honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-07 13:38:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/docs/en/security/tribe-clients-integrations/beats.asciidoc
Tim Brooks f2cbe20ea0 Remove default passwords from reserved users (elastic/x-pack-elasticsearch#1665) 
This is related to elastic/x-pack-elasticsearch#1217. This PR removes the default password of
"changeme" from the reserved users.

This PR adds special behavior for authenticating the reserved users. No
ReservedRealm user can be authenticated until its password is set. The
one exception to this is the elastic user. The elastic user can be
authenticated with an empty password if the action is a rest request
originating from localhost. In this scenario where an elastic user is
authenticated with a default password, it will have metadata indicating
that it is in setup mode. An elastic user in setup mode is only
authorized to execute a change password request.

Original commit: elastic/x-pack-elasticsearch@e1e101a237
2017-06-29 15:27:57 -05:00

187 lines
6.8 KiB
Plaintext
Raw Blame History

[[beats]]
=== Beats and Security
To send data to a secured cluster through the `elasticsearch` output,
a Beat needs to authenticate as a user who can manage index templates,
monitor the cluster, create indices, and read, and write to the indices
it creates.
If encryption is enabled on the cluster, you also need to enable HTTPS in the
Beat configuration.
In addition to configuring authentication credentials for the Beat itself, you
need to grant authorized users permission to access the indices it creates.
[float]
[[beats-basic-auth]]
==== Configuring Authentication Credentials for a Beat
When sending data to a secured cluster through the `elasticsearch`
output, a Beat must either provide basic authentication credentials
or present a client certificate.
To configure authentication credentials for a Beat:
. Create a role that has the `manage_index_templates` and
`monitor` cluster privileges, and `read`, `write`, and `create_index`
privileges for the indices the Beat creates. You can create roles from the
**Management / Roles** UI in Kibana or through the `role` API.
For example, the following request creates a `packetbeat_writer` role:
+
[source, sh]
---------------------------------------------------------------
POST _xpack/security/role/packetbeat_writer
{
"cluster": ["manage_index_templates", "monitor"],
"indices": [
{
"names": [ "packetbeat-*" ], <1>
"privileges": ["write","create_index"]
}
]
}
---------------------------------------------------------------
<1> If you use a custom Packetbeat index pattern, specify that pattern
instead of the default `packetbeat-*` pattern.
. Assign the writer role to the user the Beat is going to use to
connect to Elasticsearch:
.. To authenticate as a native user, create a user for the Beat
to use internally and assign it the writer role. You can create
users from the **Management / Users** UI in Kibana or through the
`user` API. For example, the following request creates a
`packetbeat_internal` user that has the `packetbeat_writer` role:
+
[source, sh]
---------------------------------------------------------------
POST /_xpack/security/user/packetbeat_internal
{
"password" : "x-pack-test-password",
"roles" : [ "packetbeat_writer"],
"full_name" : "Internal Packetbeat User"
}
---------------------------------------------------------------
.. To authenticate using PKI authentication, assign the writer role
to the internal Beat user in the <<mapping-roles,`role_mapping.yml`>>
configuration file. Specify the user by the distinguished name that
appears in its certificate.
+
[source, yaml]
---------------------------------------------------------------
packetbeat_writer:
- "cn=Internal Packetbeat User,ou=example,o=com"
---------------------------------------------------------------
. Configure authentication credentials for the `elasticsearch` output
in the Beat configuration file:
.. To use basic authentication, configure the `username` and `password`
settings. For example, the following Packetbeat output configuration
uses the native `packetbeat_internal` user to connect to Elasticsearch:
+
[source,js]
--------------------------------------------------
output.elasticsearch:
hosts: ["localhost:9200"]
index: "packetbeat"
username: "packetbeat_internal"
password: "x-pack-test-password"
--------------------------------------------------
.. To use PKI authentication, configure the `certificate` and
`key` settings:
+
[source,js]
--------------------------------------------------
output.elasticsearch:
hosts: ["localhost:9200"]
index: "packetbeat"
ssl.certificate: "/etc/pki/client/cert.pem" <1>
ssl.key: "/etc/pki/client/cert.key"
--------------------------------------------------
<1> The distinguished name (DN) in the certificate must be mapped to
the writer role in the `role_mapping.yml` configuration file on each
node in the Elasticsearch cluster.
[float]
[[beats-user-access]]
==== Granting Users Access to Beats Indices
To enable users to access the indices a Beat creates, grant them `read` and
`view_index_metadata` privileges on the Beat indices:
. Create a role that has the `read` and `view_index_metadata`
privileges for the Beat indices. You can create roles from the
**Management > Roles** UI in Kibana or through the `role` API.
For example, the following request creates a `packetbeat_reader`
role:
+
[source, sh]
---------------------------------------------------------------
POST _xpack/security/role/packetbeat_reader
{
"indices": [
{
"names": [ "packetbeat-*" ], <1>
"privileges": ["read","view_index_metadata"]
}
]
}
---------------------------------------------------------------
<1> If you use a custom Packetbeat index pattern, specify that pattern
instead of the default `packetbeat-*` pattern.
. Assign your users the reader role so they can access the Beat indices:
.. If you're using the `native` realm, you can assign roles with the
**Management > Users** UI in Kibana or through the `user` API. For
example, the following request grants `packetbeat_user`
the `packetbeat_reader` role:
+
[source, sh]
---------------------------------------------------------------
POST /_xpack/security/user/packetbeat_user
{
"password" : "x-pack-test-password",
"roles" : [ "packetbeat_reader"],
"full_name" : "Packetbeat User"
}
---------------------------------------------------------------
.. If you're using the LDAP, Active Directory, or PKI realms, you
assign the roles in the <<mapping-roles,`role_mapping.yml`>> configuration
file. For example, the following snippet grants `Packetbeat User`
the `packetbeat_reader` role:
+
[source, yaml]
---------------------------------------------------------------
packetbeat_reader:
- "cn=Packetbeat User,dc=example,dc=com"
---------------------------------------------------------------
[float]
[[beats-tls]]
===== Configuring Beats to use Encrypted Connections
If encryption is enabled on the Elasticsearch cluster, you need to
connect to Elasticsearch via HTTPS. If the CA that signed your node certificates
is not in the host system's trusted certificate authorities list, you also need
to add the path to the `.pem` file that contains your CA's certificate to the
Beat configuration.
To configure a Beat to connect to Elasticsearch via HTTPS, add the `https` protocol
to all host URLs:
[source,js]
--------------------------------------------------
output.elasticsearch:
hosts: ["https://localhost:9200"] <1>
index: "packetbeat"
ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] <2>
--------------------------------------------------
<1> Specify the `https` protocol to connect the Elasticsearch cluster.
<2> Specify the path to the local `.pem` file that contains your Certificate
Authority's certificate. This is generally only needed if you use your
own CA to sign your node certificates.
Reference in New Issue View Git Blame Copy Permalink