Commit Graph

128 Commits

Author SHA1 Message Date
Jay Modi 502bc6c572 Clarify index operations for create privilege (elastic/x-pack-elasticsearch#4337)
The `create` privilege can be misleading based on a user's
interpretation of the meaning of the privilege. The create privilege
grants the user access to the index api and the put mapping api. The
index api allows for a document to be created but it also allows for
an existing document to be overwritten (assuming the CREATE operation
type is not used). However, the name `create` implies the ability to
only create a document and not be able to modify an existing document,
which may not be clear to users unfamiliar with the index API.

This commit adds a small note under the privilege in the documentation
that should add some clarity to the operations allowed by this
privilege.

Original commit: elastic/x-pack-elasticsearch@24596c41b0
2018-04-19 08:52:30 -06:00
Lisa Cawley dcedffb0f0 [DOCS] Replaces InetSocketTransportAddress in code samples (elastic/x-pack-elasticsearch#4404)
Original commit: elastic/x-pack-elasticsearch@85b11cccc7
2018-04-18 09:15:43 -07:00
Lisa Cawley 4c38e610fd [DOCS] Adds enabled parameter to user management API (elastic/x-pack-elasticsearch#4364)
Original commit: elastic/x-pack-elasticsearch@166bef4702
2018-04-17 16:15:54 -07:00
Lisa Cawley ed2c6ead7f [DOCS] Move monitoring security and configuration information to Elasticsearch Reference (elastic/x-pack-elasticsearch#4370)
Original commit: elastic/x-pack-elasticsearch@5ff35f7ec6
2018-04-17 10:27:31 -07:00
Shaunak Kashyap 31b118552f Give the logstash_admin role cluster:monitor/main privilege (elastic/x-pack-elasticsearch#4318)
This is required so the Logstash Centralized Configuration Management UI in Kibana may make the GET / request to Elasticsearch and retrieve the cluster UUID. It then uses this cluster UUID to make a call to a Kibana Monitoring API to retrieve a list of pipelines from Monitoring. In order for the Kibana Monitoring API request to succeed, the logged-in user needs to have the built-in monitoring_user role anyway, so we give this role the cluster:monitor/main privilege.

Original commit: elastic/x-pack-elasticsearch@bf6ad5c1df
2018-04-16 10:47:01 -07:00
Lisa Cawley 5742ec92b2 [DOCS] Adds links to Getting Started with Security (elastic/x-pack-elasticsearch#4349)
Original commit: elastic/x-pack-elasticsearch@28148bd72e
2018-04-16 10:37:45 -07:00
Yogesh Gaikwad 1701934dd4 SAML: Support multiple decryption keys for SP (elastic/x-pack-elasticsearch#4289)
- Changes in build SAML SP metadata to support multiple
  encryption keys.
- Changes in Saml metadata command to support the use of
   protected keystores.
- Changes to export and set proper usage type in key
   descriptors of SP saml metadata XML.
- Changes in SAML realm to create chaining key info
   credential resolver backed by Collection of encryption
   keys as per SP configuration.
- Unit tests and test enhancements

relates elastic/x-pack-elasticsearch#3980,elastic/x-pack-elasticsearch#4293

Original commit: elastic/x-pack-elasticsearch@e02ebcc9e6
2018-04-16 17:17:39 +10:00
lcawley 614d28cee7 [DOCS] Fixed xpack.monitoring.elasticsearch.ssl.ca setting
Original commit: elastic/x-pack-elasticsearch@ce453e1a0c
2018-04-13 11:27:31 -07:00
lcawley c09c9e13d7 [DOCS] Removes redundant role examples
Original commit: elastic/x-pack-elasticsearch@ac17cbbdfd
2018-04-12 16:47:45 -07:00
Tim Vernum 411f683521 Document ssl.verification_mode (elastic/x-pack-elasticsearch#4253)
It is common for users to wish to adjust the verification_mode in SSL
settings, usually with the intention of skipping hostname
verification. This has been supported for a long time, but the
relevant configuration setting was not clearly documented, which would
sometimes lead users to set `verification_mode` to `none`, and disable
more checks than they intended.

