- Introducing Elasticsearch Add-On for Heroku
- Configuring your deployment
- Securing your deployment
- Monitoring your deployment
- How to set up monitoring
- Access performance metrics
- Keep track of deployment activity
- Diagnose unavailable nodes
- Why are my shards unavailable?
- Why is performance degrading over time?
- Is my cluster really highly available?
- How does high memory pressure affect performance?
- Why are my cluster response times suddenly so much worse?
- How do I resolve deployment health warnings?
- How do I resolve node bootlooping?
- Snapshot and restore
- About
- Subscription levels
- Version policy
- Elasticsearch Add-On for Heroku hardware
- Elasticsearch Add-On for Heroku GCP instance configurations
- Elasticsearch Add-On for Heroku GCP default provider instance configurations
- Elasticsearch Add-On for Heroku AWS instance configurations
- Elasticsearch Add-On for Heroku AWS default provider instance configurations
- Elasticsearch Add-On for Heroku Azure instance configurations
- Elasticsearch Add-On for Heroku Azure default provider instance configurations
- Elasticsearch Add-On for Heroku regions
- Service status
- Getting help
- Restrictions and known problems
- What’s new with the Elastic Stack
Secure your clusters with Kerberos
editSecure your clusters with Kerberos
editYou can secure your Elasticsearch clusters and Kibana instances in a deployment by using the Kerberos-5 protocol to authenticate users.
Before you begin
editThe steps in this section require an understanding of Kerberos. To learn more about Kerberos, check our documentation on configuring Elasticsearch for Kerberos authentication.
Configure the cluster to use Kerberos
editWith a custom bundle containing the Kerberos files and changes to the cluster configuration, you can enforce user authentication through the Kerberos protocol.
- Create or use an existing deployment that includes a Kibana instance.
-
Create a custom bundle that contains your
krb5.conf
andkeytab
files, and add it to your cluster.You should use these exact filenames for Elasticsearch Add-On for Heroku to recognize the file in the bundle.
-
Edit your cluster configuration, sometimes also referred to as the deployment plan, to define Kerberos settings as described in Elasticsearch documentation.
xpack.security.authc.realms.kerberos.cloud-krb: order: 2 keytab.path: es.keytab remove_realm_name: false
The name of the realm must be
cloud-krb
, and the order must be 2:xpack.security.authc.realms.kerberos.cloud-krb.order: 2
-
Update Kibana in the user settings configuration to use Kerberos as the authentication provider:
xpack.security.authc.providers: kerberos.kerberos1: order: 0
This configuration disables all other realms and only allows users to authenticate with Kerberos. If you wish to allow your native realm users to authenticate, you need to also enable the
basic
provider
like this: - Use the Kibana endpoint URL to log in.