Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: b3e171b600
Branches Tags
elasticsearch
/
docs
/
reference
/
migration
/
migrate_8_0
/
security.asciidoc

security.asciidoc 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 
  1. [discrete]
    2. 

  2. [[breaking_80_security_changes]]
    3. 

  3. ==== Security changes
    4. 

  4. 

  5. //NOTE: The notable-breaking-changes tagged regions are re-used in the
    6. 

  6. //Installation and Upgrade Guide
    7. 

  7. 

  8. //tag::notable-breaking-changes[]
    9. 

  9. .The realm `order` setting is now required.
    10. 

  10. [%collapsible]
    11. 

  11. ====
    12. 

  12. *Details* +
    13. 

  13. The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
    14. 

  14. specified for each explicitly configured realm. Each value must be unique.
    15. 

  15. 

  16. *Impact* +
    17. 

  17. The cluster will fail to start if the requirements are not met.
    18. 

  18. 

  19. For example, the following configuration is invalid:
    20. 

  20. [source,yaml]
    21. 

  21. --------------------------------------------------
    22. 

  22. xpack.security.authc.realms.kerberos.kerb1:
    23. 

  23.   keytab.path: es.keytab
    24. 

  24.   remove_realm_name: false
    25. 

  25. --------------------------------------------------
    26. 

  26. 

  27. And must be configured as:
    28. 

  28. [source,yaml]
    29. 

  29. --------------------------------------------------
    30. 

  30. xpack.security.authc.realms.kerberos.kerb1:
    31. 

  31.   order: 0
    32. 

  32.   keytab.path: es.keytab
    33. 

  33.   remove_realm_name: false
    34. 

  34. --------------------------------------------------
    35. 

  35. ====
    36. 

  36. 

  37. [[audit-logs-are-rolled-over-and-archived-by-size]]
    38. 

  38. .Audit logs are rolled-over and archived by size.
    39. 

  39. [%collapsible]
    40. 

  40. ====
    41. 

  41. *Details* +
    42. 

  42. In addition to the existing daily rollover, the security audit logs are
    43. 

  43. now rolled-over by disk size limit as well. Moreover, the rolled-over logs
    44. 

  44. are also gzip compressed.
    45. 

  45. 

  46. *Impact* +
    47. 

  47. The names of rolled over audit logfiles (but not the name of the current log)
    48. 

  48. have changed.
    49. 

  49. If you've setup automated tools to consume these files, you must configure them
    50. 

  50. to use the new names and to possibly account for gzip archives instead of plaintext.
    51. 

  51. The Docker build of Elasticsearch is not affected since it logs on stdout where
    52. 

  52. rollover is not performed.
    53. 

  53. ====
    54. 

  54. // end::notable-breaking-changes[]
    55. 

  55. 

  56. [[accept-default-password-removed]]
    57. 

  57. .The `accept_default_password` setting has been removed.
    58. 

  58. [%collapsible]
    59. 

  59. ====
    60. 

  60. *Details* +
    61. 

  61. The `xpack.security.authc.accept_default_password` setting has not had any affect
    62. 

  62. since the 6.0 release of {es}. It has been removed and cannot be used.
    63. 

  63. 

  64. *Impact* +
    65. 

  65. Discontinue use of the `xpack.security.authc.accept_default_password` setting.
    66. 

  66. Specifying this setting in `elasticsearch.yml` will result in an error on
    67. 

  67. startup.
    68. 

  68. ====
    69. 

  69. 

  70. [[roles-index-cache-removed]]
    71. 

  71. .The `roles.index.cache.*` settings have been removed.
    72. 

  72. [%collapsible]
    73. 

  73. ====
    74. 

  74. *Details* +
    75. 

  75. The `xpack.security.authz.store.roles.index.cache.max_size` and
    76. 

  76. `xpack.security.authz.store.roles.index.cache.ttl` settings have
    77. 

  77. been removed. These settings have been redundant and deprecated
    78. 

  78. since the 5.2 release of {es}.
    79. 

  79. 

  80. *Impact* +
    81. 

  81. Discontinue use of the `xpack.security.authz.store.roles.index.cache.max_size`
    82. 

  82. and `xpack.security.authz.store.roles.index.cache.ttl` settings. Specifying
    83. 

  83. these settings in `elasticsearch.yml` will result in an error on startup.
    84. 

  84. ====
    85. 

  85. 

  86. [[migrate-tool-removed]]
    87. 

  87. .The `elasticsearch-migrate` tool has been removed.
    88. 

  88. [%collapsible]
    89. 

  89. ====
    90. 

  90. *Details* +
    91. 

  91. The `elasticsearch-migrate` tool provided a way to convert file
    92. 

  92. realm users and roles into the native realm. It has been deprecated
    93. 

