticsearch#1959)
This commit adds a setting to allow changing the user search filter. Previously the filter was a
simple equality filter that mapped a given attribute to the value of the username. The default
behavior remains the same with this change but provides additional flexibility to users to who may
need more advanced LDAP searches. The user attribute setting has been deprecated due to the overlap
with the new filter setting.

relates elastic/x-pack-elasticsearch#1861

Original commit: elastic/x-pack-elasticsearch@e9d797e81c
2017-07-11 09:27:24 -06:00
Clinton Gormley 81101b893a Added note to cross cluster search docs to specify minimum node version of 5.5
Original commit: elastic/x-pack-elasticsearch@98e440f1a4
2017-07-11 14:15:23 +02:00
Tim Vernum c5012ac6e8 [DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)
- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example 
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
2017-07-07 13:33:35 +10:00
Tim Brooks 76bf3ba767 Bring back disabling-default-password docs section
There are multiple references to this section in different areas of the
documentation. This commit brings back this section to fix the build.

A more extensive PR updating the documentation for "no default
password" work will follow up.

Original commit: elastic/x-pack-elasticsearch@0378e78c8a
2017-06-29 16:23:58 -05:00
Jay Modi a9707a461d Use a secure setting for the watcher encryption key (elastic/x-pack-elasticsearch#1831)
This commit removes the system key from master and changes watcher to use a secure setting instead
for the encryption key.

Original commit: elastic/x-pack-elasticsearch@5ac95c60ef
2017-06-29 14:58:35 -06:00
Tim Brooks f2cbe20ea0 Remove default passwords from reserved users (elastic/x-pack-elasticsearch#1665)
This is related to elastic/x-pack-elasticsearch#1217. This PR removes the default password of
"changeme" from the reserved users.

This PR adds special behavior for authenticating the reserved users. No
ReservedRealm user can be authenticated until its password is set. The
one exception to this is the elastic user. The elastic user can be
authenticated with an empty password if the action is a rest request
originating from localhost. In this scenario where an elastic user is
authenticated with a default password, it will have metadata indicating
that it is in setup mode. An elastic user in setup mode is only
authorized to execute a change password request.

Original commit: elastic/x-pack-elasticsearch@e1e101a237
2017-06-29 15:27:57 -05:00
lcawley cbf7c32b88 [DOCS] Fix broken link to security API
Original commit: elastic/x-pack-elasticsearch@85fa16e160
2017-06-28 12:00:28 -07:00
Lisa Cawley 08fdac5a93 [DOCS] Move security APIs to Elasticsearch Ref (elastic/x-pack-elasticsearch#1877)
* [DOCS] Move security APIs to Elasticsearch Ref

* [DOCS] Update links to security APIs

* [DOCS] Fix link to security APIs

Original commit: elastic/x-pack-elasticsearch@d7a9d3f1ab
2017-06-28 11:02:40 -07:00