Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 9ab920c8f1
Branches Tags
elasticsearch
/
docs
/
reference
/
migration
/
migrate_8_0
/
security.asciidoc

security.asciidoc 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190 
  1. [float]
    2. 

  2. [[breaking_80_security_changes]]
    3. 

  3. === Security changes
    4. 

  4. 

  5. //NOTE: The notable-breaking-changes tagged regions are re-used in the
    6. 

  6. //Installation and Upgrade Guide
    7. 

  7. 

  8. //tag::notable-breaking-changes[]
    9. 

  9. .The realm `order` setting is now required.
    10. 

  10. [%collapsible]
    11. 

  11. ====
    12. 

  12. *Details* +
    13. 

  13. The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
    14. 

  14. specified for each explicitly configured realm. Each value must be unique.
    15. 

  15. The cluster will fail to start if the requirements are not met.
    16. 

  16. 

  17. For example, the following configuration is invalid:
    18. 

  18. [source,yaml]
    19. 

  19. --------------------------------------------------
    20. 

  20. xpack.security.authc.realms.kerberos.kerb1:
    21. 

  21.   keytab.path: es.keytab
    22. 

  22.   remove_realm_name: false
    23. 

  23. --------------------------------------------------
    24. 

  24. 

  25. And must be configured as:
    26. 

  26. [source,yaml]
    27. 

  27. --------------------------------------------------
    28. 

  28. xpack.security.authc.realms.kerberos.kerb1:
    29. 

  29.   order: 0
    30. 

  30.   keytab.path: es.keytab
    31. 

  31.   remove_realm_name: false
    32. 

  32. --------------------------------------------------
    33. 

  33. ====
    34. 

  34. // end::notable-breaking-changes[]
    35. 

  35. 

  36. [[accept-default-password-removed]]
    37. 

  37. .The `accept_default_password` setting has been removed.
    38. 

  38. [%collapsible]
    39. 

  39. ====
    40. 

  40. *Details* +
    41. 

  41. The `xpack.security.authc.accept_default_password` setting has not had any affect
    42. 

  42. since the 6.0 release of {es}. It has been removed and cannot be used.
    43. 

  43. ====
    44. 

  44. 

  45. [[roles-index-cache-removed]]
    46. 

  46. .The `roles.index.cache.*` settings have been removed.
    47. 

  47. [%collapsible]
    48. 

  48. ====
    49. 

  49. *Details* +
    50. 

  50. The `xpack.security.authz.store.roles.index.cache.max_size` and
    51. 

  51. `xpack.security.authz.store.roles.index.cache.ttl` settings have
    52. 

  52. been removed. These settings have been redundant and deprecated
    53. 

  53. since the 5.2 release of {es}.
    54. 

  54. ====
    55. 

  55. 

  56. [[migrate-tool-removed]]
    57. 

  57. .The `elasticsearch-migrate` tool has been removed.
    58. 

  58. [%collapsible]
    59. 

  59. ====
    60. 

  60. *Details* +
    61. 

  61. The `elasticsearch-migrate` tool provided a way to convert file
    62. 

  62. realm users and roles into the native realm. It has been deprecated
    63. 

  63. since 7.2.0. Users and roles should now be created in the native
    64. 

  64. realm directly.
    65. 

  65. ====
    66. 

  66. 

  67. [[separating-node-and-client-traffic]]
    68. 

  68. .The `transport.profiles.*.xpack.security.type` setting has been removed.
    69. 

  69. [%collapsible]
    70. 

  70. ====
    71. 

  71. *Details* +
    72. 

  72. The `transport.profiles.*.xpack.security.type` setting has been removed since
    73. 

  73. the Transport Client has been removed and therefore all client traffic now uses
    74. 

  74. the HTTP transport. Transport profiles using this setting should be removed.
    75. 

  75. ====
    76. 

  76. 

  77. [discrete]
    78. 

  78. [[ssl-validation-changes]]
    79. 

  79. ==== SSL/TLS configuration validation
    80. 

  80. 

  81. .The `xpack.security.transport.ssl.enabled` setting is now required to configure `xpack.security.transport.ssl` settings.
    82. 

  82. [%collapsible]
    83. 

  83. ====
    84. 

  84. *Details* +
    85. 

  85. It is now an error to configure any SSL settings for
    86. 

  86. `xpack.security.transport.ssl` without also configuring
    87. 

  87. `xpack.security.transport.ssl.enabled`.
    88. 

  88. 

  89. For example, the following configuration is invalid:
    90. 

  90. [source,yaml]
    91. 

