810 lines
30 KiB
Plaintext
810 lines
30 KiB
Plaintext
[role="xpack"]
|
|
[[security-settings]]
|
|
=== Security Settings in Elasticsearch
|
|
++++
|
|
<titleabbrev>Security Settings</titleabbrev>
|
|
++++
|
|
|
|
You configure `xpack.security` settings to
|
|
<<anonymous-access-settings, enable anonymous access>>
|
|
and perform message authentication,
|
|
<<field-document-security-settings, set up document and field level security>>,
|
|
<<realm-settings, configure realms>>,
|
|
<<ssl-tls-settings, encrypt communications with SSL>>, and
|
|
<<auditing-settings, audit security events>>.
|
|
|
|
All of these settings can be added to the `elasticsearch.yml` configuration file,
|
|
with the exception of the secure settings, which you add to the {es} keystore.
|
|
For more information about creating and updating the {es} keystore, see
|
|
<<secure-settings>>.
|
|
|
|
[float]
|
|
[[general-security-settings]]
|
|
==== General Security Settings
|
|
`xpack.security.enabled`::
|
|
Set to `true` (default) to enable {security} on the node. +
|
|
+
|
|
If set to `false` in `elasticsearch.yml`, {security} is disabled. It also
|
|
affects all {kib} instances that connect to this {es} instance; you do not
|
|
need to disable {security} in those `kibana.yml` files. For more information
|
|
about disabling {security} in specific {kib} instances, see
|
|
{kibana-ref}/security-settings-kb.html[{kib} Security Settings].
|
|
|
|
`xpack.security.hide_settings`::
|
|
A comma-separated list of settings that are omitted from the results of the
|
|
<<cluster-nodes-info,cluster nodes info API>>. You can use wildcards to include
|
|
multiple settings in the list. For example, the following value hides all the
|
|
settings for the ad1 realm: `xpack.security.authc.realms.ad1.*`. The API already
|
|
omits all `ssl` settings, `bind_dn`, and `bind_password` due to the
|
|
sensitive nature of the information.
|
|
|
|
[float]
|
|
[[password-security-settings]]
|
|
==== Default Password Security Settings
|
|
`xpack.security.authc.accept_default_password`::
|
|
In `elasticsearch.yml`, set this to `false` to disable support for the default "changeme" password.
|
|
|
|
[float]
|
|
[[anonymous-access-settings]]
|
|
==== Anonymous Access Settings
|
|
You can configure the following anonymous access settings in
|
|
`elasticsearch.yml`. For more information, see {xpack-ref}/anonymous-access.html[
|
|
Enabling Anonymous Access].
|
|
|
|
`xpack.security.authc.anonymous.username`::
|
|
The username (principal) of the anonymous user. Defaults to `_es_anonymous_user`.
|
|
|
|
`xpack.security.authc.anonymous.roles`::
|
|
The roles to associate with the anonymous user. Required.
|
|
|
|
`xpack.security.authc.anonymous.authz_exception`::
|
|
When `true`, an HTTP 403 response is returned if the anonymous user
|
|
does not have the appropriate permissions for the requested action. The
|
|
user is not prompted to provide credentials to access the requested
|
|
resource. When set to `false`, a HTTP 401 is returned and the user
|
|
can provide credentials with the appropriate permissions to gain
|
|
access. Defaults to `true`.
|
|
|
|
[float]
|
|
[[field-document-security-settings]]
|
|
==== Document and Field Level Security Settings
|
|
|
|
You can set the following document and field level security
|
|
settings in `elasticsearch.yml`. For more information, see
|
|
{xpack-ref}/field-and-document-access-control.html[Setting Up Document and Field
|
|
Level Security].
|
|
|
|
`xpack.security.dls_fls.enabled`::
|
|
Set to `false` to prevent document and field level security
|
|
from being configured. Defaults to `true`.
|
|
|
|
[float]
|
|
[[token-service-settings]]
|
|
==== Token Service Settings
|
|
|
|
You can set the following token service settings in
|
|
`elasticsearch.yml`.
