Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
lqb
/
elasticsearch
spogulis no https://gitee.com/mirrors/elasticsearch.git
1
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: f56a0f4b66
Atzari Tagi
elasticsearch
/
docs
/
reference
/
high-availability
/
backup-and-restore-security-config.asciidoc

backup-and-restore-security-config.asciidoc 6.3 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163 
  1. [role="xpack"]
    2. 

  2. [[security-backup]]
    3. 

  3. === Back up a cluster's security configuration
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Back up the security configuration</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Security configuration information resides in two places:
    9. 

  9. <<backup-security-file-based-configuration,files>> and
    10. 

  10. <<backup-security-index-configuration,indices>>.
    11. 

  11. 

  12. [discrete]
    13. 

  13. [[backup-security-file-based-configuration]]
    14. 

  14. ==== Back up file-based security configuration
    15. 

  15. 

  16. {es} {security-features} are configured using the <<security-settings,
    17. 

  17. `xpack.security` namespace>> inside the `elasticsearch.yml` and
    18. 

  18. `elasticsearch.keystore` files. In addition there are several other
    19. 

  19. <<security-files, extra configuration files>> inside the same `ES_PATH_CONF`
    20. 

  20. directory. These files define roles and role mappings and configure the
    21. 

  21. <<file-realm,file realm>>. Some of the
    22. 

  22. settings specify file paths to security-sensitive data, such as TLS keys and
    23. 

  23. certificates for the HTTP client and inter-node communication and private key files for
    24. 

  24. <<ref-saml-settings, SAML>>, <<ref-oidc-settings, OIDC>> and the
    25. 

  25. <<ref-kerberos-settings, Kerberos>> realms. All these are also stored inside
    26. 

  26. `ES_PATH_CONF`; the path settings are relative.
    27. 

  27. 

  28. IMPORTANT: The `elasticsearch.keystore`, TLS keys and SAML, OIDC, and Kerberos
    29. 

  29. realms private key files require confidentiality. This is crucial when files
    30. 

  30. are copied to the backup location, as this increases the surface for malicious
    31. 

  31. snooping.
    32. 

  32. 

  33. To back up all this configuration you can use a <<backup-cluster-configuration,
    34. 

  34. conventional file-based backup>>, as described in the previous section.
    35. 

  35. 

  36. [NOTE]
    37. 

  37. ====
    38. 

  38. 

  39. * File backups must run on every cluster node.
    40. 

  40. * File backups will store non-security configuration as well. Backing-up
    41. 

  41. only {security-features} configuration is not supported. A backup is a
    42. 

  42. point in time record of state of the complete configuration.
    43. 

  43. 

  44. ====
    45. 

  45. 

  46. [discrete]
    47. 

  47. [[backup-security-index-configuration]]
    48. 

  48. ==== Back up index-based security configuration
    49. 

  49. 

  50. {es} {security-features} store system configuration data inside a
    51. 

  51. dedicated index. This index is named `.security-6` in the {es} 6.x versions and
    52. 

  52. `.security-7` in the 7.x releases. The `.security` alias always points to the
    53. 

  53. appropriate index. This index contains the data which is not available in
    54. 

  54. configuration files and *cannot* be reliably backed up using standard
    55. 

  55. filesystem tools. This data describes:
    56. 

  56. 

  57. * the definition of users in the native realm (including hashed passwords)
    58. 

  58. * role definitions (defined via the <<security-api-put-role,create roles API>>)
    59. 

  59. * role mappings (defined via the
    60. 

  60.   <<security-api-put-role-mapping,create role mappings API>>)
    61. 

  61. * application privileges
    62. 

  62. * API keys
    63. 

  63. 

  64. The `.security` index thus contains resources and definitions in addition to
    65. 

  65. configuration information. All of that information is required in a complete
    66. 

  66. {security-features} backup.
    67. 

  67. 

  68. Use the <<modules-snapshots, standard {es} snapshot functionality>> to backup
    69. 

  69. `.security`, as you would for any <<backup-cluster-data, other data index>>.
    70. 

  70. For convenience, here are the complete steps:
    71. 

  71. 

  72. . Create a repository that you can use to backup the `.security` index.
    73. 

  73. It is preferable to have a <<backup-security-repos, dedicated repository>> for
    74. 

  74. this special index. If you wish, you can also snapshot the system indices for other {stack} components to this repository. 
    75. 

