Enable Elasticsearch security features
When you use the basic and trial licenses, the Elasticsearch security features are disabled by default. To enable them:
- Stop Kibana. The method for starting and stopping Kibana varies depending on how you installed it. For example, if you installed Kibana from an archive distribution (.tar.gz or .zip), stop it by entering Ctrl-C on the command line. See Starting and stopping Kibana.
- Stop Elasticsearch. For example, if you installed Elasticsearch from an archive distribution, enter Ctrl-C on the command line. See Stopping Elasticsearch.
- Add the xpack.security.enabled setting to the ES_PATH_CONF/elasticsearch.yml file.

  The ES_PATH_CONF environment variable contains the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (zip or tar.gz), it defaults to ES_HOME/config. If you used package distributions (Debian or RPM), it defaults to /etc/elasticsearch. For more information, see Configuring Elasticsearch.

  For example, add the following setting:

    xpack.security.enabled: true

  If you have a basic or trial license, the default value for this setting is false. If you have a gold or higher license, the default value is true. Therefore, it is a good idea to explicitly add this setting to avoid confusion about whether security features are enabled.
- Enable single-node discovery in the ES_PATH_CONF/elasticsearch.yml file.

  This tutorial involves a single node cluster, but if you had multiple nodes, you would enable Elasticsearch security features on every node in the cluster and configure Transport Layer Security (TLS) for internode-communication, which is beyond the scope of this tutorial. By enabling single-node discovery, we are postponing the configuration of TLS. For example, add the following setting:

    discovery.type: single-node

  For more information, see Single-node discovery.
When you enable Elasticsearch security features, basic authentication is enabled by default. To communicate with the cluster, you must specify a username and password. Unless you enable anonymous access, all requests that don’t include a user name and password are rejected.
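
To confirm the two settings above are really present in elasticsearch.yml, whether written as flat dotted keys or as nested YAML, a small checker helps. This is an added example, not code from the Elasticsearch documentation; the function names and sample files are constructed here, and the xpack.security.authc.anonymous prefix used to flag anonymous access is an assumption taken from Elasticsearch's settings reference, not from this page.

```python
import re

# Defaults stated on this page: false for basic/trial, true for gold or higher.
DEFAULT_ENABLED = {"basic": False, "trial": False}

def flatten_settings(text):
    """Flatten elasticsearch.yml block mappings (flat or nested) to dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) of currently open parent mappings
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # strip trailing comments
        m = re.match(r"^( *)([^:\s#-][^:]*):\s*(.*)$", line)
        if not m:
            continue  # blank lines, full-line comments, list items
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        flat[path] = value.strip().strip("'\"")
        if not value.strip():
            stack.append((indent, key))  # parent mapping: children follow
    return flat

def audit(text, license_type="basic"):
    """Return a list of findings for the settings this tutorial adds."""
    cfg, findings = flatten_settings(text), []
    enabled = cfg.get("xpack.security.enabled")
    if enabled is None:
        default = DEFAULT_ENABLED.get(license_type, True)
        findings.append("xpack.security.enabled is not set explicitly; the "
                        f"{license_type} license default is {str(default).lower()}")
    elif enabled.lower() != "true":
        findings.append("xpack.security.enabled is explicitly not true")
    if cfg.get("discovery.type") != "single-node":
        findings.append("discovery.type is not single-node; "
                        "a multi-node cluster also needs TLS between nodes")
    # Assumption: anonymous access is configured under this settings prefix.
    if any(k.startswith("xpack.security.authc.anonymous") for k in cfg):
        findings.append("anonymous access settings present")
    return findings

# Constructed sample files (not from the original page).
FLAT = "xpack.security.enabled: true\ndiscovery.type: single-node\n"
NESTED = ("xpack:\n  security:\n    enabled: true  # explicit\n"
          "discovery:\n  type: single-node\n")
UNSET = ("# cluster.name: demo\ndiscovery.type: single-node\n"
         "xpack.security.authc.anonymous:\n  roles:\n    - viewer\n")

if __name__ == "__main__":
    for name, text in (("flat", FLAT), ("nested", NESTED), ("unset", UNSET)):
        print(name, audit(text) or "ok")
```

The flattener only understands block mappings, which covers the settings discussed here; it is not a general YAML parser.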