|
|
|
|
`xpack.security.authc.token.enabled`::
|
|
Set to `false` to disable the built-in token service. Defaults to `true` unless
|
|
`xpack.security.http.ssl.enabled` is `false` and `http.enabled` is `true`.
|
|
This prevents sniffing the token from a connection over plain http.
|
|
|
|
`xpack.security.authc.token.timeout`::
|
|
The length of time that a token is valid for. By default this value is `20m` or
|
|
20 minutes. The maximum value is 1 hour.
|
|
|
|
[float]
|
|
[[realm-settings]]
|
|
==== Realm Settings
|
|
You configure realm settings in the `xpack.security.authc.realms`
|
|
namespace in `elasticsearch.yml`. For example:
|
|
|
|
[source,yaml]
|
|
----------------------------------------
|
|
xpack.security.authc.realms:
|
|
|
|
realm1:
|
|
type: native
|
|
order: 0
|
|
...
|
|
|
|
realm2:
|
|
type: ldap
|
|
order: 1
|
|
...
|
|
|
|
realm3:
|
|
type: active_directory
|
|
order: 2
|
|
...
|
|
...
|
|
----------------------------------------
|
|
|
|
The valid settings vary depending on the realm type. For more
|
|
information, see {xpack-ref}/setting-up-authentication.html[Setting Up Authentication].
|
|
|
|
[float]
|
|
===== Settings Valid for All Realms
|
|
|
|
`type`::
|
|
The type of the realm: `native, `ldap`, `active_directory`, `pki`, or `file`. Required.
|
|
|
|
`order`::
|
|
The priority of the realm within the realm chain. Defaults to `Integer.MAX_VALUE`.
|
|
|
|
`enabled`::
|
|
Enable/disable the realm. Defaults to `true`.
|
|
|
|
[[ref-users-settings]]
|
|
|
|
[float]
|
|
===== File Realm Settings
|
|
|
|
`cache.ttl`::
|
|
The time-to-live for cached user entries--user credentials are cached for
|
|
this configured period of time. Defaults to `20m`. Specify values using the
|
|
standard Elasticsearch {ref}/common-options.html#time-units[time units].
|
|
Defaults to `20m`.
|
|
|
|
`cache.max_users`::
|
|
The maximum number of user entries that can live in the cache at a given time.
|
|
Defaults to 100,000.
|
|
|
|
`cache.hash_algo`::
|
|
(Expert Setting) The hashing algorithm that is used for the in-memory cached
|
|
user credentials. See the {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for
|
|
all possible values. Defaults to `ssha256`.
|
|
|
|
[[ref-ldap-settings]]
|
|
[float]
|
|
===== LDAP Realm Settings
|
|
`url`::
|
|
An LDAP URL in the format `ldap[s]://<server>:<port>`. Required.
|
|
|
|
`load_balance.type`::
|
|
The behavior to use when there are multiple LDAP URLs defined. For supported
|
|
values see {xpack-ref}/ldap-realm.html#ldap-load-balancing[LDAP load balancing and failover types].
|
|
Defaults to `failover`.
|
|
|
|
`load_balance.cache_ttl`::
|
|
When using `dns_failover` or `dns_round_robin` as the load balancing type,
|
|
this setting controls the amount of time to cache DNS lookups. Defaults
|
|
to `1h`.
|
|
|
|
`bind_dn`::
|
|
The DN of the user that will be used to bind to the LDAP and perform searches.
|
|
Only applicable in {xpack-ref}/ldap-realm.html#ldap-user-search[user search mode].
|
|
If this is not specified, an anonymous bind will be attempted.
|
|
Defaults to Empty.
|
|
|
|
`bind_password`::
|
|
The password for the user that will be used to bind to the LDAP.
|
|
Defaults to Empty.
|
|
|
|
`user_dn_templates`::
|
|
The DN template that replaces the user name with the string `{0}`.
|
|
This element is multivalued; you can specify multiple user contexts.
|
|
Required to operate in user template mode. Not valid
|
|
if `user_search.base_dn` is specified. For more information on
|
|
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
|
|
|
|
`user_group_attribute`::
|
|
Specifies the attribute to examine on the user for group membership.
