honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-03-03 17:39:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/docs/en/security/tribe-clients-integrations/monitoring.asciidoc
Tim Brooks f2cbe20ea0 Remove default passwords from reserved users (elastic/x-pack-elasticsearch#1665) 
This is related to elastic/x-pack-elasticsearch#1217. This PR removes the default password of
"changeme" from the reserved users.

This PR adds special behavior for authenticating the reserved users. No
ReservedRealm user can be authenticated until its password is set. The
one exception to this is the elastic user. The elastic user can be
authenticated with an empty password if the action is a rest request
originating from localhost. In this scenario where an elastic user is
authenticated with a default password, it will have metadata indicating
that it is in setup mode. An elastic user in setup mode is only
authorized to execute a change password request.

Original commit: elastic/x-pack-elasticsearch@e1e101a237
2017-06-29 15:27:57 -05:00

181 lines
6.6 KiB
Plaintext
Raw Blame History

[[secure-monitoring]]
=== Monitoring and Security
<<xpack-monitoring, {monitoring}>> consists of two components: an agent
that you install on on each Elasticsearch and Logstash node, and a Monitoring UI
in Kibana. The monitoring agent collects and indexes metrics from the nodes
and you visualize the data through the Monitoring dashboards in Kibana. The agent
can index data on the same Elasticsearch cluster, or send it to an external
monitoring cluster.
To use {monitoring} with {security} enabled, you need to
<<kibana, set up Kibana to work with {security}>> and create at least one user
for the Monitoring UI. If you are using an external monitoring cluster, you also
need to configure a user for the monitoring agent and configure the agent to use
the appropriate credentials when communicating with the monitoring cluster.
[float]
[[monitoring-ui-users]]
==== Setting Up Monitoring UI Users
When {security} is enabled, Kibana users are prompted to log in when they access
the UI. To use the Monitoring UI, a user must have access to the Kibana indices
and permission to read from the monitoring indices.
You set up Monitoring UI users on the cluster where the monitoring data is being
stored. To grant all of the necessary permissions, assign the user the
`monitoring_user` and `kibana_user` roles:
* If you're using the `native` realm, you can assign roles through Kibana or
with the <<managing-native-users, User Management API>>. For example, the following
command creates a user named `jacknich` and assigns him the `kibana_user` and
`monitoring_user` roles:
+
[source,js]
--------------------------------------------------------------------------------
POST /_xpack/security/user/jacknich
{
"password" : "t0pS3cr3t",
"roles" : [ "kibana_user", "monitoring_user" ]
}
--------------------------------------------------------------------------------
* If you are using an LDAP or Active Directory realm, you can either assign roles
on a per user basis, or assign roles to groups of users. By default, role mappings
are configured in <<mapping-roles, `config/x-pack/role_mapping.yml`>>. For example,
the following snippet assigns the user named Jack Nicholson to the `kibana_user`
and `monitoring_user` roles:
+
[source,yaml]
--------------------------------------------------------------------------------
kibana_user:
- "cn=Jack Nicholson,dc=example,dc=com"
monitoring_user:
- "cn=Jack Nicholson,dc=example,dc=com"
--------------------------------------------------------------------------------
[float]
[[configuring-monitoring-agent-security]]
==== Configuring Monitoring Agent to Communicate with a {security}-Enabled Monitoring Cluster
To configure the monitoring agent to communicate with a secured monitoring cluster:
. Configure a user on the monitoring cluster who has the `remote_monitoring_agent`
role, which is <<built-in-roles-remote-monitoring-agent, built-in to {xpack}>>.
For example:
+
[source,js]
--------------------------------------------------------------------------------
POST /_xpack/security/user/agent-user
{
"password" : "t0pS3cr3t",
"roles" : [ "remote_monitoring_agent" ]
}
--------------------------------------------------------------------------------
+
. On each node in the cluster being monitored, configure a Monitoring HTTP exporter
in `elasticsearch.yml` and restart Elasticsearch. In the exporter configuration,
you need to:
+
--
.. Set the `type` to `http`.
.. Specify the location of the monitoring cluster in the `host` setting.
.. Provide the agent user credentials with the `username` and `password` settings.
For example:
[source,yaml]
--------------------------------------------------
xpack.monitoring.exporters:
id1:
type: http
host: ["http://es-mon1:9200", "http://es-mon2:9200"]
auth:
username: agent-user
password: password
--------------------------------------------------
If SSL/TLS is enabled on the monitoring cluster:
.. Specify the HTTPS protocol when setting the monitoring server host.
.. Include the CA certificate in each node's trusted certificates in order to verify
the identities of the nodes in the monitoring cluster.
To add a CA certificate to an Elasticsearch node's trusted certificates, you
can specify the location of the PEM encoded certificate with the
`certificate_authorities` setting:
[source,yaml]
--------------------------------------------------
xpack.monitoring.exporters:
id1:
type: http
host: ["https://es-mon1:9200", "https://es-mon2:9200"]
auth:
username: agent-user
password: password
ssl:
certificate_authorities: [ "/path/to/ca.crt" ]
id2:
type: local
--------------------------------------------------
Alternatively, you can configure trusted certificates using a truststore
(a Java Keystore file that contains the certificates):
[source,yaml]
--------------------------------------------------
xpack.monitoring.exporters:
id1:
type: http
host: ["https://es-mon1:9200", "https://es-mon2:9200"]
auth:
username: agent-user
password: password
ssl:
truststore.path: /path/to/file
truststore.password: password
id2:
type: local
--------------------------------------------------
--
. On each Logstash node being monitored, update `logstash.yml` to:
+
--
.. Specify the location of the monitoring cluster and provide credentials
for the agent user:
[source,yaml]
--------------------------------------------------
xpack.monitoring.elasticsearch.url: ["http://es-mon-1:9200", "http://es-mon2:9200"]
xpack.monitoring.elasticsearch.username: "remote_monitor"
xpack.monitoring.elasticsearch.password: "x-pack-test-password"
--------------------------------------------------
.. If SSL/TLS is enabled on the monitoring cluster:
* Specify the HTTPS protocol when setting the `elasticsearch.url`.
* Include the CA certificate in each node's trusted certificates in order to verify
the identities of the nodes in the monitoring cluster.
To add a CA certificate to an node's trusted certificates, you
can specify the location of the PEM encoded certificate with the
`xpack.monitoring.elasticsearch.ssl.ca` setting:
[source,yaml]
--------------------------------------------------
xpack.monitoring.elasticsearch.ssl.ca: [ "/path/to/ca.crt" ]
--------------------------------------------------
Alternatively, you can configure trusted certificates using a truststore
(a Java Keystore file that contains the certificates):
[source,yaml]
--------------------------------------------------
xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
xpack.monitoring.elasticsearch.ssl.truststore.password: x-pack-test-password
--------------------------------------------------
--
Reference in New Issue View Git Blame Copy Permalink