Enable Elasticsearch security features

When you use the basic and trial licenses, the Elasticsearch security features are disabled by default. To enable them:

  1. Stop Kibana. The method for starting and stopping Kibana varies depending on how you installed it. For example, if you installed Kibana from an archive distribution (.tar.gz or .zip), stop it by entering Ctrl-C on the command line. See Starting and stopping Kibana.
  2. Stop Elasticsearch. For example, if you installed Elasticsearch from an archive distribution, enter Ctrl-C on the command line. See Stopping Elasticsearch.
  3. Add the xpack.security.enabled setting to the ES_PATH_CONF/elasticsearch.yml file.

    The ES_PATH_CONF environment variable contains the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (zip or tar.gz), it defaults to ES_HOME/config. If you used package distributions (Debian or RPM), it defaults to /etc/elasticsearch. For more information, see Configuring Elasticsearch.

    For example, add the following setting:

    xpack.security.enabled: true

    If you have a basic or trial license, the default value for this setting is false. If you have a gold or higher license, the default value is true. Therefore, it is a good idea to explicitly add this setting to avoid confusion about whether security features are enabled.

  4. Enable single-node discovery in the ES_PATH_CONF/elasticsearch.yml file.

    This tutorial uses a single-node cluster. If you had multiple nodes, you would enable Elasticsearch security features on every node in the cluster and configure Transport Layer Security (TLS) for internode communication, which is beyond the scope of this tutorial. By enabling single-node discovery, we are postponing the configuration of TLS. For example, add the following setting:

    discovery.type: single-node

    For more information, see Single-node discovery.
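As an added example (not part of the Elastic documentation), the following POSIX shell helper applies steps 3 and 4 without creating duplicate keys, which Elasticsearch rejects at startup. It assumes the flat dotted-key form shown above and takes the configuration directory from its argument or from ES_PATH_CONF.

```shell
#!/bin/sh
# Added example, not from the Elastic documentation: apply steps 3 and 4
# idempotently. Elasticsearch rejects duplicate keys in elasticsearch.yml,
# so blindly appending "xpack.security.enabled: true" to a file that already
# has an explicit "xpack.security.enabled: false" breaks startup instead of
# enabling security. Handles the flat dotted-key form used above, not the
# nested "xpack:\n  security:\n    enabled:" form.
set -eu

# es_set_setting FILE KEY VALUE
# Rewrites an existing "KEY: ..." line in place or appends the key.
# Commented-out lines ("# KEY: ...") are left alone.
es_set_setting() {
  file=$1; key=$2; value=$3
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
  if grep -Eq "^[[:space:]]*${esc}[[:space:]]*:" "$file"; then
    # sed -i differs between GNU and BSD sed; go through a temp file.
    tmp=$(mktemp)
    sed -E "s|^[[:space:]]*${esc}[[:space:]]*:.*|${key}: ${value}|" "$file" > "$tmp"
    mv "$tmp" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# es_get_setting FILE KEY
# Prints the value of the last matching flat key (empty if absent).
es_get_setting() {
  grep -E "^[[:space:]]*$(printf '%s' "$2" | sed 's/\./\\./g')[[:space:]]*:" "$1" \
    | tail -n 1 | sed -E 's/^[^:]*:[[:space:]]*//'
}

# es_enable_security [CONF_DIR]
# CONF_DIR defaults to $ES_PATH_CONF, then to the package default
# /etc/elasticsearch (archive installs use ES_HOME/config instead).
es_enable_security() {
  conf="${1:-${ES_PATH_CONF:-/etc/elasticsearch}}/elasticsearch.yml"
  es_set_setting "$conf" xpack.security.enabled true
  es_set_setting "$conf" discovery.type single-node
}
```

Run it before restarting Elasticsearch in the steps above; running it twice leaves the file unchanged.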

When you enable Elasticsearch security features, basic authentication is enabled by default. To communicate with the cluster, you must specify a username and password. Unless you enable anonymous access, all requests that don’t include a username and password are rejected.