Configuring security in Elasticsearch
editConfiguring security in Elasticsearch
editThe Elasticsearch security features enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and auditing.
To use Elasticsearch security features:
-
Verify that you are using a license that includes the security features.
If you want to try all of the platinum features, you can start a 30-day trial. At the end of the trial period, you can purchase a subscription to keep using the full functionality. For more information, see https://www.elastic.co/subscriptions and License Management.
-
Verify that the
xpack.security.enabled
setting istrue
on each node in your cluster. If you are using a trial license, the default value isfalse
. For more information, see Security settings. - If you plan to run Elasticsearch in a Federal Information Processing Standard (FIPS) 140-2 enabled JVM, see FIPS 140-2.
-
Configure Transport Layer Security (TLS/SSL) for internode-communication.
This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more information, see Encrypting communications.
- If it is not already running, start Elasticsearch.
-
Set the passwords for all built-in users.
The Elasticsearch security features provide built-in users to help you get up and running. The
elasticsearch-setup-passwords
command is the simplest method to set the built-in users' passwords for the first time.For example, you can run the command in an "interactive" mode, which prompts you to enter new passwords for the built-in users:
bin/elasticsearch-setup-passwords interactive
For more information about the command options, see elasticsearch-setup-passwords.
The
elasticsearch-setup-passwords
command uses a transient bootstrap password that is no longer valid after the command runs successfully. You cannot run theelasticsearch-setup-passwords
command a second time. Instead, you can update passwords from the Management > Users UI in Kibana or use the security user API. -
Choose which types of realms you want to use to authenticate users.
-
Set up roles and users to control access to Elasticsearch.
For example, to grant John Doe full access to all indices that match the pattern
events*
and enable him to create visualizations and dashboards for those indices in Kibana, you could create anevents_admin
role and assign the role to a newjohndoe
user.curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{ "indices" : [ { "names" : [ "events*" ], "privileges" : [ "all" ] }, { "names" : [ ".kibana*" ], "privileges" : [ "manage", "read", "index" ] } ] }' curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{ "password" : "userpassword", "full_name" : "John Doe", "email" : "john.doe@anony.mous", "roles" : [ "events_admin" ] }'
-
Enable auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:
-
Add the following setting to
elasticsearch.yml
on all nodes in your cluster:xpack.security.audit.enabled: true
For more information, see Auditing security events and Auditing Settings.
- Restart Elasticsearch.
By default, events are logged to a dedicated
elasticsearch-access.log
file inES_HOME/logs
. You can also store the events in an Elasticsearch index for easier analysis and control what events are logged. [6.7.0] Deprecated in 6.7.0. -