Commit Graph

18 Commits

Author SHA1 Message Date
Lisa Cawley a6a76f8d2a [DOCS] Clarify xpack.security.enabled info (elastic/x-pack-elasticsearch#2166)
Original commit: elastic/x-pack-elasticsearch@140e330973
2017-08-04 08:59:50 -07:00
Jay Modi 7291eb55fe Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137)
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM
supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the
unlimited policy file needs to be installed. In order to simplify the work a user would need to do
we can detect this support and automatically enable the AES 256 bit versions of the ciphers we
already enable.

Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
2017-08-01 07:36:35 -06:00
Tim Vernum 9ab6d3cbc3 [Security] Support PKCSelastic/x-pack-elasticsearch#12 keystores (elastic/x-pack-elasticsearch#2066)
Adds support for reading PKCSelastic/x-pack-elasticsearch#12 files as SSL keystores/truststores.

Original commit: elastic/x-pack-elasticsearch@1855ad6173
2017-07-25 17:31:37 +10:00
Tim Vernum 15f5c5a632 [DOCS] Minor updates to TLS/SSL docs (elastic/x-pack-elasticsearch#2069)
- Fix typo `trustsore` -> `truststore` in several places
- Clarify that enabling TLS requires full restart

Original commit: elastic/x-pack-elasticsearch@0f430a1bea
2017-07-25 13:03:07 +10:00
Jay Modi 6fdad6039f Allow the Active Directory UPN authenticator to work with suffixes (elastic/x-pack-elasticsearch#1958)
The active directory user principal name format typically takes the form user@domain, which is what
the current implementation expects. However, active directory also allows the definition of other
suffixes that are not actual domains. A user can still authenticate using this user principal name
but the behavior of our realm would cause it to fail as it parsed the suffix as a domain and used it
as the search base for the user. Instead, we should use the default user search base and only look
for entries that have this exact user principal name. In a scenario where a realm is configured for
multiple domains in the same forest, the search base should be the base for the entire forest.

relates elastic/x-pack-elasticsearch#1744

Original commit: elastic/x-pack-elasticsearch@de00c4817e
2017-07-13 10:08:22 -06:00
Tim Vernum a36121a725 [DOCS] [Security] Templates do not use bind_dn (elastic/x-pack-elasticsearch#1979)
Document that user_dn_template mode for LDAP authentication does not support bind_dn

Original commit: elastic/x-pack-elasticsearch@eef72615a8
2017-07-13 14:23:23 +10:00
Jay Modi e686d8a3bf Add active directory bind user and user lookup support (elastic/x-pack-elasticsearch#1956)
This commit adds support for a bind user when using the active directory realm. The addition of a
bind user also enables support for the user lookup mechanism, which is necessary to support the run
as functionality that we provide.

relates elastic/x-pack-elasticsearch#179

Original commit: elastic/x-pack-elasticsearch@40b07b3422
2017-07-12 14:01:39 -06:00
Jay Modi 03ed2bbbd0 Add setting for the LDAP user search filter and deprecate user attribute (elastic/x-pack-elasticsearch#1959)
This commit adds a setting to allow changing the user search filter. Previously the filter was a
simple equality filter that mapped a given attribute to the value of the username. The default
behavior remains the same with this change but provides additional flexibility to users to who may
need more advanced LDAP searches. The user attribute setting has been deprecated due to the overlap
with the new filter setting.

relates elastic/x-pack-elasticsearch#1861

Original commit: elastic/x-pack-elasticsearch@e9d797e81c
2017-07-11 09:27:24 -06:00
Tim Vernum c5012ac6e8 [DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)
- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example 
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
2017-07-07 13:33:35 +10:00
Tim Brooks c773115c39 Remove doc reference disabling-default-password
This section has been removed from setting-up-authentication. This
commit removes a reference to this section that no longer exists.

Original commit: elastic/x-pack-elasticsearch@43aa0077f9
2017-06-29 16:01:44 -05:00
Lisa Cawley f2e20f86e4 [DOCS] Fix X-Pack settings for Elasticsearch (elastic/x-pack-elasticsearch#1863)
Original commit: elastic/x-pack-elasticsearch@8469db2909
2017-06-27 09:14:35 -07:00
Deb Adair ea9ce967ca [DOCS] Fixed broken links.
Original commit: elastic/x-pack-elasticsearch@7ddf574e38
2017-06-26 12:54:59 -07:00
Deb Adair 0cf3d935eb [DOCS] Fixed xrefs to X-Pack content.
Original commit: elastic/x-pack-elasticsearch@c9ed85e910
2017-06-26 10:35:25 -07:00
Deb Adair 806b0bc710 [DOCS] Removed UI and Logstash settings & updated links to that info.
Original commit: elastic/x-pack-elasticsearch@2434e503dd
2017-06-26 09:04:56 -07:00
Jay Modi 940722d5fe Document settings for the token service (elastic/x-pack-elasticsearch#1381)
relates elastic/x-pack-elasticsearch#1345

Original commit: elastic/x-pack-elasticsearch@87234ad866
2017-06-22 08:45:14 -06:00
Tim Vernum fe37109c3f [DOCS] [Security] Documentation for Role Mapping API (elastic/x-pack-elasticsearch#1474)
Includes:
- Extensive changes to "mapping roles" section
- New section for role mapping API
- Updates to LDAP/AD/PKI realms to refer to API based role mapping 
- Updates to LDAP/AD realms: `unmapped_groups_as_roles` only looks at file-based mappings 
- Updates to LDAP/AD realms: new setting for "metadata"

Original commit: elastic/x-pack-elasticsearch@6349f665f5
2017-06-06 14:12:31 +10:00
Jay Modi f7fb02f21f Ensure we always respect a user specified filter in the AD realm (elastic/x-pack-elasticsearch#1161)
When the active directory realm was refactored to add support for authenticating against multiple
domains, only the default authenticator respected the user_search.filter setting. This commit moves
this down to the base authenticator and also changes the UPN filter to not include sAMAccountName
in the filter.

Original commit: elastic/x-pack-elasticsearch@d2c19c9bee
2017-04-27 10:20:59 -04:00
debadair 9f505d16d4 [DOCS] Migrated settings topics from x-pack repo to x-pack-elasticsearch.
Original commit: elastic/x-pack-elasticsearch@e56dcf6066
2017-04-06 17:39:12 -07:00