  93. since 7.2.0. Users and roles should now be created in the native
    94. 

  94. realm directly.
    95. 

  95. 

  96. *Impact* +
    97. 

  97. Discontinue use of the `elasticsearch-migrate` tool. Attempts to use the
    98. 

  98. `elasticsearch-migrate` tool will result in an error.
    99. 

  99. ====
    100. 

  100. 

  101. [[separating-node-and-client-traffic]]
    102. 

  102. .The `transport.profiles.*.xpack.security.type` setting has been removed.
    103. 

  103. [%collapsible]
    104. 

  104. ====
    105. 

  105. *Details* +
    106. 

  106. The `transport.profiles.*.xpack.security.type` setting has been removed since
    107. 

  107. the Transport Client has been removed and therefore all client traffic now uses
    108. 

  108. the HTTP transport. Transport profiles using this setting should be removed.
    109. 

  109. 

  110. *Impact* +
    111. 

  111. Discontinue use of the `transport.profiles.*.xpack.security.type` setting.
    112. 

  112. Specifying this setting in a transport profile in `elasticsearch.yml` will
    113. 

  113. result in an error on startup.
    114. 

  114. ====
    115. 

  115. 

  116. [discrete]
    117. 

  117. [[ssl-validation-changes]]
    118. 

  118. ==== SSL/TLS configuration validation
    119. 

  119. 

  120. .The `xpack.security.transport.ssl.enabled` setting is now required to configure `xpack.security.transport.ssl` settings.
    121. 

  121. [%collapsible]
    122. 

  122. ====
    123. 

  123. *Details* +
    124. 

  124. It is now an error to configure any SSL settings for
    125. 

  125. `xpack.security.transport.ssl` without also configuring
    126. 

  126. `xpack.security.transport.ssl.enabled`.
    127. 

  127. 

  128. *Impact* +
    129. 

  129. If using other `xpack.security.transport.ssl` settings, you must explicitly
    130. 

  130. specify the `xpack.security.transport.ssl.enabled` setting.
    131. 

  131. 

  132. If you do not want to enable SSL and are currently using other
    133. 

  133. `xpack.security.transport.ssl` settings, do one of the following:
    134. 

  134. 

  135. * Explicitly specify `xpack.security.transport.ssl.enabled` as `false`
    136. 

  136. * Discontinue use of other `xpack.security.transport.ssl` settings
    137. 

  137. 

  138. If you want to enable SSL, follow the instructions in
    139. 

  139. {ref}/configuring-tls.html#tls-transport[Encrypting communications between nodes
    140. 

  140. in a cluster]. As part of this configuration, explicitly specify
    141. 

  141. `xpack.security.transport.ssl.enabled` as `true`.
    142. 

  142. 

  143. For example, the following configuration is invalid:
    144. 

  144. [source,yaml]
    145. 

  145. --------------------------------------------------
    146. 

  146. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    147. 

  147. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    148. 

  148. --------------------------------------------------
    149. 

  149. 

  150. And must be configured as:
    151. 

  151. [source,yaml]
    152. 

  152. --------------------------------------------------
    153. 

  153. xpack.security.transport.ssl.enabled: true <1>
    154. 

  154. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    155. 

  155. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    156. 

  156. --------------------------------------------------
    157. 

  157. <1> or `false`.
    158. 

  158. ====
    159. 

  159. 

  160. .The `xpack.security.http.ssl.enabled` setting is now required to configure `xpack.security.http.ssl` settings.
    161. 

  161. [%collapsible]
    162. 

  162. ====
    163. 

  163. *Details* +
    164. 

  164. It is now an error to configure any SSL settings for
    165. 

  165. `xpack.security.http.ssl` without also configuring
    166. 

  166. `xpack.security.http.ssl.enabled`.
    167. 

  167. 

  168. *Impact* +
    169. 

  169. If using other `xpack.security.http.ssl` settings, you must explicitly
    170. 

  170. specify the `xpack.security.http.ssl.enabled` setting.
    171. 

  171. 

  172. If you do not want to enable SSL and are currently using other
    173. 

  173. `xpack.security.http.ssl` settings, do one of the following:
    174. 

  174. 

  175. * Explicitly specify `xpack.security.http.ssl.enabled` as `false`
    176. 

  176. * Discontinue use of other `xpack.security.http.ssl` settings
    177. 

  177. 

  178. If you want to enable SSL, follow the instructions in
    179. 

  179. {ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. As part
    180. 

  180. of this configuration, explicitly specify `xpack.security.http.ssl.enabled`
    181. 

  181. as `true`.
    182. 

  182. 

  183. For example, the following configuration is invalid:
    184. 

  184. [source,yaml]
    185. 

  185. --------------------------------------------------
    186. 

  186. xpack.security.http.ssl.certificate: elasticsearch.crt
    187. 