This commit adds clearer documentation regarding the options available
for `verification_mode` and actively discourages the use of `none`.

Original commit: elastic/x-pack-elasticsearch@2fdf53b42f
2018-04-10 20:27:23 +10:00
Lee Hinman 218e9a57bb Correct documentation for number of salt generation rounds (elastic/x-pack-elasticsearch#4322)
For the user cache, the crypt option rounds are actually the log2 of the number
of rounds. This commits updates the documentation to reflect this.

Original commit: elastic/x-pack-elasticsearch@d3cc2b7f29
2018-04-09 10:59:06 -06:00
Lisa Cawley b6d901f530 [DOCS] Augmented security configuration steps (elastic/x-pack-elasticsearch#4316)
Original commit: elastic/x-pack-elasticsearch@48b47b19ae
2018-04-06 11:48:03 -07:00
Yogesh Gaikwad ed6a6af64c SAML: Make alias for signing key optional (elastic/x-pack-elasticsearch#4248)
We specify an alias for signing key, but when we just have
a single key in key store this is an additional setting which
is annoying. This PR addresses this issue by making it optional.

- Changes in SamlRealmSettings to make signing/encryption
  key alias optional
- Checks if none of the keys are useful for given operation
  signing or encryption throws an error.
- Checks for no of aliases in key-store, if more than one and alias
  is not specified throws error.
- If an alias is not specified and there is just one alias in
  keystore then use it as the credential.
- Unit Tests

Note: A side effect of this change the above-mentioned behavior is
it's also applicable for encryption keys currently, but it is going
to change when fixing elastic/x-pack-elasticsearch#3980 for supporting multiple encryption keys.

relates elastic/x-pack-elasticsearch#3981

Original commit: elastic/x-pack-elasticsearch@2b5af1d8a8
2018-04-06 10:43:35 +10:00
Lisa Cawley bbcb33b519 [DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288)
Original commit: elastic/x-pack-elasticsearch@110df8a58e
2018-04-05 12:06:43 -07:00
Tim Vernum e69c5d4d48 Add secure_bind_password to LDAP realm (elastic/x-pack-elasticsearch#4192)
Adds a SecureSetting option for the "bind_password" in LDAP/AD realms
and deprecates the non-secure version.

LDAP bind passwords should now be configured with the setting
`xpack.security.authc.realms.REALM_NAME.secure_bind_password`
in the elasticsearch keystore.

Original commit: elastic/x-pack-elasticsearch@1a0cebd77e
2018-03-29 16:31:45 +10:00
Tim Vernum bc95ad80ce Add beats_system user to security (elastic/x-pack-elasticsearch#4103)
This creates a new "beats_system" user and role with the same
privileges as the existing "logstash_system" user/role.

The "beat_system" user is also added as a managed user within
the "setup-passwords" command.

Users who upgrade from an earlier version of Elasticsearch/X-Pack
will need to manually set a password for the beats_system user via
the change password API (or Kibana UI)

Original commit: elastic/x-pack-elasticsearch@6087d3a18e
2018-03-20 17:01:53 +10:00
Yogesh Gaikwad 10bb78c3d6 X-Pack-Security: Correct attribute_patterns regex in saml guide (elastic/x-pack-elasticsearch#4159)
X-Pack-Security: Correct attribute_patterns regex in saml guide

relates elastic/x-pack-elasticsearch#4157

Original commit: elastic/x-pack-elasticsearch@546d408e5a
2018-03-20 17:37:05 +11:00
David Roberts 783cabbd2f [DOCS] Reflect recent improvements in notes on watch/datafeed privileges (elastic/x-pack-elasticsearch#4116)
Following elastic/x-pack-elasticsearch#3254 security for ML datafeeds has been improved.  The same goes
for watches since elastic/x-pack-elasticsearch#2808.

This change updates a section of the docs that was missed in those changes.
(The majority of the docs changes were made at the appropriate time.)

