WARNING: Version 6.2 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Getting Started with Security

To secure a cluster, you must install X-Pack on every node in the cluster. Basic authentication is enabled by default: to communicate with the cluster, you must specify a username and password. Unless you enable anonymous access, all requests that don't include a user name and password are rejected.
X-Pack security provides a built-in elastic superuser you can use to start setting things up. This elastic user has full access to the cluster, including all indices and data, so the elastic user does not have a password set by default.
To get started with X-Pack security:

- Install X-Pack.
- Start Elasticsearch and Kibana.
- Set the passwords of the built-in elastic, kibana, and logstash_system users. In most cases, you can simply run the bin/x-pack/setup-passwords tool on one of the nodes in your cluster. Run that command with the same user that is running your Elasticsearch process. In "auto" mode this tool will randomly generate passwords and print them to the console:

      bin/x-pack/setup-passwords auto

  For more information, see Setting Built-in User Passwords.
- Set up roles and users to control access to Elasticsearch and Kibana. For example, to grant John Doe full access to all indices that match the pattern events* and enable him to create visualizations and dashboards for those indices in Kibana, you could create an events_admin role and assign the role to a new johndoe user:

      curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{
        "indices" : [
          {
            "names" : [ "events*" ],
            "privileges" : [ "all" ]
          },
          {
            "names" : [ ".kibana*" ],
            "privileges" : [ "manage", "read", "index" ]
          }
        ]
      }'

      curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{
        "password" : "userpassword",
        "full_name" : "John Doe",
        "email" : "john.doe@anony.mous",
        "roles" : [ "events_admin" ]
      }'
- Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:
  - Add the following setting to elasticsearch.yml on all nodes in your cluster:

        xpack.security.audit.enabled: true

  - Restart Elasticsearch.

  By default, events are logged to a dedicated elasticsearch-access.log file in ES_HOME/logs. You can also store the events in an Elasticsearch index for easier analysis and control what events are logged. For more information, see Configuring Auditing.
- Once you get these basic security measures in place, we strongly recommend that you secure communications to and from nodes by configuring your cluster to use SSL/TLS encryption. Nodes that do not have encryption enabled send passwords in plain text and will not be able to install a non-trial license that enables the use of X-Pack security.
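As an added example (not Elastic's own code or tooling), the following Python script carries out the role/user step and the auditing step above: it sends the same events_admin role and johndoe user bodies to the 6.x security API with the passwords taken from the environment rather than the command line, where they would otherwise land in shell history and process listings; it confirms the new user can authenticate; and it switches the audit setting on in elasticsearch.yml text without duplicating the line. The environment variable names, the injectable transport and the YAML helper are assumptions of this example; the endpoints, role and user bodies are the ones shown on this page.

```python
import base64
import json
import os
import re
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    """Build the HTTP basic-auth header value that curl's -u option sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def events_admin_role():
    """Role body from the page: full access to events*, plus enough on the
    Kibana index to save visualizations and dashboards."""
    return {"indices": [
        {"names": ["events*"], "privileges": ["all"]},
        {"names": [".kibana*"], "privileges": ["manage", "read", "index"]},
    ]}


def user_body(password, full_name, email, roles):
    """User body from the page; rejects an empty password before anything
    is sent to the cluster."""
    if not password:
        raise ValueError("refusing to create a user with an empty password")
    return {"password": password, "full_name": full_name,
            "email": email, "roles": list(roles)}


class SecurityClient:
    """Tiny client for the 6.x /_xpack/security endpoints used on this page.
    transport(method, url, headers, data) -> (status, body_bytes) is
    injectable (an assumption of this example) so the request logic can be
    exercised without a cluster; the default talks to the real node."""

    def __init__(self, base_url, user, password, transport=None):
        self.base_url = base_url.rstrip("/")
        self.auth = basic_auth_header(user, password)
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, data):
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def request(self, method, path, body=None):
        headers = {"Authorization": self.auth}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode("utf-8")
        status, raw = self.transport(method, self.base_url + path, headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {raw!r}")
        return json.loads(raw) if raw else {}

    def put_role(self, name, body):
        return self.request("POST", f"/_xpack/security/role/{name}", body)

    def put_user(self, name, body):
        return self.request("POST", f"/_xpack/security/user/{name}", body)

    def authenticate(self):
        # Confirms that the credentials this client holds are accepted.
        return self.request("GET", "/_xpack/security/_authenticate")


AUDIT_KEY = "xpack.security.audit.enabled"
_AUDIT_LINE = re.compile(r"^[ \t]*" + re.escape(AUDIT_KEY) + r"[ \t]*:.*$", re.M)


def enable_audit(yaml_text):
    """Return elasticsearch.yml text with the audit setting switched on.
    An existing active line (even one set to false) is rewritten in place;
    commented-out lines are left alone; otherwise the line is appended.
    Running it twice yields the same text."""
    line = f"{AUDIT_KEY}: true"
    if _AUDIT_LINE.search(yaml_text):
        return _AUDIT_LINE.sub(line, yaml_text)
    sep = "" if (not yaml_text or yaml_text.endswith("\n")) else "\n"
    return f"{yaml_text}{sep}{line}\n"


if __name__ == "__main__":
    # Passwords come from the environment (assumed variable names), not
    # from argv, so they stay out of shell history and `ps` output.
    client = SecurityClient("http://localhost:9200", "elastic",
                            os.environ["ELASTIC_PASSWORD"])
    print(client.put_role("events_admin", events_admin_role()))
    print(client.put_user("johndoe", user_body(
        os.environ["JOHNDOE_PASSWORD"], "John Doe", "john.doe@anony.mous",
        ["events_admin"])))
    print(SecurityClient("http://localhost:9200", "johndoe",
                         os.environ["JOHNDOE_PASSWORD"]).authenticate())
```

Run it with ELASTIC_PASSWORD and JOHNDOE_PASSWORD exported; the final authenticate call fails with a RuntimeError carrying the HTTP status if the new user was not created as expected, which is the check the curl commands above do not give you.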
Depending on your security requirements, you might also want to:
- Integrate with LDAP or Active Directory, or require certificates for authentication.
- Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.