lqb
/
elasticsearch
дзеркало https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164
							[role="xpack"]
[[configuring-security]]
== Configuring security in {es}
++++
<titleabbrev>Configuring security</titleabbrev>
++++

The {es} {security-features} enable you to easily secure a cluster. You can
password-protect your data as well as implement more advanced security measures
such as encrypting communications, role-based access control, IP filtering, and
auditing. For more information, see
{stack-ov}/elasticsearch-security.html[Securing the {stack}].

To use {es} {security-features}:

. Verify that you are using a license that includes the {security-features}.
+
--
If you want to try all of the platinum features, you can start a 30-day trial.
At the end of the trial period, you can purchase a subscription to keep using
the full functionality. For more information, see
https://www.elastic.co/subscriptions and
{stack-ov}/license-management.html[License Management].
--

. Verify that the `xpack.security.enabled` setting is `true` on each node in
your cluster. If you are using a trial license, the default value is `false`.
For more information, see {ref}/security-settings.html[Security Settings in {es}].

. If you plan to run {es} in a Federal Information Processing Standard (FIPS) 
140-2 enabled JVM, see <<fips-140-compliance>>. 

. Configure Transport Layer Security (TLS/SSL) for internode-communication.
+
--
NOTE: This requirement applies to clusters with more than one node and to
clusters with a single node that listens on an external interface. Single-node
clusters that use a loopback interface do not have this requirement.  For more
information, see
{stack-ov}/encrypting-communications.html[Encrypting Communications].

--
.. <<node-certificates,Generate node certificates for each of your {es} nodes>>.

.. <<tls-transport, Enable TLS on each {es} node>>.

. If it is not already running, start {es}.

. Set the passwords for all built-in users.
+
--
The {es} {security-features} provide
{stack-ov}/built-in-users.html[built-in users] to
help you get up and running. The +elasticsearch-setup-passwords+ command is the
simplest method to set the built-in users' passwords for the first time.

For example, you can run the command in an "interactive" mode, which prompts you
to enter new passwords for the `elastic`, `kibana`, `beats_system`,
`logstash_system`, and `apm_system` users:

[source,shell]
--------------------------------------------------
bin/elasticsearch-setup-passwords interactive
--------------------------------------------------

For more information about the command options, see <<setup-passwords>>.

IMPORTANT: The `elasticsearch-setup-passwords` command uses a transient bootstrap
password that is no longer valid after the command runs successfully. You cannot
run the `elasticsearch-setup-passwords` command a second time. Instead, you can
update passwords from the **Management > Users** UI in {kib} or use the security
user API.

--

. Choose which types of realms you want to use to authenticate users. 
** <<configuring-ad-realm,Configure an Active Directory realm>>.
** <<configuring-file-realm,Configure a file realm>>.
** <<configuring-ldap-realm,Configure an LDAP realm>>.
** <<configuring-native-realm,Configure a native realm>>.
** <<configuring-pki-realm,Configure a PKI realm>>.
** <<configuring-saml-realm,Configure a SAML realm>>.
** <<configuring-kerberos-realm,Configure a Kerberos realm>>.

. Set up roles and users to control access to {es}.
For example, to grant _John Doe_ full access to all indices that match
the pattern `events*` and enable him to create visualizations and dashboards
for those indices in {kib}, you could create an `events_admin` role
and assign the role to a new `johndoe` user.
+
--
[source,shell]
----------------------------------------------------------
curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
  "indices" : [
    {
      "names" : [ "events*" ],
      "privileges" : [ "all" ]
    },
    {
      "names" : [ ".kibana*" ],
      "privileges" : [ "manage", "read", "index" ]
    }
  ]
}'

curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
  "password" : "userpassword",
  "full_name" : "John Doe",
  "email" : "john.doe@anony.mous",
  "roles" : [ "events_admin" ]
}'
----------------------------------------------------------
// NOTCONSOLE
--

[[enable-auditing]]
. Enable auditing to keep track of attempted and successful interactions with
  your {es} cluster:
+
--
.. Add the following setting to `elasticsearch.yml` on all nodes in your cluster:
+
[source,yaml]
----------------------------
xpack.security.audit.enabled: true
----------------------------
+
For more information, see {stack-ov}/auditing.html[Auditing Security Events] 
and <<auditing-settings>>. 

.. Restart {es}.

Events are logged to a dedicated `<clustername>_audit.json` file in
`ES_HOME/logs`, on each cluster node.
--

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/security/securing-communications/securing-elasticsearch.asciidoc
include::{es-repo-dir}/security/securing-communications/securing-elasticsearch.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc
include::{es-repo-dir}/security/securing-communications/configuring-tls-docker.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc
include::{es-repo-dir}/security/securing-communications/enabling-cipher-suites.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc
include::{es-repo-dir}/security/securing-communications/separating-node-client-traffic.asciidoc[]
:edit_url:
include::authentication/configuring-active-directory-realm.asciidoc[]
include::authentication/configuring-file-realm.asciidoc[]
include::authentication/configuring-ldap-realm.asciidoc[]
include::authentication/configuring-native-realm.asciidoc[]
include::authentication/configuring-pki-realm.asciidoc[]
include::authentication/configuring-saml-realm.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc
include::authentication/configuring-kerberos-realm.asciidoc[]
:edit_url: 
include::fips-140-compliance.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/settings/security-settings.asciidoc
include::{es-repo-dir}/settings/security-settings.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/security/reference/files.asciidoc
include::{es-repo-dir}/security/reference/files.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/docs/reference/settings/audit-settings.asciidoc
include::{es-repo-dir}/settings/audit-settings.asciidoc[]