Original commit: elastic/x-pack-elasticsearch@b3b24ca483
2018-03-15 10:26:56 +00:00
Ioannis Kakavas 1cc20c4c59 [DOCS] Explain possible values for IDP EntityID (elastic/x-pack-elasticsearch#3875)
Resolves elastic/x-pack-elasticsearch#3865

Original commit: elastic/x-pack-elasticsearch@9102bc1a61
2018-03-09 14:07:51 +02:00
lcawley 39c1dd085a [DOCS] Added link to security commands
Original commit: elastic/x-pack-elasticsearch@168167517b
2018-03-07 13:11:32 -08:00
Tim Vernum c4582cdcd0 Additional settings for SAML NameID policy (elastic/x-pack-elasticsearch#3969)
* Additional settings for SAML NameID policy

We should not be populating SPNameQualifier by default as it is
intended to be used to specify an alternate SP EntityID rather than
our own. Some IdPs (ADFS) fail when presented with this value.

This commit
- makes the SPNameQualifier a setting that defaults to blank
- adds a setting for "AllowCreate"
- documents the above

Original commit: elastic/x-pack-elasticsearch@093557e88f
2018-02-20 13:51:42 +11:00
lcawley 5a445c82fb [DOCS] Fixed broken role mapping link
Original commit: elastic/x-pack-elasticsearch@97b8fae993
2018-02-16 09:59:36 -08:00
Lisa Cawley 3890875a88 [DOCS] Role Mapping API improvements (elastic/x-pack-elasticsearch#3951)
Original commit: elastic/x-pack-elasticsearch@d300c96c7a
2018-02-16 09:29:19 -08:00
lcawley 90b1dec14b [DOCS] Fixed broken TLS link
Original commit: elastic/x-pack-elasticsearch@34ec651dc9
2018-02-15 12:32:37 -08:00
Lisa Cawley 42f9a990d1 [DOCS] Split TLS instructions for HTTP and transport layers (elastic/x-pack-elasticsearch#3895)
Original commit: elastic/x-pack-elasticsearch@77fe30f7d3
2018-02-15 11:41:01 -08:00
Tim Vernum 736cc05d72 [DOCS] Fix broken format in SAML guide
Original commit: elastic/x-pack-elasticsearch@6d268e91f0
2018-02-08 12:37:08 +11:00
Tim Vernum 80b5ac9562 [DOC] SAML documentation (elastic/x-pack-elasticsearch#3657)
Includes:
- docs for new realm type "saml"
- docs for new settings for SAML realms
- a guide for setting up SAML accross ES + Kibana

Original commit: elastic/x-pack-elasticsearch@85f8f6d409
2018-02-05 12:22:54 +11:00
Simon Willnauer 570411c2dc Remove all tribe related code, comments and documentation (elastic/x-pack-elasticsearch#3784)
Relates to elastic/elasticsearch#28443

Original commit: elastic/x-pack-elasticsearch@5c4e7fccc7
2018-01-30 20:40:46 +01:00
Simon Willnauer 730e7075ab Remove XPackExtension in favor of SecurityExtensions (elastic/x-pack-elasticsearch#3734)
This change removes the XPackExtension mechanism in favor of
SecurityExtension that can be loaded via SPI and doesn't need
another (duplicate) plugin infrastructure

Original commit: elastic/x-pack-elasticsearch@f39e62a040
2018-01-26 16:14:11 +01:00
Lisa Cawley 2428e98976 [DOCS] Clarify document level security (elastic/x-pack-elasticsearch#3701)
Original commit: elastic/x-pack-elasticsearch@b4bfe5706c
2018-01-24 09:07:21 -08:00
Lisa Cawley 9435ffe64b [DOCS] Clarify PKI realm support (elastic/x-pack-elasticsearch#3703)
Original commit: elastic/x-pack-elasticsearch@55da7a07d1
2018-01-24 08:32:23 -08:00
Jason Tedor c0790d6a49 Move x-pack-core to core package (elastic/x-pack-elasticsearch#3678)
This commit moves the source file in x-pack-core to a org.elasticsearch.xpack.core package. This is to prevent issues where we have compile-time success reaching through packages that will cross module boundaries at runtime (due to being in different classloaders). By moving these to a separate package, we have compile-time safety. Follow-ups can consider build time checking that only this package is defined in x-pack-core, or sealing x-pack-core until modules arrive for us.