|
|
The default is `memberOf`. This setting will be ignored if any
|
|
`group_search` settings are specified. Defaults to `memberOf`.
|
|
|
|
`user_search.base_dn`::
|
|
Specifies a container DN to search for users. Required
|
|
to operated in user search mode. Not valid if
|
|
`user_dn_templates is specified. For more information on
|
|
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
|
|
|
|
`user_search.scope`::
|
|
The scope of the user search. Valid values are `sub_tree`, `one_level` or
|
|
`base`. `one_level` only searches objects directly contained within the
|
|
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
|
|
`base` specifies that the `base_dn` is the user object, and that it is
|
|
the only user considered. Defaults to `sub_tree`.
|
|
|
|
`user_search.filter`::
|
|
Specifies the filter used to search the directory in attempt to match
|
|
an entry with the username provided by the user. Defaults to `(uid={0})`.
|
|
`{0}` is substituted with the username provided when searching.
|
|
|
|
`user_search.attribute`::
|
|
This setting is deprecated; use `user_search.filter` instead.
|
|
The attribute to match with the username presented to. Defaults to `uid`.
|
|
|
|
`user_search.pool.enabled`::
|
|
Enables or disables connection pooling for user search. When
|
|
disabled a new connection is created for every search. The
|
|
default is `true` when `bind_dn` is provided.
|
|
|
|
`user_search.pool.size`::
|
|
The maximum number of connections to the LDAP server to allow in the
|
|
connection pool. Defaults to `20`.
|
|
|
|
`user_search.pool.initial_size`::
|
|
The initial number of connections to create to the LDAP server on startup.
|
|
Defaults to `0`.
|
|
|
|
`user_search.pool.health_check.enabled`::
|
|
Flag to enable or disable a health check on LDAP connections in the connection
|
|
pool. Connections are checked in the background at the specified interval.
|
|
Defaults to `true`.
|
|
|
|
`user_search.pool.health_check.dn`::
|
|
The distinguished name to be retrieved as part of the health check.
|
|
Defaults to the value of `bind_dn` if present, and if
|
|
not falls back to `user_search.base_dn`.
|
|
|
|
`user_search.pool.health_check.interval`::
|
|
The interval to perform background checks of connections in the pool.
|
|
Defaults to `60s`.
|
|
|
|
`group_search.base_dn`::
|
|
The container DN to search for groups in which the user has membership. When
|
|
this element is absent, Security searches for the attribute specified by
|
|
`user_group_attribute` set on the user in order to determine group membership.
|
|
|
|
`group_search.scope`::
|
|
Specifies whether the group search should be `sub_tree`, `one_level` or
|
|
`base`. `one_level` only searches objects directly contained within the
|
|
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
|
|
`base` specifies that the `base_dn` is a group object, and that it is the
|
|
only group considered. Defaults to `sub_tree`.
|
|
|
|
`group_search.filter`::
|
|
When not set, the realm searches for `group`, `groupOfNames`, `groupOfUniqueNames`,
|
|
or `posixGroup` with the attributes `member`, `memberOf`, or `memberUid`. Any
|
|
instance of `{0}` in the filter is replaced by the user attribute defined in
|
|
`group_search.user_attribute`.
|
|
|
|
`group_search.user_attribute`::
|
|
Specifies the user attribute that will be fetched and provided as a parameter to
|
|
the filter. If not set, the user DN is passed into the filter. Defaults to Empty.
|
|
|
|
`unmapped_groups_as_roles`::
|
|
Takes a boolean variable. When this element is set to `true`, the names of any
|
|
LDAP groups that are not referenced in a role-mapping _file_ are used as role
|
|
names and assigned to the user. Defaults to `false`.
|
|
|
|
`files.role_mapping`::
|
|
The {xpack-ref}/security-files.html[location] for the {xpack-ref}/mapping-roles.html#mapping-roles[
|
|
YAML role mapping configuration file]. Defaults to
|
|
`CONFIG_DIR/x-pack/role_mapping.yml`.
|
|
|
|
`follow_referrals`::
|
|
Boolean value that specifies whether Securityshould follow referrals returned
|
|
by the LDAP server. Referrals are URLs returned by the server that are to be
|
|
used to continue the LDAP operation (e.g. search). Defaults to `true`.
