- X-Pack Reference for 6.0-6.2 and 5.x:
- Introduction
- Setting Up X-Pack
- Breaking Changes
- X-Pack APIs
- Graphing Connections in Your Data
- Profiling your Queries and Aggregations
- Reporting from Kibana
- Securing the Elastic Stack
- Getting Started with Security
- How Security Works
- Setting Up User Authentication
- Configuring SAML Single-Sign-On on the Elastic Stack
- Configuring Role-based Access Control
- Auditing Security Events
- Encrypting Communications
- Restricting Connections with IP Filtering
- Cross Cluster Search, Tribe, Clients and Integrations
- Reference
- Monitoring the Elastic Stack
- Alerting on Cluster and Index Events
- Machine Learning in the Elastic Stack
- Troubleshooting
- Getting Help
- X-Pack security
- Can’t log in after upgrading to 6.2.4
- Some settings are not returned via the nodes settings API
- Authorization exceptions
- Users command fails due to extra arguments
- Users are frequently locked out of Active Directory
- Certificate verification fails for curl on Mac
- SSLHandshakeException causes connections to fail
- Common SSL/TLS exceptions
- Internal Server Error in Kibana
- Setup-passwords command fails due to connection failure
- X-Pack Watcher
- X-Pack monitoring
- X-Pack machine learning
- Limitations
- License Management
- Release Notes
WARNING: Version 6.2 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Security Limitations
editSecurity Limitations
editPlugins
editElasticsearch’s plugin infrastructure is extremely flexible in terms of what can be extended. While it opens up Elasticsearch to a wide variety of (often custom) additional functionality, when it comes to security, this high extensibility level comes at a cost. We have no control over the third-party plugins' code (open source or not) and therefore we cannot guarantee their compliance with X-Pack security. For this reason, third-party plugins are not officially supported on clusters with X-Pack security enabled.
Changes in Index Wildcard Behavior
editElasticsearch clusters with X-Pack security enabled apply the /_all
wildcard, and
all other wildcards, to the indices that the current user has privileges for, not
the set of all indices on the cluster.
While creating or retrieving aliases by providing wildcard expressions for alias names, if there are no existing authorized aliases
that match the wildcard expression provided an IndexNotFoundException is returned.
Multi Document APIs
editMulti get and multi term vectors API throw IndexNotFoundException when trying to access non existing indices that the user is not authorized for. By doing that they leak information regarding the fact that the index doesn’t exist, while the user is not authorized to know anything about those indices.
Filtered Index Aliases
editAliases containing filters are not a secure way to restrict access to individual documents, due to the limitations described in Index and Field Names Can Be Leaked When Using Aliases. X-Pack security provides a secure way to restrict access to documents through the document-level security feature.
Field and Document Level Security Limitations
editWhen a user’s role enables document or field level security for an index:
-
The user cannot perform write operations:
- The update API isn’t supported.
- Update requests included in bulk requests aren’t supported.
- The request cache is disabled for search requests.
When a user’s role enables document level security for an index:
- Document level security isn’t applied for APIs that aren’t document based. An example is the field stats API.
- Document level security doesn’t affect global index statistics that relevancy scoring uses. So this means that scores are computed without taking the role query into account. Note that documents not matching with the role query are never returned.
-
The
has_child
andhas_parent
queries aren’t supported as query in the role definition. Thehas_child
andhas_parent
queries can be used in the search API with document level security enabled. -
Any query that makes remote calls to fetch data to query by isn’t supported. The following queries aren’t supported:
-
The
terms
query with terms lookup isn’t supported. -
The
geo_shape
query with indexed shapes isn’t supported. -
The
percolate
query isn’t supported.
-
The
- If suggesters are specified and document level security is enabled then the specified suggesters are ignored.
- A search request cannot be profiled if document level security is enabled.
Index and Field Names Can Be Leaked When Using Aliases
editCalling certain Elasticsearch APIs on an alias can potentially leak information
about indices that the user isn’t authorized to access. For example, when you get
the mappings for an alias with the _mapping
API, the response includes the
index name and mappings for each index that the alias applies to.
Until this limitation is addressed, avoid index and field names that contain confidential or sensitive information.
LDAP Realm
editThe LDAP Realm does not currently support the discovery of nested
LDAP Groups. For example, if a user is a member of group_1
and group_1
is a
member of group_2
, only group_1
will be discovered. However, the
Active Directory Realm does support transitive
group membership.
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now