Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 2122da31cd
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
authentication
/
service-accounts.asciidoc

service-accounts.asciidoc 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. [role="xpack"]
    2. 

  2. [[service-accounts]]
    3. 

  3. === Service accounts
    4. 

  4. 

  5. The {stack-security-features} provide _service accounts_ specifically for
    6. 

  6. integration with external services that connect to {es}, such as {fleet} server.
    7. 

  7. Service accounts have a fixed set of privileges and cannot authenticate
    8. 

  8. until you create a service account token for them. Additionally, service
    9. 

  9. accounts are predefined in code, and are always enabled.
    10. 

  10. 

  11. A service account corresponds to a specific external service. You create service
    12. 

  12. account tokens for a service account. The service can then authenticate with the
    13. 

  13. token and perform relevant actions. For example, {fleet} server can use its
    14. 

  14. service token to authenticate with {es} and then manage its own API keys.
    15. 

  15. 

  16. You can create multiple service tokens for the same service account, which
    17. 

  17. prevents credential sharing between multiple instances of the same
    18. 

  18. external service. Each instance can assume the same identity while using
    19. 

  19. their own distinct service token for authentication.
    20. 

  20. 

  21. Service accounts provide flexibility over <<built-in-users,built-in users>>
    22. 

  22. because they:
    23. 

  23. 

  24. * Do not rely on the <<native-realm,internal `native` realm>>, and aren't
    25. 

  25. always required to rely on the `.security` index
    26. 

  26. * Use a <<security-api-create-api-key-request-body,role descriptor>> named after the service account principal instead of
    27. 

  27. traditional roles
    28. 

  28. * Support multiple credentials through service account tokens
    29. 

  29. 

  30. Service accounts are not included in the response of the
    31. 

  31. <<security-api-get-user,get users API>>. To retrieve a service account, use the
    32. 

  32. <<security-api-get-service-accounts,get service accounts API>>. Use the
    33. 

  33. <<security-api-get-service-credentials,get service account credentials API>>
    34. 

  34. to retrieve all service credentials for a service account.
    35. 

  35. 

  36. [discrete]
    37. 

  37. [[service-accounts-explanation]]
    38. 

  38. === Service accounts usage
    39. 

  39. Service accounts have a
    40. 

  40. <<security-api-get-service-accounts-path-params,unique principal>> that takes
    41. 

  41. the format of `<namespace>/<service>`, where the `namespace` is a top-level
    42. 

  42. grouping of service accounts, and `service` is the name of the service and
    43. 

  43. must be unique within its namespace.
    44. 

  44. 

  45. Service accounts are predefined in code. The following service accounts are
    46. 

  46. available:
    47. 

  47. 

  48. `elastic/fleet-server`:: The service account used by the {fleet} server to
    49. 

  49. communicate with {es}.
    50. 

  50. 

  51. `elastic/kibana`:: The service account used by {kib} to communicate with
    52. 

  52. {es}.
    53. 

  53. 

  54. `elastic/enterprise-search-server`:: The service account used by Enterprise Search
    55. 

  55. to communicate with {es}.
    56. 

  56. 

  57. // tag::service-accounts-usage[]
    58. 

  58. IMPORTANT: Do not attempt to use service accounts for authenticating individual
    59. 

  59. users. Service accounts can only be authenticated with service tokens, which are
    60. 

  60. not applicable to regular users.
    61. 

  61. // end::service-accounts-usage[]
    62. 

  62. 

  63. [discrete]
    64. 

  64. [[service-accounts-tokens]]
    65. 

  65. === Service account tokens
    66. 

  66. A service account token, or service token, is a unique string that a
    67. 

  67. service uses to authenticate with {es}. For a given service account, each token
    68. 

  68. must have a unique name. Because tokens include access credentials, they should
    69. 

  69. always be kept secret by whichever client is using them.
    70. 

  70. 

  71. Service tokens can be backed by either the `.security` index (recommended) or
    72. 

  72. the `service_tokens` file. You can create multiple service tokens for a single
    73. 

