Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 2fc3d40a13
Branches Tags
elasticsearch
/
docs
/
reference
/
high-availability
/
backup-and-restore-security-config.asciidoc

backup-and-restore-security-config.asciidoc 6.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. [role="xpack"]
    2. 

  2. [testenv="basic"]
    3. 

  3. [[security-backup]]
    4. 

  4. === Back up a cluster's security configuration
    5. 

  5. ++++
    6. 

  6. <titleabbrev>Back up the security configuration</titleabbrev>
    7. 

  7. ++++
    8. 

  8. 

  9. Security configuration information resides in two places:
    10. 

  10. <<backup-security-file-based-configuration,files>> and
    11. 

  11. <<backup-security-index-configuration,indices>>.
    12. 

  12. 

  13. [discrete]
    14. 

  14. [[backup-security-file-based-configuration]]
    15. 

  15. ==== Back up file-based security configuration
    16. 

  16. 

  17. {es} {security-features} are configured using the <<security-settings,
    18. 

  18. `xpack.security` namespace>> inside the `elasticsearch.yml` and
    19. 

  19. `elasticsearch.keystore` files. In addition there are several other
    20. 

  20. <<security-files, extra configuration files>> inside the same `ES_PATH_CONF`
    21. 

  21. directory. These files define roles and role mappings and configure the
    22. 

  22. <<file-realm,file realm>>. Some of the
    23. 

  23. settings specify file paths to security-sensitive data, such as TLS keys and
    24. 

  24. certificates for the HTTP client and inter-node communication and private key files for
    25. 

  25. <<ref-saml-settings, SAML>>, <<ref-oidc-settings, OIDC>> and the
    26. 

  26. <<ref-kerberos-settings, Kerberos>> realms. All these are also stored inside
    27. 

  27. `ES_PATH_CONF`; the path settings are relative.
    28. 

  28. 

  29. IMPORTANT: The `elasticsearch.keystore`, TLS keys and SAML, OIDC, and Kerberos
    30. 

  30. realms private key files require confidentiality. This is crucial when files
    31. 

  31. are copied to the backup location, as this increases the surface for malicious
    32. 

  32. snooping.
    33. 

  33. 

  34. To back up all this configuration you can use a <<backup-cluster-configuration,
    35. 

  35. conventional file-based backup>>, as described in the previous section.
    36. 

  36. 

  37. [NOTE]
    38. 

  38. ====
    39. 

  39. 

  40. * File backups must run on every cluster node.
    41. 

  41. * File backups will store non-security configuration as well. Backing-up
    42. 

  42. only {security-features} configuration is not supported. A backup is a
    43. 

  43. point in time record of state of the complete configuration.
    44. 

  44. 

  45. ====
    46. 

  46. 

  47. [discrete]
    48. 

  48. [[backup-security-index-configuration]]
    49. 

  49. ==== Back up index-based security configuration
    50. 

  50. 

  51. {es} {security-features} store system configuration data inside a
    52. 

  52. dedicated index. This index is named `.security-6` in the {es} 6.x versions and
    53. 

  53. `.security-7` in the 7.x releases. The `.security` alias always points to the
    54. 

  54. appropriate index. This index contains the data which is not available in
    55. 

  55. configuration files and *cannot* be reliably backed up using standard
    56. 

  56. filesystem tools. This data describes:
    57. 

  57. 

  58. * the definition of users in the native realm (including hashed passwords)
    59. 

  59. * role definitions (defined via the <<security-api-put-role,create roles API>>)
    60. 

  60. * role mappings (defined via the
    61. 

  61.   <<security-api-put-role-mapping,create role mappings API>>)
    62. 

  62. * application privileges
    63. 

  63. * API keys
    64. 

  64. 

  65. The `.security` index thus contains resources and definitions in addition to
    66. 

  66. configuration information. All of that information is required in a complete
    67. 

  67. {security-features} backup.
    68. 

  68. 

  69. Use the <<modules-snapshots, standard {es} snapshot functionality>> to backup
    70. 

  70. `.security`, as you would for any <<backup-cluster-data, other data index>>.
    71. 

  71. For convenience, here are the complete steps:
    72. 

  72. 

  73. . Create a repository that you can use to backup the `.security` index.
    74. 

  74. It is preferable to have a <<backup-security-repos, dedicated repository>> for
    75. 

  75. this special index. If you wish, you can also snapshot the system indices for other {stack} components to this repository. 
    76. 