|
|
|
|
`metadata`::
|
|
A list of additional LDAP attributes that should be loaded from the
|
|
LDAP server and stored in the authenticated user's metadata field.
|
|
|
|
`timeout.tcp_connect`::
|
|
The TCP connect timeout period for establishing an LDAP connection.
|
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
|
Defaults to `5s` (5 seconds ).
|
|
|
|
`timeout.tcp_read`::
|
|
The TCP read timeout period after establishing an LDAP connection.
|
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
|
Defaults to `5s` (5 seconds ).
|
|
|
|
`timeout.ldap_search`::
|
|
The LDAP Server enforced timeout period for an LDAP search.
|
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
|
Defaults to `5s` (5 seconds ).
|
|
|
|
`ssl.key`::
|
|
Path to a PEM encoded file containing the private key.
|
|
|
|
`ssl.key_passphrase`::
|
|
The passphrase that is used to decrypt the private key. This value is
|
|
optional as the key may not be encrypted.
|
|
|
|
`ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
|
|
The passphrase that is used to decrypt the private key.
|
|
|
|
`ssl.certificate`::
|
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
|
that will be presented to clients when they connect.
|
|
|
|
`ssl.certificate_authorities`::
|
|
List of paths to PEM encoded certificate files that should be trusted.
|
|
|
|
`ssl.keystore.path`::
|
|
The path to the Java Keystore file that contains a private key and certificate.
|
|
`ssl.key` and `ssl.keystore.path` may not be used at the same time.
|
|
|
|
`ssl.keystore.type`::
|
|
The format of the keystore file. Should be either `jks` to use the Java
|
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
|
|
|
`ssl.keystore.password`::
|
|
The password to the keystore.
|
|
|
|
`ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
|
The password to the keystore.
|
|
|
|
`ssl.keystore.key_password`::
|
|
The password for the key in the keystore. Defaults to the keystore password.
|
|
|
|
`ssl.keystore.secure_key_password`::
|
|
The password for the key in the keystore. Defaults to the keystore password.
|
|
|
|
`ssl.truststore.path`::
|
|
The path to the Java Keystore file that contains the certificates to trust.
|
|
`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time.
|
|
|
|
`ssl.truststore.password`::
|
|
The password to the truststore.
|
|
|
|
`ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
|
The password to the truststore.
|
|
|
|
`ssl.truststore.type`::
|
|
The format of the keystore file. Should be either `jks` to use the Java
|
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
|
|
|
`ssl.verification_mode`::
|
|
Indicates the type of verification when using `ldaps` to protect against man
|
|
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
|
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
|
|
|
|
`ssl.supported_protocols`::
|
|
Supported protocols with versions. Defaults to the value of
|
|
`xpack.ssl.supported_protocols`.
|
|
|
|
`ssl.cipher_suites`
|
|
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
|
Java Cryptography Architecture documentation]. Defaults to the value of
|
|
`xpack.ssl.cipher_suites`.
|
|
|
|
`cache.ttl`::
|
|
Specifies the time-to-live for cached user entries (a user and its credentials
|
|
are cached for this period of time). Use the standard Elasticsearch
|
|
{ref}/common-options.html#time-units[time units]). Defaults to `20m`.
|
|
|
|
`cache.max_users`::
|
|
Specifies the maximum number of user entries that the cache can contain.
|
|
Defaults to `100000`.
|
|
|
|
`cache.hash_algo`::
|
|
(Expert Setting) Specifies the hashing algorithm that is used for the
|
|
in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms]
|
|
table for all possible values). Defaults to `ssha256`.
|
|
|
|
[[ref-ad-settings]]
|
|
[float]
|
|
===== Active Directory Realm Settings
|
|
|
|
`url`::
|
|
A URL in the format `ldap[s]://<server>:<port>`. Defaults to `ldap://<domain_name>:389`.
|
|
|
|
`load_balance.type`::
|
|
The behavior to use when there are multiple LDAP URLs defined. For supported
|
|
values see {xpack-ref}/active-directory-realm.html#ad-load-balancing[load balancing and failover types].
