[role="xpack"] [[configuring-security]] == Configuring security in {es} ++++ Configuring Security ++++ {security} enables you to easily secure a cluster. With {security}, you can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and auditing. For more information, see {xpack-ref}/xpack-security.html[Securing the Elastic Stack]. To use {security} in {es}: . Verify that you are using a license that includes the {security} feature. + -- If you want to try all of the {xpack} features, you can start a 30-day trial. At the end of the trial period, you can purchase a subscription to keep using the full functionality of the {xpack} components. For more information, see https://www.elastic.co/subscriptions and {xpack-ref}/license-management.html[License Management]. -- . Verify that the `xpack.security.enabled` setting is `true` on each node in your cluster. If you are using a trial license, the default value is `false`. For more information, see {ref}/security-settings.html[Security Settings in {es}]. . Configure Transport Layer Security (TLS/SSL) for internode-communication. + -- NOTE: This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more information, see {xpack-ref}/encrypting-communications.html[Encrypting Communications]. -- .. <>. .. <>. . If it is not already running, start {es}. . Set the passwords for all built-in users. + -- {security} provides {stack-ov}/built-in-users.html[built-in users] to help you get up and running. The +elasticsearch-setup-passwords+ command is the simplest method to set the built-in users' passwords for the first time. For example, you can run the command in an "interactive" mode, which prompts you to enter new passwords for the `elastic`, `kibana`, `beats_system`, and `logstash_system` users: [source,shell] -------------------------------------------------- bin/elasticsearch-setup-passwords interactive -------------------------------------------------- For more information about the command options, see <>. IMPORTANT: The `elasticsearch-setup-passwords` command uses a transient bootstrap password that is no longer valid after the command runs successfully. You cannot run the `elasticsearch-setup-passwords` command a second time. Instead, you can update passwords from the **Management > Users** UI in {kib} or use the security user API. -- . Choose which types of realms you want to use to authenticate users. ** <>. ** <>. ** <>. ** <>. ** <>. ** <>. . Set up roles and users to control access to {es}. For example, to grant _John Doe_ full access to all indices that match the pattern `events*` and enable him to create visualizations and dashboards for those indices in {kib}, you could create an `events_admin` role and and assign the role to a new `johndoe` user. + -- [source,shell] ---------------------------------------------------------- curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{ "indices" : [ { "names" : [ "events*" ], "privileges" : [ "all" ] }, { "names" : [ ".kibana*" ], "privileges" : [ "manage", "read", "index" ] } ] }' curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{ "password" : "userpassword", "full_name" : "John Doe", "email" : "john.doe@anony.mous", "roles" : [ "events_admin" ] }' ---------------------------------------------------------- // NOTCONSOLE -- [[enable-auditing]] . Enable auditing to keep track of attempted and successful interactions with your {es} cluster: + -- .. Add the following setting to `elasticsearch.yml` on all nodes in your cluster: + [source,yaml] ---------------------------- xpack.security.audit.enabled: true ---------------------------- + For more information, see {xpack-ref}/auditing.html[Auditing Security Events] and <>. .. Restart {es}. By default, events are logged to a dedicated `elasticsearch-access.log` file in `ES_HOME/logs`. You can also store the events in an {es} index for easier analysis and control what events are logged. -- include::securing-communications/securing-elasticsearch.asciidoc[] include::securing-communications/configuring-tls-docker.asciidoc[] include::securing-communications/enabling-cipher-suites.asciidoc[] include::securing-communications/separating-node-client-traffic.asciidoc[] include::authentication/configuring-active-directory-realm.asciidoc[] include::authentication/configuring-file-realm.asciidoc[] include::authentication/configuring-ldap-realm.asciidoc[] include::authentication/configuring-native-realm.asciidoc[] include::authentication/configuring-pki-realm.asciidoc[] include::authentication/configuring-saml-realm.asciidoc[] include::{es-repo-dir}/settings/security-settings.asciidoc[] include::{es-repo-dir}/settings/audit-settings.asciidoc[]