[role="xpack"]
[[configuring-security]]
== Configuring security in {es}
++++
<titleabbrev>Configuring security</titleabbrev>
++++

The {es} {security-features} enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security measures
such as encrypting communications, role-based access control, IP filtering, and
auditing. For more information, see <>.

. Verify that you are using a license that includes the specific
{security-features} you want.
+
--
For more information, see https://www.elastic.co/subscriptions and
{stack-ov}/license-management.html[License management].
--

. Verify that the `xpack.security.enabled` setting is `true` on each node in
your cluster. If you are using basic or trial licenses, the default value is
`false`. For more information, see <>.

. If you plan to run {es} in a Federal Information Processing Standard (FIPS)
140-2 enabled JVM, see <>.

. <>.
+
--
NOTE: This requirement applies to clusters with more than one node and to
clusters with a single node that listens on an external interface. Single-node
clusters that use a loopback interface do not have this requirement. For more
information, see <>.

--

. If it is not already running, start {es}.

. Set the passwords for all built-in users.
+
--
The {es} {security-features} provide <> to help you get up and running. The
+elasticsearch-setup-passwords+ command is the simplest method to set the
built-in users' passwords for the first time.

For example, you can run the command in an "interactive" mode, which prompts you
to enter new passwords for the built-in users:

[source,shell]
--------------------------------------------------
bin/elasticsearch-setup-passwords interactive
--------------------------------------------------

For more information about the command options, see <>.

IMPORTANT: The `elasticsearch-setup-passwords` command uses a transient bootstrap
password that is no longer valid after the command runs successfully. You cannot
run the `elasticsearch-setup-passwords` command a second time. Instead, you can
update passwords from the **Management > Users** UI in {kib} or use the security
user API.

--

. Choose which types of realms you want to use to authenticate users.
+
--
TIP: The types of authentication realms that you can enable vary according to
your subscription. For more information, see https://www.elastic.co/subscriptions.

--
** <>
** <>
** <>
** <>
** <>
** <>
** <>

. Set up roles and users to control access to {es}.
+
--
For example, to grant _John Doe_ full access to all indices that match
the pattern `events*` and enable them to create visualizations and dashboards
for those indices in {kib}, you could create an `events_admin` role
and assign the role to a new `johndoe` user.

[source,shell]
----------------------------------------------------------
# Create the events_admin role (curl prompts for the elastic user's password).
curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

# Create the johndoe user and assign the events_admin role to it.
curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'
----------------------------------------------------------
// NOTCONSOLE
--

. [[enable-auditing]](Optional) Enable auditing to keep track of attempted and
successful interactions with your {es} cluster:
+
--
TIP: Audit logging is available with specific subscriptions. For more
information, see https://www.elastic.co/subscriptions.

.. Add the following setting to `elasticsearch.yml` on all nodes in your cluster:
+
[source,yaml]
----------------------------
xpack.security.audit.enabled: true
----------------------------
+
For more information, see <> and <>.

.. Restart {es}. Events are logged to a dedicated `_audit.json` file in
`ES_HOME/logs`, on each cluster node.
--

To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see <>.

include::securing-communications/separating-node-client-traffic.asciidoc[]
include::reference/files.asciidoc[]
include::fips-140-compliance.asciidoc[]
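
Once auditing is enabled as described in the optional step above, the `_audit.json` file on each node can be reviewed for rejected requests. The following is an added example, not part of the original documentation or the {es} code base. It assumes one JSON object per line with the `event.action`, `user.name` and `origin.address` fields of the JSON audit log, which this page does not list. The function name, threshold and sample lines are hypothetical and constructed.

```python
import json
from collections import Counter

# event.action values that indicate a rejected request.
FAILURE_ACTIONS = {"authentication_failed", "anonymous_access_denied", "access_denied"}

def summarize_failures(lines, threshold=3):
    """Count rejected requests per (action, user, source host).

    Returns (flagged, skipped): keys seen at least `threshold` times, and the
    number of lines that were not valid JSON objects (e.g. cut off by rotation).
    """
    counts, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        action = event.get("event.action")
        if action not in FAILURE_ACTIONS:
            continue
        user = event.get("user.name", "<none>")  # absent for anonymous requests
        # origin.address is "host:port"; drop the ephemeral port so retries group.
        host = event.get("origin.address", "<unknown>").rsplit(":", 1)[0]
        counts[(action, user, host)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}, skipped

def _line(action, user, origin):  # builds one constructed audit line
    return json.dumps({"event.action": action, "user.name": user, "origin.address": origin})

# Constructed sample input, not real events.
SAMPLE = [
    _line("authentication_failed", "elastic", "10.0.0.5:40312"),
    _line("authentication_failed", "elastic", "10.0.0.5:40313"),
    _line("authentication_failed", "elastic", "10.0.0.5:40320"),
    _line("authentication_failed", "johndoe", "[::1]:51504"),
    _line("access_granted", "johndoe", "[::1]:51510"),
    _line("access_denied", "johndoe", "[::1]:51511"),
    '{"event.action":"authent',  # truncated line
]

if __name__ == "__main__":
    flagged, skipped = summarize_failures(SAMPLE)
    for (action, user, host), n in sorted(flagged.items()):
        print(f"{n}x {action} user={user} from={host}")
    print(f"skipped {skipped} unparseable line(s)")
```

To run it against a node's log, pass an open file handle for that node's audit file as `lines`.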