|
|
Defaults to `failover`.
|
|
|
|
`load_balance.cache_ttl`::
|
|
When using `dns_failover` or `dns_round_robin` as the load balancing type,
|
|
this setting controls the amount of time to cache DNS lookups. Defaults
|
|
to `1h`.
|
|
|
|
`domain_name`::
|
|
The domain name of Active Directory. The cluster can derive the URL and
|
|
`user_search_dn` fields from values in this element if those fields are not
|
|
otherwise specified. Required.
|
|
|
|
`bind_dn`::
|
|
The DN of the user that will be used to bind to Active Directory and perform searches.
|
|
Defaults to Empty.
|
|
|
|
`bind_password`::
|
|
The password for the user that will be used to bind to Active Directory.
|
|
Defaults to Empty.
|
|
|
|
`unmapped_groups_as_roles`::
|
|
Takes a boolean variable. When this element is set to `true`, the names of any
|
|
LDAP groups that are not referenced in a role-mapping _file_ are used as role
|
|
names and assigned to the user. Defaults to `false`.
|
|
|
|
`files.role_mapping`::
|
|
The {xpack-ref}/security-files.html[location] for the YAML
|
|
role mapping configuration file. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
|
|
|
|
`user_search.base_dn`::
|
|
The context to search for a user. Defaults to the root
|
|
of the Active Directory domain.
|
|
|
|
`user_search.scope`::
|
|
Specifies whether the user search should be `sub_tree`, `one_level` or `base`.
|
|
`one_level` only searches users directly contained within the `base_dn`.
|
|
`sub_tree` searches all objects contained under `base_dn`. `base`
|
|
specifies that the `base_dn` is a user object, and that it is the
|
|
only user considered. Defaults to `sub_tree`.
|
|
|
|
`user_search.filter`::
|
|
Specifies a filter to use to lookup a user given a username. The default
|
|
filter looks up `user` objects with either `sAMAccountName` or
|
|
`userPrincipalName`.
|
|
|
|
`user_search.upn_filter`::
|
|
Specifies a filter to use to lookup a user given a user principal name.
|
|
The default filter looks up `user` objects with
|
|
a matching `userPrincipalName`. If specified, this
|
|
must be a valid LDAP user search filter, for example
|
|
`(&(objectClass=user)(userPrincipalName={1}))`. `{1}` is the full user principal name
|
|
provided by the user.
|
|
|
|
`user_search.down_level_filter`::
|
|
Specifies a filter to use to lookup a user given a down level logon name
|
|
(DOMAIN\user). The default filter looks up `user` objects with a matching
|
|
`sAMAccountName` in the domain provided. If specified, this
|
|
must be a valid LDAP user search filter, for example
|
|
`(&(objectClass=user)(sAMAccountName={0}))`.
|
|
|
|
`user_search.pool.enabled`::
|
|
Enables or disables connection pooling for user search. When
|
|
disabled a new connection is created for every search. The
|
|
default is `true` when `bind_dn` is provided.
|
|
|
|
`user_search.pool.size`::
|
|
The maximum number of connections to the Active Directory server to allow in the
|
|
connection pool. Defaults to `20`.
|
|
|
|
`user_search.pool.initial_size`::
|
|
The initial number of connections to create to the Active Directory server on startup.
|
|
Defaults to `0`.
|
|
|
|
`user_search.pool.health_check.enabled`::
|
|
Flag to enable or disable a health check on Active Directory connections in the connection
|
|
pool. Connections are checked in the background at the specified interval.
|
|
Defaults to `true`.
|
|
|
|
`user_search.pool.health_check.dn`::
|
|
The distinguished name to be retrieved as part of the health check.
|
|
Defaults to the value of `bind_dn` if it is a distinguished name.
|
|
|
|
`user_search.pool.health_check.interval`::
|
|
The interval to perform background checks of connections in the pool.
|
|
Defaults to `60s`.
|
|
|
|
`group_search.base_dn`::
|
|
The context to search for groups in which the user has membership. Defaults
|
|
to the root of the Active Directory domain.
