Securing the Reporting Endpoints

edit

In a production environment, you should restrict access to the X-Pack reporting endpoints to authorized users. This requires that you:

  1. Enable X-Pack security on your Elasticsearch cluster.
  2. Configure an SSL certificate for Kibana.
  3. Configure Watcher to trust the Kibana server’s certificate by adding it to the Watcher truststore on each node:

    1. Import the Kibana server certificate into the Watcher truststore using Java Keytool:

      keytool -importcert -keystore watcher-truststore.jks -file server.crt

      If the truststore doesn’t already exist, it is created.

    2. Make sure the xpack.http.ssl.truststore.path setting in elasticsearch.yml specifies the location of the Watcher truststore.
  4. Add one or more users who have the permissions necessary to use Kibana and X-Pack reporting.

Once you’ve enabled SSL for Kibana, all requests to the X-Pack reporting endpoints must include valid credentials. For example, the following watch submits requests as the built-in elastic user:

PUT _xpack/watcher/watch/error_report
{
  "trigger" : {
    "schedule": {
      "interval": "1h"
    }
  },
  "actions" : {
  "email_admin" : {
    "email": {
      "to": "'Recipient Name <[email protected]>'",
      "subject": "Error Monitoring Report",
      "attachments" : {
        "error_report.pdf" : {
          "http" : {
            "content_type" : "application/pdf",
            "request" : {
              "method": "POST",
              "scheme": "https", 
              "headers": {
                "kbn-xsrf": "reporting"
              },
              "auth": { 
                "basic": {
                  "username": "elastic",
                  "password": "changeme"
                }
              },
              "read_timeout": "300s",
              "url": "https://0.0.0.0:5601/api/reporting/generate/dashboard/Error-Monitoring?_g=(time:(from:now-1d%2Fd,mode:quick,to:now))&sync"
            }
          }
        }
      }
    }
  }
 }
}

You must connect to the X-Pack reporting endpoints via HTTPS when SSL is enabled.

Provide user credentials for a user with permission to access Kibana and X-Pack reporting. For more information, see Setting up a Reporting Role.