  187. xpack.security.http.ssl.key: elasticsearch.key
    188. 

  188. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    189. 

  189. --------------------------------------------------
    190. 

  190. 

  191. And must be configured as either:
    192. 

  192. [source,yaml]
    193. 

  193. --------------------------------------------------
    194. 

  194. xpack.security.http.ssl.enabled: true <1>
    195. 

  195. xpack.security.http.ssl.certificate: elasticsearch.crt
    196. 

  196. xpack.security.http.ssl.key: elasticsearch.key
    197. 

  197. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    198. 

  198. --------------------------------------------------
    199. 

  199. <1> or `false`.
    200. 

  200. ====
    201. 

  201. 

  202. .A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface.
    203. 

  203. [%collapsible]
    204. 

  204. ====
    205. 

  205. *Details* +
    206. 

  206. It is now an error to enable SSL for the transport interface without also configuring
    207. 

  207. a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
    208. 

  208. setting or the `xpack.security.transport.ssl.certificate` and
    209. 

  209. `xpack.security.transport.ssl.key` settings.
    210. 

  210. 

  211. *Impact* +
    212. 

  212. If `xpack.security.transport.ssl.enabled` is set to `true`, provide a
    213. 

  213. certificate and key using the `xpack.security.transport.ssl.keystore.path`
    214. 

  214. setting or the `xpack.security.transport.ssl.certificate` and
    215. 

  215. `xpack.security.transport.ssl.key` settings. If a certificate and key is not
    216. 

  216. provided, {es} will return in an error on startup.
    217. 

  217. ====
    218. 

  218. 

  219. .A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
    220. 

  220. [%collapsible]
    221. 

  221. ====
    222. 

  222. *Details* +
    223. 

  223. It is now an error to enable SSL for the HTTP (Rest) server without also configuring
    224. 

  224. a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
    225. 

  225. setting or the `xpack.security.http.ssl.certificate` and
    226. 

  226. `xpack.security.http.ssl.key` settings.
    227. 

  227. 

  228. *Impact* +
    229. 

  229. If `xpack.security.http.ssl.enabled` is set to `true`, provide a certificate and
    230. 

  230. key using the `xpack.security.http.ssl.keystore.path` setting or the
    231. 

  231. `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key`
    232. 

  232. settings. If certificate and key is not provided, {es} will return in an error
    233. 

  233. on startup.
    234. 

  234. ====
    235. 

  235. 

  236. [discrete]
    237. 

  237. [[builtin-users-changes]]
    238. 

  238. ==== Changes to built-in users
    239. 

  239. 

  240. .The `kibana` user has been replaced by `kibana_system`.
    241. 

  241. [%collapsible]
    242. 

  242. ====
    243. 

  243. *Details* +
    244. 

  244. The `kibana` user was historically used to authenticate {kib} to {es}.
    245. 

  245. The name of this user was confusing, and was often mistakenly used to login to {kib}.
    246. 

  246. This has been renamed to `kibana_system` in order to reduce confusion, and to better
    247. 

  247. align with other built-in system accounts.
    248. 

  248. 

  249. *Impact* +
    250. 

  250. Replace any use of the `kibana` user with the `kibana_system` user. Specifying
    251. 

  251. the `kibana` user in `kibana.yml` will result in an error on startup.
    252. 

  252. 

  253. If your `kibana.yml` used to contain:
    254. 

  254. [source,yaml]
    255. 

  255. --------------------------------------------------
    256. 

  256. elasticsearch.username: kibana
    257. 

  257. --------------------------------------------------
    258. 

  258. 

  259. then you should update to use the new `kibana_system` user instead:
    260. 

  260. [source,yaml]
    261. 

  261. --------------------------------------------------
    262. 

  262. elasticsearch.username: kibana_system
    263. 

  263. --------------------------------------------------
    264. 

  264. 

  265. IMPORTANT: The new `kibana_system` user does not preserve the previous `kibana`
    266. 

  266. user password. You must explicitly set a password for the `kibana_system` user.
    267. 

  267. ====
    268. 

  268. 

  269. [discrete]
    270. 

  270. [[builtin-roles-changes]]
    271. 

  271. ==== Changes to built-in roles
    272. 

  272. 

  273. .The `kibana_user` role has been renamed `kibana_admin`.
    274. 

  274. [%collapsible]
    275. 

  275. ====
    276. 

  276. *Details* +
    277. 

  277. Users who were previously assigned the `kibana_user` role should instead be assigned
    278. 

  278. the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
    279. 

  279. renamed to better reflect its intended use.
    280. 

  280. 

  281. *Impact* +
    282. 

  282. Assign users with the `kibana_user` role to the `kibana_admin` role.
    283. 

  283. Discontinue use of the `kibana_user` role.
    284. 

  284. ====
    285.