|
|
|
|
`group_search.scope`::
|
|
Specifies whether the group search should be `sub_tree`, `one_level` or
|
|
`base`. `one_level` searches for groups directly contained within the
|
|
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
|
|
`base` specifies that the `base_dn` is a group object, and that it is
|
|
the only group considered. Defaults to `sub_tree`.
|
|
|
|
`metadata`::
|
|
A list of additional LDAP attributes that should be loaded from the
|
|
LDAP server and stored in the authenticated user's metadata field.
|
|
|
|
`timeout.tcp_connect`::
|
|
The TCP connect timeout period for establishing an LDAP connection.
|
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
|
Defaults to `5s` (5 seconds ).
|
|
|
|
`timeout.tcp_read`::
|
|
The TCP read timeout period after establishing an LDAP connection.
|
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
|
Defaults to `5s` (5 seconds ).
|
|
|
|
`timeout.ldap_search`::
|
|
The LDAP Server enforced timeout period for an LDAP search.
|
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
|
Defaults to `5s` (5 seconds ).
|
|
|
|
`ssl.certificate`::
|
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
|
that will be presented to clients when they connect.
|
|
|
|
`ssl.certificate_authorities`::
|
|
List of paths to PEM encoded certificate files that should be trusted.
|
|
|
|
`ssl.key`::
|
|
Path to the PEM encoded file containing the private key.
|
|
|
|
`ssl.key_passphrase`::
|
|
The passphrase that is used to decrypt the private key. This value is
|
|
optional as the key might not be encrypted.
|
|
|
|
`ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
|
|
The passphrase that is used to decrypt the private key. This value is
|
|
optional as the key might not be encrypted.
|
|
|
|
`ssl.keystore.key_password`::
|
|
The password for the key in the keystore. Defaults to the keystore password.
|
|
|
|
`ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
|
The password for the key in the keystore. Defaults to the keystore password.
|
|
|
|
`ssl.keystore.password`::
|
|
The password to the keystore.
|
|
|
|
`ssl.secure_keystore.password` (<<secure-settings,Secure>>)::
|
|
The password to the keystore.
|
|
|
|
`ssl.keystore.path`::
|
|
The path to the Java Keystore file that contains a private key and certificate.
|
|
|
|
`ssl.keystore.type`::
|
|
The format of the keystore file. Should be either `jks` to use the Java
|
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
|
|
|
`ssl.truststore.password`::
|
|
The password to the truststore.
|
|
|
|
`ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
|
The password to the truststore.
|
|
|
|
`ssl.truststore.path`::
|
|
The path to the Java Keystore file that contains the certificates to trust.
|
|
|
|
`ssl.truststore.type`::
|
|
The format of the truststore file. Should be either `jks` to use the Java
|
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
|
|
|
`ssl.verification_mode`::
|
|
Indicates the type of verification when using `ldaps` to protect against man
|
|
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
|
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
|
|
|
|
`ssl.supported_protocols`::
|
|
Supported protocols with versions. Defaults to the value of
|
|
`xpack.ssl.supported_protocols`.
|
|
|
|
`ssl.cipher_suites`::
|
|
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
|
Java Cryptography Architecture documentation]. Defaults to the value of
|
|
`xpack.ssl.cipher_suites`.
|
|
|
|
`cache.ttl`::
|
|
Specifies the time-to-live for cached user entries (user
|
|
credentials are cached for this configured period of time). Use the
|
|
standard Elasticsearch {ref}/common-options.html#time-units[time units]).
|
|
Defaults to `20m`.
|
|
|
|
`cache.max_users`::
|
|
Specifies the maximum number of user entries that the cache can contain.
|
|
Defaults to `100000`.
|
|
|
|
`cache.hash_algo`::
|
|
(Expert Setting) Specifies the hashing algorithm that will be used for
|
|
the in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for all possible values). Defaults to `ssha256`.
|
|
|
|
[[ref-pki-settings]]
|
|
[float]
|
|
===== PKI Realm Settings
|
|
|
|
`username_pattern`::
|
|
The regular expression pattern used to extract the username from the
|
|
certificate DN. The first match group is the used as the username.
