mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-03 17:39:15 +00:00
f2cbe20ea0
This is related to elastic/x-pack-elasticsearch#1217. This PR removes the default password of "changeme" from the reserved users. This PR adds special behavior for authenticating the reserved users. No ReservedRealm user can be authenticated until its password is set. The one exception to this is the elastic user. The elastic user can be authenticated with an empty password if the action is a rest request originating from localhost. In this scenario where an elastic user is authenticated with a default password, it will have metadata indicating that it is in setup mode. An elastic user in setup mode is only authorized to execute a change password request. Original commit: elastic/x-pack-elasticsearch@e1e101a237
46 lines
1.8 KiB
Plaintext
46 lines
1.8 KiB
Plaintext
[[secure-reporting]]
|
|
=== Reporting and Security
|
|
|
|
Reporting operates by creating and updating documents in Elasticsearch in
|
|
response to user actions in Kibana.
|
|
|
|
To use Reporting with {security} enabled, you need to <<kibana, set up Kibana
|
|
to work with {security}>>. If you are automatically generating reports with
|
|
<<xpack-alerting, {watcher}>>, you also need to configure {watcher} to trust the
|
|
Kibana server's certificate.
|
|
//TO-DO: Add link:
|
|
//For more information, see {kibana-ref}/securing-reporting.html[Securing Reporting].
|
|
|
|
[[reporting-app-users]]
|
|
To enable users to generate reports, assign them the built in `reporting_user`
|
|
and `kibana_user` roles:
|
|
|
|
* If you're using the `native` realm, you can assign roles through
|
|
**Management / Users** UI in Kibana or with the `user` API. For example,
|
|
the following request creates a `reporter` user that has the
|
|
`reporting_user` and `kibana_user` roles:
|
|
+
|
|
[source, sh]
|
|
---------------------------------------------------------------
|
|
POST /_xpack/security/user/reporter
|
|
{
|
|
"password" : "x-pack-test-password",
|
|
"roles" : ["kibana_user", "reporting_user"],
|
|
"full_name" : "Reporting User"
|
|
}
|
|
---------------------------------------------------------------
|
|
|
|
* If you are using an LDAP or Active Directory realm, you can either assign
|
|
roles on a per user basis, or assign roles to groups of users. By default, role
|
|
mappings are configured in <<mapping-roles, `config/shield/role_mapping.yml`>>.
|
|
For example, the following snippet assigns the user named Bill Murray the
|
|
`kibana_user` and `reporting_user` roles:
|
|
+
|
|
[source,yaml]
|
|
--------------------------------------------------------------------------------
|
|
kibana_user:
|
|
- "cn=Bill Murray,dc=example,dc=com"
|
|
reporting_user:
|
|
- "cn=Bill Murray,dc=example,dc=com"
|
|
--------------------------------------------------------------------------------
|