Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: eb3c57b8eb
Branches Tags
elasticsearch
/
docs
/
reference
/
migration
/
migrate_8_0
/
security.asciidoc

security.asciidoc 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 
  1. [float]
    2. 

  2. [[breaking_80_security_changes]]
    3. 

  3. === Security changes
    4. 

  4. 

  5. //NOTE: The notable-breaking-changes tagged regions are re-used in the
    6. 

  6. //Installation and Upgrade Guide
    7. 

  7. 

  8. //tag::notable-breaking-changes[]
    9. 

  9. 

  10. // end::notable-breaking-changes[]
    11. 

  11. 

  12. [float]
    13. 

  13. [[accept-default-password-removed]]
    14. 

  14. ==== The `accept_default_password` setting has been removed
    15. 

  15. 

  16. The `xpack.security.authc.accept_default_password` setting has not had any affect
    17. 

  17. since the 6.0 release of {es}. It has been removed and cannot be used.
    18. 

  18. 

  19. [float]
    20. 

  20. [[roles-index-cache-removed]]
    21. 

  21. ==== The `roles.index.cache.*` settings have been removed
    22. 

  22. 

  23. The `xpack.security.authz.store.roles.index.cache.max_size` and
    24. 

  24. `xpack.security.authz.store.roles.index.cache.ttl` settings have
    25. 

  25. been removed. These settings have been redundant and deprecated
    26. 

  26. since the 5.2 release of {es}.
    27. 

  27. 

  28. [float]
    29. 

  29. [[migrate-tool-removed]]
    30. 

  30. ==== The `elasticsearch-migrate` tool has been removed
    31. 

  31. 

  32. The `elasticsearch-migrate` tool provided a way to convert file
    33. 

  33. realm users and roles into the native realm. It has been deprecated
    34. 

  34. since 7.2.0. Users and roles should now be created in the native
    35. 

  35. realm directly.
    36. 

  36. 

  37. [float]
    38. 

  38. [[separating-node-and-client-traffic]]
    39. 

  39. ==== The `transport.profiles.*.xpack.security.type` setting has been removed
    40. 

  40. 

  41. The `transport.profiles.*.xpack.security.type` setting has been removed since
    42. 

  42. the Transport Client has been removed and therefore all client traffic now uses
    43. 

  43. the HTTP transport. Transport profiles using this setting should be removed.
    44. 

  44. 

  45. [float]
    46. 

  46. [[ssl-validation-changes]]
    47. 

  47. ==== SSL/TLS configuration validation
    48. 

  48. 

  49. [float]
    50. 

  50. ===== The `xpack.security.transport.ssl.enabled` setting may be required
    51. 

  51. 

  52. It is now an error to configure any SSL settings for
    53. 

  53. `xpack.security.transport.ssl` without also configuring
    54. 

  54. `xpack.security.transport.ssl.enabled`.
    55. 

  55. 

  56. For example, the following configuration is invalid:
    57. 

  57. [source,yaml]
    58. 

  58. --------------------------------------------------
    59. 

  59. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    60. 

  60. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    61. 

  61. --------------------------------------------------
    62. 

  62. 

  63. And must be configured as:
    64. 

  64. [source,yaml]
    65. 

  65. --------------------------------------------------
    66. 

  66. xpack.security.transport.ssl.enabled: true <1>
    67. 

  67. xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    68. 

  68. xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
    69. 

  69. --------------------------------------------------
    70. 

  70. <1> or `false`.
    71. 

  71. 

  72. [float]
    73. 

  73. ===== The `xpack.security.http.ssl.enabled` setting may be required
    74. 

  74. 

  75. It is now an error to configure any SSL settings for
    76. 

  76. `xpack.security.http.ssl` without also configuring
    77. 

  77. `xpack.security.http.ssl.enabled`.
    78. 

  78. 

  79. For example, the following configuration is invalid:
    80. 

  80. [source,yaml]
    81. 

  81. --------------------------------------------------
    82. 

  82. xpack.security.http.ssl.certificate: elasticsearch.crt 
    83. 

  83. xpack.security.http.ssl.key: elasticsearch.key 
    84. 

  84. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    85. 

  85. --------------------------------------------------
    86. 

  86. 

  87. And must be configured as either:
    88. 

  88. [source,yaml]
    89. 

  89. --------------------------------------------------
    90. 

  90. xpack.security.http.ssl.enabled: true <1>
    91. 

  91. xpack.security.http.ssl.certificate: elasticsearch.crt 
    92. 

  92. xpack.security.http.ssl.key: elasticsearch.key 
    93. 

  93. xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
    94. 

  94. --------------------------------------------------
    95. 

  95. <1> or `false`.
    96. 

  96. 

  97. [float]
    98. 

  98. ===== The `xpack.security.transport.ssl` Certificate and Key may be required
    99. 

  99. 

  100. It is now an error to enable SSL for the transport interface without also configuring
    101. 

  101. a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
    102. 

  102. setting or the `xpack.security.transport.ssl.certificate` and
    103. 

  103. `xpack.security.transport.ssl.key` settings.
    104. 

  104. 

  105. [float]
    106. 

  106. ===== The `xpack.security.http.ssl` Certificate and Key may be required
    107. 

  107. 

  108. It is now an error to enable SSL for the HTTP (Rest) server without also configuring
    109. 

  109. a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
    110. 

  110. setting or the `xpack.security.http.ssl.certificate` and
    111. 

  111. `xpack.security.http.ssl.key` settings.
    112. 

  112. 

  113.