|
|
Defaults to `CN=(.*?)(?:,\|$)`
|
|
|
|
`certificate_authorities`::
|
|
List of PEM certificate files that should be used to authenticate a
|
|
user's certificate as trusted. Defaults to the trusted certificates configured for SSL.
|
|
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
|
This setting may not be used with `truststore.path`.
|
|
|
|
`truststore.algorithm`::
|
|
Algorithm for the truststore. Defaults to `SunX509`.
|
|
|
|
`truststore.password`::
|
|
The password for the truststore. Must be provided if `truststore.path` is set.
|
|
|
|
`truststore.secure_password` (<<secure-settings,Secure>>)::
|
|
The password for the truststore.
|
|
|
|
`truststore.path`::
|
|
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
|
|
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
|
This setting may not be used with `certificate_authorities`.
|
|
|
|
`files.role_mapping`::
|
|
Specifies the {xpack-ref}/security-files.html[location] of the
|
|
{xpack-ref}/mapping-roles.html[YAML role mapping configuration file].
|
|
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
|
|
|
|
[float]
|
|
[[ssl-tls-settings]]
|
|
==== Default TLS/SSL Settings
|
|
You can configure the following TLS/SSL settings in
|
|
`elasticsearch.yml`. For more information, see
|
|
{xpack-ref}/encrypting-communications.html[Encrypting Communications]. These settings will be used
|
|
for all of {xpack} unless they have been overridden by more specific
|
|
settings such as those for HTTP or Transport.
|
|
|
|
`xpack.ssl.supported_protocols`::
|
|
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
|
|
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
|
|
`TLSv1`.
|
|
|
|
`xpack.ssl.client_authentication`::
|
|
Controls the server's behavior in regard to requesting a certificate
|
|
from client connections. Valid values are `required`, `optional`, and `none`.
|
|
`required` forces a client to present a certificate, while `optional`
|
|
requests a client certificate but the client is not required to present one.
|
|
Defaults to `required`.
|
|
|
|
`xpack.ssl.verification_mode`::
|
|
Controls the verification of certificates. Valid values are `none`,
|
|
`certificate`, and `full`. Defaults to `full`.
|
|
|
|
`xpack.ssl.cipher_suites`::
|
|
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
|
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
|
|
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. If the _Java Cryptography Extension (JCE) Unlimited Strength
|
|
Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
|
|
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`.
|
|
|
|
[float]
|
|
[[tls-ssl-key-settings]]
|
|
===== Default TLS/SSL Key and Trusted Certificate Settings
|
|
|
|
The following settings are used to specify a private key, certificate, and the
|
|
trusted certificates that should be used when communicating over an SSL/TLS connection.
|
|
If none of the settings below are specified, this will default to the <<ssl-tls-settings, {xpack}
|
|
defaults>>. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be
|
|
trusted along with the certificate(s) from the <<tls-ssl-key-settings, key settings>>. The key and certificate must be in place
|
|
for connections that require client authentication or when acting as a SSL enabled server.
|
|
|
|
[float]
|
|
===== PEM Encoded Files
|
|
|
|
When using PEM encoded files, use the following settings:
|
|
|
|
`xpack.ssl.key`::
|
|
Path to the PEM encoded file containing the private key.
|
|
|
|
`xpack.ssl.key_passphrase`::
|
|
The passphrase that is used to decrypt the private key. This value is
|
|
optional as the key might not be encrypted.
|
|
|
|
`xpack.ssl.secure_key_passphrase` ({<<secure-settings,Secure>>)::
|
|
The passphrase that is used to decrypt the private key. This value is
|
|
optional as the key might not be encrypted.
|
|
|
|
`xpack.ssl.certificate`::
|
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
|
that will be presented to clients when they connect.
|
|
|
|
`xpack.ssl.certificate_authorities`::
|
|
List of paths to the PEM encoded certificate files that should be trusted.
|
|
|
|
[float]
|
|
===== Java Keystore Files
|
|
|
|
When using Java keystore files (JKS), which contain the private key, certificate
|
|
and certificates that should be trusted, use the following settings:
|
|
|
|
`xpack.ssl.keystore.path`::
|
|
Path to the keystore that holds the private key and certificate.
