IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Security overview Encrypting communications in Elasticsearch »

› ›

Configuring security in Elasticsearch

edit

Configuring security in Elasticsearch

edit

X-Pack security enables you to easily secure a cluster. With X-Pack security, you can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and auditing.

To use X-Pack security in Elasticsearch:

Verify that you are using a license that includes the X-Pack security feature.

If you want to try all of the X-Pack features, you can start a 30-day trial. At the end of the trial period, you can purchase a subscription to keep using the full functionality of the X-Pack components. For more information, see https://www.elastic.co/subscriptions and License management.
Verify that the xpack.security.enabled setting is true on each node in your cluster. If you are using a trial license, the default value is false. For more information, see Security settings.
Configure Transport Layer Security (TLS/SSL) for internode-communication.

This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more information, see Encrypting communications.
1. Generate node certificates for each of your Elasticsearch nodes.
2. Enable TLS on each Elasticsearch node.
If it is not already running, start Elasticsearch.
Set the passwords for all built-in users.

X-Pack security provides built-in users to help you get up and running. The elasticsearch-setup-passwords command is the simplest method to set the built-in users' passwords for the first time.

For example, you can run the command in an "interactive" mode, which prompts you to enter new passwords for the built-in users:
```
bin/elasticsearch-setup-passwords interactive
```
For more information about the command options, see elasticsearch-setup-passwords.

The elasticsearch-setup-passwords command uses a transient bootstrap password that is no longer valid after the command runs successfully. You cannot run the elasticsearch-setup-passwords command a second time. Instead, you can update passwords from the Management > Users UI in Kibana or use the security user API.
Choose which types of realms you want to use to authenticate users.

Set up roles and users to control access to Elasticsearch.

For example, to grant John Doe full access to all indices that match the pattern events* and enable him to create visualizations and dashboards for those indices in Kibana, you could create an events_admin role and assign the role to a new johndoe user.

curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'

Enable auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:
1. Add the following setting to elasticsearch.yml on all nodes in your cluster:
```
xpack.security.audit.enabled: true
```
  For more information, see Auditing security events and Auditing settings.
2. Restart Elasticsearch.
By default, events are logged to a dedicated elasticsearch-access.log file in ES_HOME/logs. You can also store the events in an Elasticsearch index for easier analysis and control what events are logged.

« Security overview Encrypting communications in Elasticsearch »