Configuring security in Elasticsearch
The Elasticsearch security features enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and auditing. For more information, see Overview.
- Verify that you are using a license that includes the specific security features you want. For more information, see https://www.elastic.co/subscriptions and License management.
- Verify that the xpack.security.enabled setting is true on each node in your cluster. If you are using basic or trial licenses, the default value is false. For more information, see Security settings.
- If you plan to run Elasticsearch in a Federal Information Processing Standard (FIPS) 140-2 enabled JVM, see FIPS 140-2.
- Configure Transport Layer Security (TLS/SSL) for internode communication.
  This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more information, see Encrypting communications.
- If it is not already running, start Elasticsearch.
- Set the passwords for all built-in users.
  The Elasticsearch security features provide built-in users to help you get up and running. The elasticsearch-setup-passwords command is the simplest method to set the built-in users' passwords for the first time. For example, you can run the command in an "interactive" mode, which prompts you to enter new passwords for the built-in users:

  bin/elasticsearch-setup-passwords interactive

  For more information about the command options, see elasticsearch-setup-passwords.
  The elasticsearch-setup-passwords command uses a transient bootstrap password that is no longer valid after the command runs successfully. You cannot run the elasticsearch-setup-passwords command a second time. Instead, you can update passwords from the Management > Users UI in Kibana or use the security user API.
- Choose which types of realms you want to use to authenticate users.
  The types of authentication realms that you can enable vary according to your subscription. For more information, see https://www.elastic.co/subscriptions.
- Set up roles and users to control access to Elasticsearch.
  For example, to grant John Doe full access to all indices that match the pattern events* and enable them to create visualizations and dashboards for those indices in Kibana, you could create an events_admin role and assign the role to a new johndoe user.

  curl -XPOST -u elastic 'localhost:9200/_security/role/events_admin' -H "Content-Type: application/json" -d '{
    "indices" : [
      {
        "names" : [ "events*" ],
        "privileges" : [ "all" ]
      },
      {
        "names" : [ ".kibana*" ],
        "privileges" : [ "manage", "read", "index" ]
      }
    ]
  }'

  curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type: application/json" -d '{
    "password" : "userpassword",
    "full_name" : "John Doe",
    "email" : "[email protected]",
    "roles" : [ "events_admin" ]
  }'
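Creating a role and user is only half of the step; the check a practitioner wants afterwards is that the new user ended up with exactly the intended access and nothing more. The following is an added example, not Elastic's own code or part of the original page: it reproduces the two requests above as Python functions and then verifies the result through the has_privileges API, asking as johndoe whether events* indices are accessible and an unrelated index is not. It assumes a cluster at http://localhost:9200 (the address the page's curl commands use) and that the elastic superuser password is passed on the command line; the payload builders and the response checker are pure functions, so they can be exercised without a cluster. The email address is a constructed placeholder.

```python
"""Provision the events_admin role and johndoe user from the page, then verify
the user's effective index access with the has_privileges API.

Added example, not Elastic's own code. Assumes a cluster at ES_URL that accepts
basic authentication for the elastic superuser."""
import base64
import json
import sys
import urllib.request

ES_URL = "http://localhost:9200"  # assumption: same address as the page's curl commands


def build_role(index_patterns, privileges):
    """Body for POST /_security/role/<name>, shaped like the page's events_admin role."""
    return {
        "indices": [
            {"names": list(index_patterns), "privileges": list(privileges)},
            {"names": [".kibana*"], "privileges": ["manage", "read", "index"]},
        ]
    }


def build_user(password, full_name, email, roles):
    """Body for POST /_security/user/<name>."""
    return {"password": password, "full_name": full_name,
            "email": email, "roles": list(roles)}


def build_has_privileges(index_checks):
    """Body for /_security/user/_has_privileges from {index name: [privileges]}."""
    return {"index": [{"names": [name], "privileges": list(privs)}
                      for name, privs in index_checks.items()]}


def privilege_mismatches(response, expected):
    """Diff a has_privileges response against {index: {privilege: bool}}.

    Returns (index, privilege, actual) triples that differ from the expectation;
    an empty list means the role grants exactly what was intended. A privilege
    missing from the response is reported with actual=None."""
    mismatches = []
    for index, privs in expected.items():
        actual = response.get("index", {}).get(index, {})
        for priv, want in privs.items():
            got = actual.get(priv)
            if got is not want:
                mismatches.append((index, priv, got))
    return mismatches


def es_request(method, path, body, user, password):
    """Minimal JSON-over-HTTP client using only the standard library."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(ES_URL + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provision_and_verify(admin_password, user_password):
    """Run the page's two POSTs, then check johndoe's access while authenticated as johndoe."""
    es_request("POST", "/_security/role/events_admin",
               build_role(["events*"], ["all"]), "elastic", admin_password)
    es_request("POST", "/_security/user/johndoe",
               build_user(user_password, "John Doe", "johndoe@example.com",  # constructed address
                          ["events_admin"]),
               "elastic", admin_password)
    # events* indices should be fully usable; an unrelated index must not be readable.
    checks = build_has_privileges({"events-2024": ["read", "write", "delete_index"],
                                   "logs-2024": ["read"]})
    response = es_request("POST", "/_security/user/_has_privileges", checks,
                          "johndoe", user_password)
    return privilege_mismatches(response, {
        "events-2024": {"read": True, "write": True, "delete_index": True},
        "logs-2024": {"read": False},
    })


if __name__ == "__main__":
    # usage: python verify_role.py <elastic password> <johndoe password>
    print("mismatches:", provision_and_verify(sys.argv[1], sys.argv[2]))
```

Running it against a live cluster prints an empty list when the grants match the intent. Note that "all" on events* includes destructive privileges such as delete_index, which the verification above makes explicit; if the user only needs to search and write events, narrowing the privilege list is the usual follow-up.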
- (Optional) Enable auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:
  Audit logging is available with specific subscriptions. For more information, see https://www.elastic.co/subscriptions.
  - Add the following setting to elasticsearch.yml on all nodes in your cluster:

    xpack.security.audit.enabled: true

    For more information, see Audit logging and Auditing settings.
  - Restart Elasticsearch.
  Events are logged to a dedicated <clustername>_audit.json file in ES_HOME/logs, on each cluster node.
- To walk through the configuration of security features in Elasticsearch, Kibana, Logstash, and Metricbeat, see Tutorial: Getting started with security.
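Once audit logging is enabled, the <clustername>_audit.json file described in the auditing step above is newline-delimited JSON, one event per line. The following is an added example, not Elastic's own code or part of the original page: it parses such a file, tolerates malformed lines, and summarises failed authentications per user and source address, access denials per user, and successful logins, which are the first three things a defender usually wants from the audit trail. The sample lines are constructed, and the flattened field names (event.action, user.name, origin.address, indices) follow the 7.x JSON audit format as an assumption; adjust them if your version emits different keys.

```python
"""Summarise an Elasticsearch JSON audit log into authentication failures,
access denials and successful logins.

Added example, not Elastic's own code. Field names are assumed from the
7.x JSON audit log format; the sample below is constructed."""
import json
from collections import Counter, defaultdict

# Constructed sample: two failed logins for 'elastic' from one address, one
# successful login for johndoe, one access_denied for johndoe outside events*,
# and one line that is not JSON (the parser must survive it).
SAMPLE_AUDIT_LINES = """\
{"type":"audit","timestamp":"2024-01-10T09:00:01,000+0000","node.id":"n1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"10.0.0.5:51234","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","timestamp":"2024-01-10T09:00:02,000+0000","node.id":"n1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"10.0.0.5:51235","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","timestamp":"2024-01-10T09:00:05,000+0000","node.id":"n1","event.type":"rest","event.action":"authentication_success","user.name":"johndoe","user.realm":"native","origin.type":"rest","origin.address":"10.0.0.9:40000","url.path":"/events-2024/_search","request.method":"GET"}
{"type":"audit","timestamp":"2024-01-10T09:00:06,000+0000","node.id":"n1","event.type":"transport","event.action":"access_denied","user.name":"johndoe","user.realm":"native","origin.type":"rest","origin.address":"10.0.0.9:40000","action":"indices:data/read/search","indices":["logs-2024"]}
not json at all
"""


def parse_audit(text):
    """Return (events, skipped): one dict per well-formed audit line, plus the count of lines dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if event.get("type") == "audit":
            events.append(event)
    return events, skipped


def client_ip(event):
    """origin.address is 'host:port' (IPv6 hosts are bracketed, e.g. '[::1]:57722'); drop the port."""
    addr = event.get("origin.address", "")
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def summarize(events):
    """Aggregate by event.action: failures per (user, ip), denied indices per user, successes per user."""
    summary = {"auth_failed": Counter(),
               "access_denied": defaultdict(set),
               "auth_success": Counter()}
    for event in events:
        action = event.get("event.action")
        user = event.get("user.name", "<unknown>")
        if action == "authentication_failed":
            summary["auth_failed"][(user, client_ip(event))] += 1
        elif action == "access_denied":
            summary["access_denied"][user].update(event.get("indices", []))
        elif action == "authentication_success":
            summary["auth_success"][user] += 1
    return summary


def failed_login_sources(summary, threshold=2):
    """Source addresses whose failed logins (any user) reach the threshold: a cheap password-guessing signal."""
    per_ip = Counter()
    for (_, ip), count in summary["auth_failed"].items():
        per_ip[ip] += count
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


if __name__ == "__main__":
    import sys
    # usage: python audit_summary.py [path/to/<clustername>_audit.json]; no path uses the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LINES
    events, skipped = parse_audit(text)
    summary = summarize(events)
    print(f"{len(events)} events, {skipped} malformed lines skipped")
    print("failed logins:", dict(summary["auth_failed"]))
    print("access denied:", {u: sorted(i) for u, i in summary["access_denied"].items()})
    print("successful logins:", dict(summary["auth_success"]))
    print("addresses at failure threshold:", failed_login_sources(summary))
```

The access_denied bucket is the one to watch after the roles step: a user who keeps being denied on indices outside their role is either misconfigured or probing, and either way the event names the user, the source address and the index.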