Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 76c1c300c9
Branches Tags
elasticsearch
/
docs
/
reference
/
migration
/
migrate_8_0
/
security.asciidoc

security.asciidoc 4.8 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 
  1. [float]
    2. 

  2. [[breaking_80_security_changes]]
    3. 

  3. === Security changes
    4. 

  4. 

  5. //NOTE: The notable-breaking-changes tagged regions are re-used in the
    6. 

  6. //Installation and Upgrade Guide
    7. 

  7. 

  8. //tag::notable-breaking-changes[]
    9. 

  9. [float]
    10. 

  10. ==== The realm `order` setting is required
    11. 

  11. 

  12. The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
    13. 

  13. specified for each explicitly configured realm. Each value must be unique.
    14. 

  14. The cluster will fail to start if the requirements are not met.
    15. 

  15. 

  16. For example, the following configuration is invalid:
    17. 

  17. [source,yaml]
    18. 

  18. --------------------------------------------------
    19. 

  19. xpack.security.authc.realms.kerberos.kerb1:
    20. 

  20.   keytab.path: es.keytab
    21. 

  21.   remove_realm_name: false
    22. 

  22. --------------------------------------------------
    23. 

  23. 

  24. And must be configured as:
    25. 

  25. [source,yaml]
    26. 

  26. --------------------------------------------------
    27. 

  27. xpack.security.authc.realms.kerberos.kerb1:
    28. 

  28.   order: 0
    29. 

  29.   keytab.path: es.keytab
    30. 

  30.   remove_realm_name: false
    31. 

  31. --------------------------------------------------
    32. 

  32. 

  33. // end::notable-breaking-changes[]
    34. 

  34. 

  35. [float]
    36. 

  36. [[accept-default-password-removed]]
    37. 

  37. ==== The `accept_default_password` setting has been removed
    38. 

  38. 

  39. The `xpack.security.authc.accept_default_password` setting has not had any affect
    40. 

  40. since the 6.0 release of {es}. It has been removed and cannot be used.
    41. 

  41. 

  42. [float]
    43. 

  43. [[roles-index-cache-removed]]
    44. 

  44. ==== The `roles.index.cache.*` settings have been removed
    45. 

  45. 

  46. The `xpack.security.authz.store.roles.index.cache.max_size` and
    47. 

  47. `xpack.security.authz.store.roles.index.cache.ttl` settings have
    48. 

  48. been removed. These settings have been redundant and deprecated
    49. 

  49. since the 5.2 release of {es}.
    50. 

  50. 

  51. [float]
    52. 

  52. [[migrate-tool-removed]]
    53. 

  53. ==== The `elasticsearch-migrate` tool has been removed
    54. 

  54. 

  55. The `elasticsearch-migrate` tool provided a way to convert file
    56. 

  56. realm users and roles into the native realm. It has been deprecated
    57. 

  57. since 7.2.0. Users and roles should now be created in the native
    58. 

  58. realm directly.
    59. 

  59. 

  60. [float]
    61. 

  61. [[separating-node-and-client-traffic]]
    62. 

  62. ==== The `transport.profiles.*.xpack.security.type` setting has been removed
    63. 

  63. 

  64. The `transport.profiles.*.xpack.security.type` setting has been removed since
    65. 

  65. the Transport Client has been removed and therefore all client traffic now uses
    66. 

  66. the HTTP transport. Transport profiles using this setting should be removed.
    67. 

  67. 

  68. [float]
    69. 

  69. [[ssl-validation-changes]]
    70. 

  70. ==== SSL/TLS configuration validation
    71. 

  71. 

  72. [float]
    73. 

  73. ===== The `xpack.security.transport.ssl.enabled` setting may be required
    74. 

  74. 

  75. It is now an error to configure any SSL settings for
    76. 

  76. `xpack.security.transport.ssl` without also configuring
    77. 

  77. `xpack.security.transport.ssl.enabled`.
    78. 

  78. 

  79. For example, the following configuration is invalid:
    80. 

  80. [source,yaml]
    81. 

  81. --------------------------------------------------
    82. 

  82. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    83. 

  83. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    84. 

  84. --------------------------------------------------
    85. 

  85. 

  86. And must be configured as:
    87. 

  87. [source,yaml]
    88. 

  88. --------------------------------------------------
    89. 

  89. xpack.security.transport.ssl.enabled: true <1>
    90. 

  90. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    91. 

  91. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    92. 

  92. --------------------------------------------------
    93. 

  93. <1> or `false`.
    94. 

  94. 

  95. [float]
    96. 

  96. ===== The `xpack.security.http.ssl.enabled` setting may be required
    97. 

  97. 

  98. It is now an error to configure any SSL settings for
    99. 

  99. `xpack.security.http.ssl` without also configuring
    100. 

  100. `xpack.security.http.ssl.enabled`.
    101. 

  101. 

  102. For example, the following configuration is invalid:
    103. 

  103. [source,yaml]
    104. 

  104. --------------------------------------------------
    105. 

  105. xpack.security.http.ssl.certificate: elasticsearch.crt
    106. 

  106. xpack.security.http.ssl.key: elasticsearch.key
    107. 

  107. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    108. 

  108. --------------------------------------------------
    109. 

  109. 

  110. And must be configured as either:
    111. 

  111. [source,yaml]
    112. 

  112. --------------------------------------------------
    113. 

  113. xpack.security.http.ssl.enabled: true <1>
    114. 

  114. xpack.security.http.ssl.certificate: elasticsearch.crt
    115. 

  115. xpack.security.http.ssl.key: elasticsearch.key
    116. 

  116. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    117. 

  117. --------------------------------------------------
    118. 

  118. <1> or `false`.
    119. 

  119. 

  120. [float]
    121. 

  121. ===== The `xpack.security.transport.ssl` Certificate and Key may be required
    122. 

  122. 

  123. It is now an error to enable SSL for the transport interface without also configuring
    124. 

  124. a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
    125. 

  125. setting or the `xpack.security.transport.ssl.certificate` and
    126. 

  126. `xpack.security.transport.ssl.key` settings.
    127. 

  127. 

  128. [float]
    129. 

  129. ===== The `xpack.security.http.ssl` Certificate and Key may be required
    130. 

  130. 

  131. It is now an error to enable SSL for the HTTP (Rest) server without also configuring
    132. 

  132. a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
    133. 

  133. setting or the `xpack.security.http.ssl.certificate` and
    134. 

  134. `xpack.security.http.ssl.key` settings.
    135.