forked from docs/doc-exports
Reviewed-by: Kacur, Michal <michal.kacur@t-systems.com> Co-authored-by: Wuwan, Qi <wuwanqi1@noreply.gitea.eco.tsi-dev.otc-service.com> Co-committed-by: Wuwan, Qi <wuwanqi1@noreply.gitea.eco.tsi-dev.otc-service.com>
<a name="css_01_0189"></a><a name="css_01_0189"></a>
<h1 class="topictitle1">Clusters in Security Mode</h1>
<div id="body0000001478234873"><p id="css_01_0189__en-us_topic_0000001478234873_p636171114205">When creating an Elasticsearch cluster, you can enable the security mode for it. Users must pass identity authentication to access a security cluster. Security clusters also support authorization and encryption.</p>
<div class="section" id="css_01_0189__en-us_topic_0000001478234873_section1753019573712"><h4 class="sectiontitle">Identity Verification</h4><p id="css_01_0189__en-us_topic_0000001478234873_p16118653165913">To access a security cluster, you must enter a username and password. Identity verification is required for the following two types of users:</p>
<ul id="css_01_0189__en-us_topic_0000001478234873_ul15961822191016"><li id="css_01_0189__en-us_topic_0000001478234873_li496622131020">Administrator: The default administrator username is <strong id="css_01_0189__en-us_topic_0000001478234873_b1882413620149">admin</strong>, and the password is the one specified during cluster creation.</li><li id="css_01_0189__en-us_topic_0000001478234873_li111651241101219">Users: Enter the username and password created through Kibana.</li></ul>
</div>
<div class="section" id="css_01_0189__en-us_topic_0000001478234873_section44819400404"><h4 class="sectiontitle">Authorization</h4><p id="css_01_0189__en-us_topic_0000001478234873_p365213644117">On the <strong id="css_01_0189__en-us_topic_0000001478234873_b176411455185117">Kibana</strong> console, click <strong id="css_01_0189__en-us_topic_0000001478234873_b364275575114">Security</strong> to control user permissions in Elasticsearch clusters. You can configure hierarchical user permissions by cluster, index, document, and field. For details, see <a href="css_01_0109.html">Creating a User and Granting Permissions by Using Kibana</a>.</p>
<p id="css_01_0189__en-us_topic_0000001478234873_p48442213419">You can add or delete users, and map users to different roles for permissions control.</p>
<div class="fignone" id="css_01_0189__en-us_topic_0000001478234873_fig9206175294619"><span class="figcap"><b>Figure 1 </b>Configuring users</span><br><span><img id="css_01_0189__en-us_topic_0000001478234873_image1720625294617" src="en-us_image_0000001714802261.png"></span></div>
<p id="css_01_0189__en-us_topic_0000001478234873_p6540155417477">You can use role mapping to configure roles and map a user, backend role, and host name to a role.</p>
<div class="fignone" id="css_01_0189__en-us_topic_0000001478234873_fig1615521220484"><span class="figcap"><b>Figure 2 </b>Role mapping</span><br><span><img id="css_01_0189__en-us_topic_0000001478234873_image6155161254812" src="en-us_image_0000001714922093.png"></span></div>
<p id="css_01_0189__en-us_topic_0000001478234873_p9582122844812">You can set permissions for each role to access clusters, indexes, and documents, and assign different roles to Kibana tenants.</p>
<div class="fignone" id="css_01_0189__en-us_topic_0000001478234873_fig171866416485"><span class="figcap"><b>Figure 3 </b>Configuring role permissions</span><br><span><img id="css_01_0189__en-us_topic_0000001478234873_image15187124118484" src="en-us_image_0000001667002482.png"></span></div>
<p id="css_01_0189__en-us_topic_0000001478234873_p132331659124815">You can set action groups, assign the groups to roles, and configure the roles' permission for accessing indexes and documents.</p>
<div class="fignone" id="css_01_0189__en-us_topic_0000001478234873_fig10424783491"><span class="figcap"><b>Figure 4 </b>Configuring action groups</span><br><span><img id="css_01_0189__en-us_topic_0000001478234873_image842488144911" src="en-us_image_0000001666842766.png"></span></div>
<p id="css_01_0189__en-us_topic_0000001478234873_p11274924194916">You can view the parameters of authentication and authorization for the current cluster. You can also run the <strong id="css_01_0189__en-us_topic_0000001478234873_b914028134113827">securityadmin</strong> command to modify the configuration.</p>
<div class="fignone" id="css_01_0189__en-us_topic_0000001478234873_fig1995754614499"><span class="figcap"><b>Figure 5 </b>Viewing cluster parameters</span><br><span><img id="css_01_0189__en-us_topic_0000001478234873_image8958174615492" src="en-us_image_0000001714922097.png"></span></div>
<p id="css_01_0189__en-us_topic_0000001478234873_p6322121345017">You can also clear the security cache.</p>
<div class="fignone" id="css_01_0189__en-us_topic_0000001478234873_fig16691821165012"><span class="figcap"><b>Figure 6 </b>Clearing the security cache</span><br><span><img id="css_01_0189__en-us_topic_0000001478234873_image567012125016" src="en-us_image_0000001714802265.png"></span></div>
</div>
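<p>The cluster, index, document, and field levels described above map onto one role definition in the Open Distro security plugin. The following is an added example, not part of the original documentation: it audits role definitions for over-broad grants before they are sent to the security REST API. The role names, index patterns, field names, and the set of checks are assumptions made for illustration.</p>

```python
import json

# Action groups and wildcards that grant everything at their level.
BROAD = {"*", "unlimited", "cluster_all", "indices_all"}

# Constructed sample roles (hypothetical names, indexes and fields).
ROLES = {
    "hr_reader": {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [{
            "index_patterns": ["hr-*"],
            "dls": json.dumps({"term": {"department": "hr"}}),  # document level
            "fls": ["~salary"],                                  # field level: hide salary
            "allowed_actions": ["read"],
        }],
        "tenant_permissions": [
            {"tenant_patterns": ["hr"], "allowed_actions": ["kibana_all_read"]},
        ],
    },
    "ops_all": {
        "cluster_permissions": ["*"],
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
    },
}

def audit_role(role):
    """Return least-privilege findings for one role definition."""
    findings = []
    if BROAD & set(role.get("cluster_permissions", [])):
        findings.append("cluster: unrestricted cluster permissions")
    for perm in role.get("index_permissions", []):
        patterns = perm.get("index_patterns", [])
        if "*" in patterns:
            findings.append("index: pattern '*' matches every index")
        if BROAD & set(perm.get("allowed_actions", [])):
            findings.append(f"index: unrestricted actions on {patterns}")
        if perm.get("dls"):
            try:
                json.loads(perm["dls"])  # DLS is a query DSL document stored as a string
            except ValueError:
                findings.append(f"document: dls on {patterns} is not valid JSON")
    return findings

def role_request(name, role):
    """Build the REST call that creates or replaces the role."""
    return "PUT", f"/_opendistro/_security/api/roles/{name}", json.dumps(role)

if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name, audit_role(role) or "ok")
```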
<div class="section" id="css_01_0189__en-us_topic_0000001478234873_section19601134845014"><h4 class="sectiontitle">Encryption</h4><p id="css_01_0189__en-us_topic_0000001478234873_p9146753145017">When key data is transferred between nodes or through the HTTP protocol, SSL/TLS encryption is used to ensure data security.</p>
<p id="css_01_0189__en-us_topic_0000001478234873_p8737413205115">You can perform the preceding functions on Kibana, using <strong id="css_01_0189__en-us_topic_0000001478234873_b347272483113827">.yml</strong> files (not recommended), or by calling RESTful APIs. For more information about the security mode, see <a href="https://opendistro.github.io/for-elasticsearch-docs/docs/security/" target="_blank" rel="noopener noreferrer">Security</a>.</p>
</div>
<div class="section" id="css_01_0189__en-us_topic_0000001478234873_section166847002115"><h4 class="sectiontitle">Resetting the Administrator Password</h4><p id="css_01_0189__en-us_topic_0000001478234873_p133252314210">If you want to change the administrator password of a security cluster or you have forgotten the password, reset the password.</p>
<ol id="css_01_0189__en-us_topic_0000001478234873_ol82011427134013"><li id="css_01_0189__en-us_topic_0000001478234873_li62021427154020">On the <strong id="css_01_0189__en-us_topic_0000001478234873_b1270685936113827">Clusters</strong> page, locate the target cluster whose password you want to reset and click the cluster name. The <strong id="css_01_0189__en-us_topic_0000001478234873_b1955243225113827">Cluster Information</strong> page is displayed.</li><li id="css_01_0189__en-us_topic_0000001478234873_li2079816112418">In the <strong id="css_01_0189__en-us_topic_0000001478234873_b7919824125616">Configuration</strong> area, click <strong id="css_01_0189__en-us_topic_0000001478234873_b199191224195610">Reset</strong> next to <strong id="css_01_0189__en-us_topic_0000001478234873_b7919122435612">Reset Password</strong>.<div class="note" id="css_01_0189__en-us_topic_0000001478234873_note1659782016559"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_01_0189__en-us_topic_0000001478234873_ul22881526105512"><li id="css_01_0189__en-us_topic_0000001478234873_li1928818265556">The password can contain 8 to 32 characters.</li><li id="css_01_0189__en-us_topic_0000001478234873_li13391595583">The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. The following special characters are supported: ~!@#$%^&amp;*()-_=+\|[{}];:,&lt;.&gt;/?</li><li id="css_01_0189__en-us_topic_0000001478234873_li9796211478">Do not use the administrator name, or the administrator name spelled backwards.</li><li id="css_01_0189__en-us_topic_0000001478234873_li76951243348">You are advised to change the password periodically.</li></ul>
</div></div>
</li></ol>
</div>
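<p>The password rules in the note above can be checked before a reset is attempted. The following is an added example, not code from the original documentation or from the service. It assumes that any character outside the four listed types is rejected and that the administrator-name comparison is case-sensitive; the function name and messages are hypothetical.</p>

```python
import string

# Special characters the note lists as supported.
SPECIALS = set("~!@#$%^&*()-_=+\\|[{}];:,<.>/?")

def password_violations(password, admin_name="admin"):
    """Return the list of rules from the note that the password breaks."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")

    # Count how many of the four character types are present.
    types_present = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(types_present) < 3:
        problems.append("needs at least three of: uppercase, lowercase, digit, special")

    # Assumption: characters outside the four types are not accepted.
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    unsupported = sorted({c for c in password if c not in allowed})
    if unsupported:
        problems.append("unsupported characters: " + repr("".join(unsupported)))

    # The name rule matters for administrator names of 8 or more characters.
    if password in (admin_name, admin_name[::-1]):
        problems.append("must not be the administrator name or its reverse")
    return problems

if __name__ == "__main__":
    for candidate in ("Str0ng-Passw0rd", "short1A", "Passw0rd with space"):
        print(repr(candidate), password_violations(candidate) or "ok")
```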
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0008.html">Creating an Elasticsearch Cluster</a></div>
</div>
</div>