Original commit: elastic/x-pack-elasticsearch@232e156e0e
2018-01-23 12:43:58 -06:00
Lisa Cawley c0edf2197b [DOCS] Replaced settings with links (elastic/x-pack-elasticsearch#3626)
Original commit: elastic/x-pack-elasticsearch@4ad018521e
2018-01-22 15:15:31 -08:00
Albert Zaharovits 0a1e352c5d [DOCS] for audit filtering (elastic/x-pack-elasticsearch#3594)
This documents the changes merged in elastic/x-pack-elasticsearch#3005 and elastic/x-pack-elasticsearch#3100 .

Original commit: elastic/x-pack-elasticsearch@d1702f0480
2018-01-22 11:45:12 +02:00
Lisa Cawley 0ea43c1aa1 [DOCS] Move auditing settings to Elasticsearch Reference (elastic/x-pack-elasticsearch#3608)
Original commit: elastic/x-pack-elasticsearch@a108afd26b
2018-01-18 09:18:24 -08:00
Yogesh Gaikwad 29663c1f38 Fix for Issue elastic/x-pack-elasticsearch#3403 - Predictable ordering of security realms (elastic/x-pack-elasticsearch#3533)
* Security Realms: Predictable ordering for realms

To have predictable ordering of realms, by having secondary
sorting on realm name resulting in stable and consistent documentation.
Documentation update describing how ordering of realms is determined.
Testing done by adding unit test for the change, ran gradle clean check locally.

relates elastic/x-pack-elasticsearch#3403

Original commit: elastic/x-pack-elasticsearch@98c42a8c51
2018-01-17 10:29:00 +11:00
lcawley 56b0f28aa3 [DOCS] More broken link fixes
Original commit: elastic/x-pack-elasticsearch@dd52976660
2018-01-12 13:52:19 -08:00
lcawley d7f81fd95e [DOCS] Fixed broken TLS links
Original commit: elastic/x-pack-elasticsearch@d99a0be781
2018-01-12 11:59:15 -08:00
Lisa Cawley 1369a49b9f [DOCS] Move appropriate TLS content to Elasticsearch Ref (elastic/x-pack-elasticsearch#3416)
Original commit: elastic/x-pack-elasticsearch@a5f96bd7a2
2018-01-12 11:35:16 -08:00
Lisa Cawley 923428e19f [DOCS] Add links to Beats security pages (elastic/x-pack-elasticsearch#3514)
* [DOCS] Added link to new content location

* [DOCS] Add links to Beats security pages

Original commit: elastic/x-pack-elasticsearch@f54f0ef076
2018-01-09 13:33:53 -08:00
Lisa Cawley dc3d5d67a1 [DOCS] Change certgen references to certutil (elastic/x-pack-elasticsearch#3415)
* [DOCS] Change certgen references to certutil

* [DOCS] Updated TLS page with certutil info

* [DOCS] Added certutil examples to TLS page

* [DOCS] Clarified PEM requirement in TLS setup

* [DOCS] Updated certificate instructions

* [DOCS] Fixed security typo

Original commit: elastic/x-pack-elasticsearch@3a326fc87d
2018-01-08 10:14:51 -08:00
lcawley d5e03f9bff [DOCS] Fixed troubleshooting titles
Original commit: elastic/x-pack-elasticsearch@4338580de6
2017-12-15 11:05:20 -08:00
Luca Cavanna 55a19ed394 Deprecate the transport client in favour of the high-level REST client (elastic/x-pack-elasticsearch#2779)
Original commit: elastic/x-pack-elasticsearch@2aeef5df3f
2017-12-01 12:24:26 +01:00
Lisa Cawley 9f59ef6697 [DOCS] Move migrate tool reference (elastic/x-pack-elasticsearch#3011)
* [DOCS] Move migrate tool reference