|
|
|
|
`xpack.ssl.keystore.password`::
|
|
Password to the keystore.
|
|
|
|
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
|
Password to the keystore.
|
|
|
|
`xpack.ssl.keystore.key_password`::
|
|
Password for the private key in the keystore. Defaults to the
|
|
same value as `xpack.ssl.keystore.password`.
|
|
|
|
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
|
Password for the private key in the keystore.
|
|
|
|
`xpack.ssl.truststore.path`::
|
|
Path to the truststore file.
|
|
|
|
`xpack.ssl.truststore.password`::
|
|
Password to the truststore.
|
|
|
|
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
|
Password to the truststore.
|
|
|
|
[float]
|
|
===== PKCS#12 Files
|
|
|
|
When using PKCS#12 container files (`.p12` or `.pfx`), which contain the
|
|
private key, certificate, and certificates that should be trusted, use
|
|
the following settings:
|
|
|
|
`xpack.ssl.keystore.path`::
|
|
Path to the PKCS#12 file that holds the private key and certificate.
|
|
|
|
`xpack.ssl.keystore.type`::
|
|
Set this to `PKCS12`.
|
|
|
|
`xpack.ssl.keystore.password`::
|
|
Password to the PKCS#12 file.
|
|
|
|
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
|
Password to the PKCS#12 file.
|
|
|
|
`xpack.ssl.keystore.key_password`::
|
|
Password for the private key in the PKCS12 file.
|
|
Defaults to the same value as `xpack.ssl.keystore.password`.
|
|
|
|
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
|
Password for the private key in the PKCS12 file.
|
|
|
|
`xpack.ssl.truststore.path`::
|
|
Path to the truststore file.
|
|
|
|
`xpack.ssl.truststore.type`::
|
|
Set this to `PKCS12`.
|
|
|
|
`xpack.ssl.truststore.password`::
|
|
Password to the truststore.
|
|
|
|
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
|
Password to the truststore.
|
|
|
|
[[http-tls-ssl-settings]]
|
|
:ssl-prefix: xpack.security.http
|
|
:component: HTTP
|
|
:client-auth-default: none
|
|
:verifies!:
|
|
:server:
|
|
|
|
include::ssl-settings.asciidoc[]
|
|
|
|
[[transport-tls-ssl-settings]]
|
|
:ssl-prefix: xpack.security.transport
|
|
:component: Transport
|
|
:client-auth-default!:
|
|
:verifies:
|
|
:server:
|
|
|
|
include::ssl-settings.asciidoc[]
|
|
|
|
[[ssl-tls-profile-settings]]
|
|
[float]
|
|
===== Transport Profile TLS/SSL Settings
|
|
The same settings that are available for the <<transport-tls-ssl-settings, default transport>>
|
|
are also available for each transport profile. By default, the settings for a
|
|
transport profile will be the same as the default transport unless they
|
|
are specified.
|
|
|
|
As an example, lets look at the key setting. For the default transport
|
|
this is `xpack.security.transport.ssl.key`. In order to use this setting in a
|
|
transport profile, use the prefix `transport.profiles.$PROFILE.xpack.security.` and
|
|
append the portion of the setting after `xpack.security.transport.`. For the key
|
|
setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`.
|
|
|
|
[float]
|
|
[[ip-filtering-settings]]
|
|
==== IP Filtering Settings
|
|
You can configure the following settings for {xpack-ref}/ip-filtering.html[IP filtering].
|
|
|
|
`xpack.security.transport.filter.allow`::
|
|
List of IP addresses to allow.
|
|
|
|
`xpack.security.transport.filter.deny`::
|
|
List of IP addresses to deny.
|
|
|
|
`xpack.security.http.filter.allow`::
|
|
List of IP addresses to allow just for HTTP.
|
|
|
|
`xpack.security.http.filter.deny`::
|
|
List of IP addresses to deny just for HTTP.
|
|
|
|
`transport.profiles.$PROFILE.xpack.security.filter.allow`::
|
|
List of IP addresses to allow for this profile.
|
|
|
|
`transport.profiles.$PROFILE.xpack.security.filter.deny`::
|
|
List of IP addresses to deny for this profile.
|