  73. service account, which enables multiple instances of the same service to run
    74. 

  74. with different credentials.
    75. 

  75. 

  76. You must create a service token to use a service account. You can
    77. 

  77. create a service token using either:
    78. 

  78. 

  79. * The <<security-api-create-service-token,create service account token API>>,
    80. 

  80. which saves the new service token in the `.security` index and returns
    81. 

  81. the bearer token in the HTTP response.
    82. 

  82. * The <<service-tokens-command,elasticsearch-service-tokens>> CLI tool, which
    83. 

  83. saves the new service token in the `$ES_HOME/config/service_tokens` file
    84. 

  84. and outputs the bearer token to your terminal
    85. 

  85. 

  86. We recommend that you create service tokens via the REST API rather than the CLI.
    87. 

  87. The API stores service tokens within the `.security` index which means that the
    88. 

  88. tokens are available for authentication on all nodes, and will be backed up within
    89. 

  89. cluster snapshots.
    90. 

  90. The use of the CLI is intended for cases where there is an external orchestration
    91. 

  91. process (such as {ece-ref}[{ece}] or {eck-ref}[{eck}]) that will manage the
    92. 

  92. creation and distribution of the `service_tokens` file.
    93. 

  93. 

  94. Both of these methods (API and CLI) create a service token with a guaranteed
    95. 

  95. secret string length of `22`.
    96. 

  96. The minimal, acceptable length of a secret string for a service token is `10`.
    97. 

  97. If the secret string doesn't meet this minimal length, authentication with {es}
    98. 

  98. will fail without even checking the value of the service token.
    99. 

  99. 

  100. Service tokens never expire. You must actively
    101. 

  101. <<security-api-delete-service-token,delete>> them if they are no longer needed.
    102. 

  102. 

  103. [discrete]
    104. 

  104. [[authenticate-with-service-account-token]]
    105. 

  105. === Authenticate with service tokens
    106. 

  106. 

  107. NOTE: Service accounts currently do not support basic authentication.
    108. 

  108. 

  109. To use a service account token, include the generated token value in a request
    110. 

  110. with an `Authorization: Bearer` header:
    111. 

  111. 

  112. [source,shell]
    113. 

  113. ----
    114. 

  114. curl -H "Authorization: Bearer AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" http://localhost:9200/_security/_authenticate
    115. 

  115. ----
    116. 

  116. // NOTCONSOLE
    117. 

  117. 

  118. A successful authentication response includes a `token` field, which contains a
    119. 

  119. `name` field for the name of the service token and a `type` field for the
    120. 

  120. type of the service token:
    121. 

  121. 

  122. [source,js]
    123. 

  123. ----
    124. 

  124. {
    125. 

  125.   "username": "elastic/fleet-server",
    126. 

  126.   "roles": [],
    127. 

  127.   "full_name": "Service account - elastic/fleet-server",
    128. 

  128.   "email": null,
    129. 

  129.   "token": {
    130. 

  130.     "name": "token1",                 <1>
    131. 

  131.     "type": "_service_account_index"  <2>
    132. 

  132.   },
    133. 

  133.   "metadata": {
    134. 

  134.     "_elastic_service_account": true
    135. 

  135.   },
    136. 

  136.   "enabled": true,
    137. 

  137.   "authentication_realm": {
    138. 

  138.     "name": "_service_account",
    139. 

  139.     "type": "_service_account"
    140. 

  140.   },
    141. 

  141.   "lookup_realm": {
    142. 

  142.     "name": "_service_account",
    143. 

  143.     "type": "_service_account"
    144. 

  144.   },
    145. 

  145.   "authentication_type": "token"
    146. 

  146. }
    147. 

  147. ----
    148. 

  148. // NOTCONSOLE
    149. 

  149. <1> Name of the service account token.
    150. 

  150. <2> Type of service account token. The value always begins with
    151. 

  151. `_service_account_` and is followed by a string that indicates the service
    152. 

  152. token backend in use (can be either `file` or `index`).
    153.