  76. +
    77. 

  77. --
    78. 

  78. [source,console]
    79. 

  79. -----------------------------------
    80. 

  80. PUT /_snapshot/my_backup
    81. 

  81. {
    82. 

  82.   "type": "fs",
    83. 

  83.   "settings": {
    84. 

  84.     "location": "my_backup_location"
    85. 

  85.   }
    86. 

  86. }
    87. 

  87. -----------------------------------
    88. 

  88. 

  89. The user calling this API must have the elevated `manage` cluster privilege to
    90. 

  90. prevent non-administrators exfiltrating data.
    91. 

  91. 

  92. --
    93. 

  93. 

  94. . Create a user and assign it only the built-in `snapshot_user` role.
    95. 

  95. +
    96. 

  96. --
    97. 

  97. The following example creates a new user `snapshot_user` in the
    98. 

  98. <<native-realm,native realm>>, but it is not important which
    99. 

  99. realm the user is a member of:
    100. 

  100. 

  101. [source,console]
    102. 

  102. --------------------------------------------------
    103. 

  103. POST /_security/user/snapshot_user
    104. 

  104. {
    105. 

  105.   "password" : "secret",
    106. 

  106.   "roles" : [ "snapshot_user" ]
    107. 

  107. }
    108. 

  108. --------------------------------------------------
    109. 

  109. // TEST[skip:security is not enabled in this fixture]
    110. 

  110. 

  111. --
    112. 

  112. 

  113. . Create incremental snapshots authorized as `snapshot_user`.
    114. 

  114. +
    115. 

  115. --
    116. 

  116. The following example shows how to use the create snapshot API to backup
    117. 

  117. the `.security` index to the `my_backup` repository:
    118. 

  118. 

  119. [source,console]
    120. 

  120. --------------------------------------------------
    121. 

  121. PUT /_snapshot/my_backup/snapshot_1
    122. 

  122. {
    123. 

  123.   "indices": ".security",
    124. 

  124.   "include_global_state": true <1>
    125. 

  125. }
    126. 

  126. --------------------------------------------------
    127. 

  127. // TEST[continued]
    128. 

  128. 

  129. <1> This parameter value captures all the persistent settings stored in the
    130. 

  130. global cluster metadata as well as other configurations such as aliases and
    131. 

  131. stored scripts. Note that this includes non-security configuration and that it complements but does not replace the
    132. 

  132. <<backup-cluster-configuration, filesystem configuration files backup>>.
    133. 

  133. 

  134. --
    135. 

  135. 

  136. IMPORTANT: The index format is only compatible within a single major version,
    137. 

  137. and cannot be restored onto a version earlier than the version from which it
    138. 

  138. originated. For example, you can restore a security snapshot from 6.6.0 into a
    139. 

  139. 6.7.0 cluster, but you cannot restore it to a cluster running {es} 6.5.0 or 7.0.0.
    140. 

  140. 

  141. [discrete]
    142. 

  142. [[backup-security-repos]]
    143. 

  143. ===== Controlling access to the backup repository
    144. 

  144. 

  145. The snapshot of the security index will typically contain sensitive data such
    146. 

  146. as user names and password hashes. Because passwords are stored using
    147. 

  147. <<hashing-settings, cryptographic hashes>>, the disclosure of a snapshot would
    148. 

  148. not automatically enable a third party to authenticate as one of your users or
    149. 

  149. use API keys. However, it would disclose confidential information.
    150. 

  150. 

  151. It is also important that you protect the integrity of these backups in case
    152. 

  152. you ever need to restore them. If a third party is able to modify the stored
    153. 

  153. backups, they may be able to install a back door that would grant access if the
    154. 

  154. snapshot is loaded into an {es} cluster.
    155. 

  155. 

  156. We recommend that you:
    157. 

  157. 

  158. * Snapshot the `.security` index in a dedicated repository, where read and write
    159. 

  159. access is strictly restricted and audited.
    160. 

  160. * If there are indications that the snapshot has been read, change the passwords
    161. 

  161. of the users in the native realm and revoke API keys.
    162. 

  162. * If there are indications that the snapshot has been tampered with, do not
    163. 

  163. restore it. There is currently no option for the restore process to detect
    164. 

  164. malicious tampering.
    165.