* [DOCS] Fixed link to migration tool

* [DOCS] Small edits to the migrate tool parameters

* [DOCS] Fixed migrate tool example

Original commit: elastic/x-pack-elasticsearch@0ff40ebdcc
2017-11-27 14:58:18 -08:00
Lisa Cawley 5507c46257 [DOCS] Fixed cross cluster search docs issue (elastic/x-pack-elasticsearch#3113)
Original commit: elastic/x-pack-elasticsearch@023d220082
2017-11-27 07:56:38 -08:00
Igor Kupczyński 18103fae7f Invalid value in the docs for transport.profiles...client_authentication (elastic/x-pack-elasticsearch#3091)
The 6.x and 6.0 versions of the documentation show

```yml
transport.profiles.client.xpack.security.ssl.client_authentication: no
```

Which results in 
```
2017-11-22T11:13:33,225][ERROR][org.elasticsearch.bootstrap.Bootstrap] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.XPackPlugin]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:142) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.node.Node.<init>(Node.java:302) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:130) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:121) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:69) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.0.0.jar:6.0.0]
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.0.0.jar:6.0.0]
	... 14 more
Caused by: java.lang.IllegalArgumentException: could not resolve ssl client auth. unknown value [no]
	at org.elasticsearch.xpack.ssl.SSLClientAuth.parse(SSLClientAuth.java:78) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLConfigurationSettings.lambda$null$27(SSLConfigurationSettings.java:183) ~[?:?]
	at org.elasticsearch.common.settings.Setting.get(Setting.java:352) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.common.settings.Setting.get(Setting.java:346) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.xpack.ssl.SSLConfiguration.<init>(SSLConfiguration.java:80) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService.lambda$loadSSLConfigurations$1(SSLService.java:462) ~[?:?]
	at java.util.ArrayList.forEach(ArrayList.java:1249) ~[?:1.8.0_144]
	at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:461) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87) ~[?:?]
	at org.elasticsearch.xpack.XPackPlugin.<init>(XPackPlugin.java:237) ~[?:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.0.0.jar:6.0.0]
	... 14 more
```

I think the valid value there is `none`, so

```yml
transport.profiles.client.xpack.security.ssl.client_authentication: none
```

The tests seem to confirm that https://github.com/elastic/x-pack-elasticsearch/blob/elastic/x-pack-elasticsearch@4860e92d906e046a23aa07b39ee6ef637f011dc1/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java#L269

Original commit: elastic/x-pack-elasticsearch@a35b3ac8c9
2017-11-22 17:09:06 +00:00
Jay Modi d86e7870da Security: add manage_index_templates to the kibana_system role (elastic/x-pack-elasticsearch#3009)
This commit adds the manage_index_templates permission to the kibana_system role that is used by
the kibana system user. This is needed due to an upcoming feature in kibana where a index template
will be used to create the saved objects index.

relates elastic/x-pack-elasticsearch#2937

Original commit: elastic/x-pack-elasticsearch@85a67c73aa
2017-11-21 08:45:07 -07:00
Dimitrios Liappis a89bfe84ba [DOCS] Split long lines in Docker TLS getting-started snippet
and add warning for Windows users not using
PowerShell (e.g. `cmd.exe`) to remove the `\` character and join
lines.

Also fix trailing whitespace character in link back to `docker.asciidoc`.

Relates elastic/x-pack-elasticsearch#2999

Original commit: elastic/x-pack-elasticsearch@fe1c5dbc11
2017-11-14 14:25:52 +02:00
Dimitrios Liappis 00ccac9203 [DOCS] Fix wrapped lines in code blocks of TLS getting started guide
Relates elastic/x-pack-elasticsearch#2970

Original commit: elastic/x-pack-elasticsearch@a279e57270
2017-11-13 20:00:35 +02:00
Lisa Cawley fb769be92e [DOCS] Added TLS configuration info for Docker (elastic/x-pack-elasticsearch#2939)
* [DOCS] Add docker TLS configuration info

* [DOCS] Updated layout of TLS docker page

* [DOCS] Clean up docker TLS pages

* [DOCS] Changed nesting of TLS docker info

* [DOCS] More small updates to TLS docker page

Original commit: elastic/x-pack-elasticsearch@2b0504632a
2017-11-10 09:33:56 -08:00