  75. +
    76. 

  76. --
    77. 

  77. [source,console]
    78. 

  78. -----------------------------------
    79. 

  79. PUT /_snapshot/my_backup
    80. 

  80. {
    81. 

  81.   "type": "fs",
    82. 

  82.   "settings": {
    83. 

  83.     "location": "my_backup_location"
    84. 

  84.   }
    85. 

  85. }
    86. 

  86. -----------------------------------
    87. 

  87. 

  88. The user calling this API must have the elevated `manage` cluster privilege to
    89. 

  89. prevent non-administrators exfiltrating data.
    90. 

  90. 

  91. --
    92. 

  92. 

  93. . Create a user and assign it only the built-in `snapshot_user` role.
    94. 

  94. +
    95. 

  95. --
    96. 

  96. The following example creates a new user `snapshot_user` in the
    97. 

  97. <<native-realm,native realm>>, but it is not important which
    98. 

  98. realm the user is a member of:
    99. 

  99. 

  100. [source,console]
    101. 

  101. --------------------------------------------------
    102. 

  102. POST /_security/user/snapshot_user
    103. 

  103. {
    104. 

  104.   "password" : "secret",
    105. 

  105.   "roles" : [ "snapshot_user" ]
    106. 

  106. }
    107. 

  107. --------------------------------------------------
    108. 

  108. // TEST[skip:security is not enabled in this fixture]
    109. 

  109. 

  110. --
    111. 

  111. 

  112. . Create incremental snapshots authorized as `snapshot_user`.
    113. 

  113. +
    114. 

  114. --
    115. 

  115. The following example shows how to use the create snapshot API to backup
    116. 

  116. the `.security` index to the `my_backup` repository:
    117. 

  117. 

  118. [source,console]
    119. 

  119. --------------------------------------------------
    120. 

  120. PUT /_snapshot/my_backup/snapshot_1
    121. 

  121. {
    122. 

  122.   "indices": ".security",
    123. 

  123.   "include_global_state": true <1>
    124. 

  124. }
    125. 

  125. --------------------------------------------------
    126. 

  126. // TEST[continued]
    127. 

  127. 

  128. <1> This parameter value captures all the persistent settings stored in the
    129. 

  129. global cluster metadata as well as other configurations such as aliases and
    130. 

  130. stored scripts. Note that this includes non-security configuration and that it complements but does not replace the
    131. 

  131. <<backup-cluster-configuration, filesystem configuration files backup>>.
    132. 

  132. 

  133. --
    134. 

  134. 

  135. IMPORTANT: The index format is only compatible within a single major version,
    136. 

  136. and cannot be restored onto a version earlier than the version from which it
    137. 

  137. originated. For example, you can restore a security snapshot from 6.6.0 into a
    138. 

  138. 6.7.0 cluster, but you cannot restore it to a cluster running {es} 6.5.0 or 7.0.0.
    139. 

  139. 

  140. [discrete]
    141. 

  141. [[backup-security-repos]]
    142. 

  142. ===== Controlling access to the backup repository
    143. 

  143. 

  144. The snapshot of the security index will typically contain sensitive data such
    145. 

  145. as user names and password hashes. Because passwords are stored using
    146. 

  146. <<hashing-settings, cryptographic hashes>>, the disclosure of a snapshot would
    147. 

  147. not automatically enable a third party to authenticate as one of your users or
    148. 

  148. use API keys. However, it would disclose confidential information.
    149. 

  149. 

  150. It is also important that you protect the integrity of these backups in case
    151. 

  151. you ever need to restore them. If a third party is able to modify the stored
    152. 

  152. backups, they may be able to install a back door that would grant access if the
    153. 

  153. snapshot is loaded into an {es} cluster.
    154. 

  154. 

  155. We recommend that you:
    156. 

  156. 

  157. * Snapshot the `.security` index in a dedicated repository, where read and write
    158. 

  158. access is strictly restricted and audited.
    159. 

  159. * If there are indications that the snapshot has been read, change the passwords
    160. 

  160. of the users in the native realm and revoke API keys.
    161. 

  161. * If there are indications that the snapshot has been tampered with, do not
    162. 

  162. restore it. There is currently no option for the restore process to detect
    163. 

  163. malicious tampering.
    164.