  91. --------------------------------------------------
    92. 

  92. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    93. 

  93. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    94. 

  94. --------------------------------------------------
    95. 

  95. 

  96. And must be configured as:
    97. 

  97. [source,yaml]
    98. 

  98. --------------------------------------------------
    99. 

  99. xpack.security.transport.ssl.enabled: true <1>
    100. 

  100. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    101. 

  101. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    102. 

  102. --------------------------------------------------
    103. 

  103. <1> or `false`.
    104. 

  104. ====
    105. 

  105. 

  106. .The `xpack.security.http.ssl.enabled` setting is now required to configure `xpack.security.http.ssl` settings.
    107. 

  107. [%collapsible]
    108. 

  108. ====
    109. 

  109. *Details* +
    110. 

  110. It is now an error to configure any SSL settings for
    111. 

  111. `xpack.security.http.ssl` without also configuring
    112. 

  112. `xpack.security.http.ssl.enabled`.
    113. 

  113. 

  114. For example, the following configuration is invalid:
    115. 

  115. [source,yaml]
    116. 

  116. --------------------------------------------------
    117. 

  117. xpack.security.http.ssl.certificate: elasticsearch.crt
    118. 

  118. xpack.security.http.ssl.key: elasticsearch.key
    119. 

  119. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    120. 

  120. --------------------------------------------------
    121. 

  121. 

  122. And must be configured as either:
    123. 

  123. [source,yaml]
    124. 

  124. --------------------------------------------------
    125. 

  125. xpack.security.http.ssl.enabled: true <1>
    126. 

  126. xpack.security.http.ssl.certificate: elasticsearch.crt
    127. 

  127. xpack.security.http.ssl.key: elasticsearch.key
    128. 

  128. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    129. 

  129. --------------------------------------------------
    130. 

  130. <1> or `false`.
    131. 

  131. ====
    132. 

  132. 

  133. .A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface. 
    134. 

  134. [%collapsible]
    135. 

  135. ====
    136. 

  136. *Details* +
    137. 

  137. It is now an error to enable SSL for the transport interface without also configuring
    138. 

  138. a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
    139. 

  139. setting or the `xpack.security.transport.ssl.certificate` and
    140. 

  140. `xpack.security.transport.ssl.key` settings.
    141. 

  141. ====
    142. 

  142. 

  143. .A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
    144. 

  144. [%collapsible]
    145. 

  145. ====
    146. 

  146. *Details* +
    147. 

  147. It is now an error to enable SSL for the HTTP (Rest) server without also configuring
    148. 

  148. a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
    149. 

  149. setting or the `xpack.security.http.ssl.certificate` and
    150. 

  150. `xpack.security.http.ssl.key` settings.
    151. 

  151. ====
    152. 

  152. 

  153. [discrete]
    154. 

  154. [[builtin-users-changes]]
    155. 

  155. ==== Changes to built-in users
    156. 

  156. 

  157. .The `kibana` user has been renamed `kibana_system`.
    158. 

  158. [%collapsible]
    159. 

  159. ====
    160. 

  160. *Details* +
    161. 

  161. The `kibana` user was historically used to authenticate {kib} to {es}.
    162. 

  162. The name of this user was confusing, and was often mistakenly used to login to {kib}.
    163. 

  163. This has been renamed to `kibana_system` in order to reduce confusion, and to better
    164. 

  164. align with other built-in system accounts.
    165. 

  165. 

  166. If your `kibana.yml` used to contain:
    167. 

  167. [source,yaml]
    168. 

  168. --------------------------------------------------
    169. 

  169. elasticsearch.username: kibana
    170. 

  170. --------------------------------------------------
    171. 

  171. 

  172. then you should update to use the new `kibana_system` user instead:
    173. 

  173. [source,yaml]
    174. 

  174. --------------------------------------------------
    175. 

  175. elasticsearch.username: kibana_system
    176. 

  176. --------------------------------------------------
    177. 

  177. ====
    178. 

  178. 

  179. [discrete]
    180. 

  180. [[builtin-roles-changes]]
    181. 

  181. ==== Changes to built-in roles
    182. 

  182. 

  183. .The `kibana_user` role has been renamed to `kibana_admin`.
    184. 

  184. [%collapsible]
    185. 

  185. ====
    186. 

  186. *Details* +
    187. 

  187. Users who were previously assigned the `kibana_user` role should instead be assigned
    188. 

  188. the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
    189. 

  189. renamed to better reflect its intended use.
    190. 

  190. ====
    191.